From 669f27a0bbfdd949da5251d18d81843b9791983d Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Wed, 11 Oct 2017 16:59:58 +0100
Subject: [PATCH] Add recommended security params

---
 .../templates/manifests/kube-apiserver.manifest.j2 | 10 ++++++++--
 .../manifests/kube-controller-manager.manifest.j2 | 4 +++-
 .../templates/manifests/kube-scheduler.manifest.j2 | 1 +
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index cad57b5f2..57f6c7385 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -40,12 +40,18 @@ spec:
 - --service-cluster-ip-range={{ kube_service_addresses }}
 - --service-node-port-range={{ kube_apiserver_node_port_range }}
 - --client-ca-file={{ kube_cert_dir }}/ca.pem
-{% if kube_basic_auth|default(true) %}
+ - --profiling=false
+ - --repair-malformed-updates=false
+ - --kubelet-certificate-authority={{ kube_cert_dir }}/ca.pem
+ - --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
+ - --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
+ - --service-account-lookup=true
+{% if kube_basic_auth|default(false) %}
 - --basic-auth-file={{ kube_users_dir }}/known_users.csv
 {% endif %}
 - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
 - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
-{% if kube_token_auth|default(true) %}
+{% if kube_token_auth|default(false) %}
 - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
 {% endif %}
 - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index 9be67c01d..705ad6d52 100644
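Review bot: The new `--kubelet-certificate-authority={{ kube_cert_dir }}/ca.pem` and `--kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem` lines make the apiserver verify every kubelet's serving certificate against ca.pem and authenticate to kubelets with the master's node certificate, but nothing in this commit changes how kubelets obtain their serving certificates or how they authorize that client identity, so a kubelet that still serves a self-signed certificate, or one without the node name or IP in its SANs, will make apiserver-to-kubelet calls (exec, logs, port-forward, metrics) fail TLS verification after this change. That kubelet-side provisioning is outside this diff, so please confirm it issues ca.pem-signed serving certificates, and record the prerequisite above the new block with a comment such as `{# kubelet serving certs must be issued by ca.pem with node name/IP SANs, or apiserver->kubelet calls fail #}`. Flipping `kube_basic_auth|default(true)` and `kube_token_auth|default(true)` to `default(false)` changes behaviour for every inventory that never set those variables, and any other task or template in the role that applies its own `default()` to the same variables now disagrees with this manifest; the cleaner fix is to declare `kube_basic_auth: false` and `kube_token_auth: false` once in the role defaults and drop the inline `default()` filters here.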
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -37,9 +37,11 @@ spec:
 - --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }}
 - --node-monitor-period={{ kube_controller_node_monitor_period }}
 - --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
+ - --profiling=false
+ - --terminated-pod-gc-threshold=12500
 - --v={{ kube_log_level }}
 {% if rbac_enabled %}
- - --use-service-account-credentials
+ - --use-service-account-credentials=true
 {% endif %}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
 - --cloud-provider={{cloud_provider}}
diff --git a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
index 6353ca102..d50c10ed7 100644
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -28,6 +28,7 @@ spec:
 - scheduler
 - --leader-elect=true
 - --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml
+ - --profiling=false
 - --v={{ kube_log_level }}
 {% if kube_feature_gates %}
 - --feature-gates={{ kube_feature_gates|join(',') }}
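Review bot: `--terminated-pod-gc-threshold=12500` is the only hard-coded tunable in this argument list; every neighbouring value (`kube_controller_node_monitor_grace_period`, `kube_controller_pod_eviction_timeout`, `kube_log_level`) is an Ansible variable, so this one should follow the same pattern, e.g. `- --terminated-pod-gc-threshold={{ kube_controller_terminated_pod_gc_threshold }}` with the value declared in the role defaults (variable name constructed here, pick whatever matches the role's naming). As far as I recall 12500 is also the controller-manager's built-in default, so the line is presumably there to satisfy a hardening recommendation rather than to change behaviour; a short comment saying so, such as `{# explicit terminated-pod GC threshold, matches upstream default; set so the value is auditable #}`, would save the next reader from hunting for the reason. The `--use-service-account-credentials=true` rewrite is equivalent to the bare flag and needs no follow-up.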