Make the Kubelet read-only port configurable and disable it by default. Fixes #2159.

inventory/group_vars/all.yml

@@ -122,3 +122,6 @@ bin_dir: /usr/local/bin
 
 ## Set level of detail for etcd exported metrics, specify 'extensive' to include histogram metrics.
 #etcd_metrics: basic
+
+# The read-only port for the Kubelet to serve on with no authentication/authorization. Uncomment to enable.
+# kube_read_only_port: 10255

roles/kubernetes/node/defaults/main.yml

@@ -86,3 +86,6 @@ kube_override_hostname: >-
 
 # cAdvisor port
 kube_cadvisor_port: 0
+
+# The read-only port for the Kubelet to serve on with no authentication/authorization.
+kube_read_only_port: 0

roles/kubernetes/node/templates/kubelet.kubeadm.env.j2

@@ -31,6 +31,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --cgroup-driver={{ kubelet_cgroup_driver|default(kubelet_cgroup_driver_detected) }} \
 --docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
 --anonymous-auth=false \
+--read-only-port={{ kube_read_only_port }} \
 {% if kube_version | version_compare('v1.8', '<') %}
 --experimental-fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
 {% else %}

roles/kubernetes/node/templates/kubelet.standard.env.j2

@@ -20,6 +20,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
 --tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
 --anonymous-auth=false \
+--read-only-port={{ kube_read_only_port }} \
 {% if kube_version | version_compare('v1.6', '>=') %}
 {# flag got removed with 1.7.0 #}
 {% if kube_version | version_compare('v1.7', '<') %}