From f7703dbca37436c214b29d10691a17c4ef2524e7 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Mon, 30 Oct 2017 19:06:54 +0000
Subject: [PATCH] Block anonymous auth requests to kubelet
---
 roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 | 1 +
 roles/kubernetes/node/templates/kubelet.standard.env.j2 | 1 +
 2 files changed, 2 insertions(+)
diff --git a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
index c6daf49c9..c543a86fe 100644
--- a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
@@ -28,6 +28,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --node-status-update-frequency={{ kubelet_status_update_frequency }} \
 --cgroup-driver={{ kubelet_cgroup_driver|default(kubelet_cgroup_driver_detected) }} \
 --docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
+--anonymous-auth=false \
 {% if kube_version | version_compare('v1.8', '<') %}
 --experimental-fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
 {% else %}
diff --git a/roles/kubernetes/node/templates/kubelet.standard.env.j2 b/roles/kubernetes/node/templates/kubelet.standard.env.j2
index 1ccf8b409..30c07059b 100644
--- a/roles/kubernetes/node/templates/kubelet.standard.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.standard.env.j2
@@ -17,6 +17,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --client-ca-file={{ kube_cert_dir }}/ca.pem \
 --tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
 --tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
+--anonymous-auth=false \
 {% if kube_version | version_compare('v1.6', '>=') %}
 {# flag got removed with 1.7.0 #}
 {% if kube_version | version_compare('v1.7', '<') %}
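Review bot: `--anonymous-auth=false` in kubelet.kubeadm.env.j2 only rejects requests that carry no credentials; nothing in this hunk shows how the kubelet authenticates the remaining callers or what they are then allowed to do. The kubeadm template should be checked for `--client-ca-file` (or `--authentication-token-webhook`), because without an authentication source the API server's own calls for logs and exec would be rejected with 401 too. In both templates, unless `--authorization-mode=Webhook` is set elsewhere, the kubelet's default AlwaysAllow mode lets any holder of a certificate signed by that CA use the whole kubelet API, so the new flag is best paired with it. The argument block starts and ends outside the hunk, so these flags may already be present.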
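Review bot: The new `--anonymous-auth=false` line in kubelet.standard.env.j2 has no comment, although this block already uses Jinja comments for flag notes (`{# flag got removed with 1.7.0 #}`). I would add `{# reject unauthenticated requests; callers must present a cert signed by client-ca-file #}` above it, so operators whose health checks or metrics scrapers query the kubelet port without credentials can see why they start receiving 401. The flag covers only the authenticated port; whether the read-only port is still served (`--read-only-port`) is not visible in this hunk and is worth confirming.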