From 3b9d13fda97fcc07b8e31cf1babe3f73f5af8470 Mon Sep 17 00:00:00 2001
From: Sergey
Date: Wed, 10 Apr 2019 22:20:08 +0300
Subject: [PATCH] Return back bind API server node loadbalancer to 127.0.0.1 for security purposes. (#4489)
---
 roles/kubernetes/node/templates/haproxy.cfg.j2 | 2 +-
 roles/kubernetes/node/templates/nginx.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/kubernetes/node/templates/haproxy.cfg.j2 b/roles/kubernetes/node/templates/haproxy.cfg.j2
index 76466b008..6c467bda2 100644
--- a/roles/kubernetes/node/templates/haproxy.cfg.j2
+++ b/roles/kubernetes/node/templates/haproxy.cfg.j2
@@ -27,7 +27,7 @@ frontend healthz
 {% endif %}
 frontend kube_api_frontend
- bind *:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}
+ bind 127.0.0.1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}
 mode tcp
 option tcplog
 default_backend kube_api_backend
diff --git a/roles/kubernetes/node/templates/nginx.conf.j2 b/roles/kubernetes/node/templates/nginx.conf.j2
index 0c869d94a..bdd830d7d 100644
--- a/roles/kubernetes/node/templates/nginx.conf.j2
+++ b/roles/kubernetes/node/templates/nginx.conf.j2
@@ -19,7 +19,7 @@ stream {
 }
 server {
- listen {{ loadbalancer_apiserver_port|default(kube_apiserver_port) }};
+ listen 127.0.0.1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }};
 proxy_pass kube_apiserver;
 proxy_timeout 10m;
 proxy_connect_timeout 1s;
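Review bot: The new `bind 127.0.0.1:` line in `frontend kube_api_frontend` has no comment saying why it must stay loopback-only, and the commit title ("Return back ...") suggests the wildcard bind has already slipped back in once. I would add a line above it such as `# Loopback only: this proxy is for clients on this node; a wildcard bind exposes it on every interface`, and the same above the `listen 127.0.0.1:` line in the nginx.conf.j2 hunk. Both hunks cover IPv4 loopback only, so a node-local client that reaches the proxy via `localhost` and resolves it to `::1` would be refused. If such clients exist (not visible here), add `bind ::1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}` and `listen [::1]:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }};` rather than returning to the wildcard. The `frontend` and `server` blocks extend beyond what the hunks show.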