Add recommended security params

2017-10-11 16:59:58 +01:00 · 2017-10-11 16:59:58 +01:00 · 669f27a0bb
commit 669f27a0bb
parent cf43fb697f
3 changed files with 12 additions and 3 deletions
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@ -40,12 +40,18 @@ spec:
    - --service-cluster-ip-range={{ kube_service_addresses }}
    - --service-node-port-range={{ kube_apiserver_node_port_range }}
    - --client-ca-file={{ kube_cert_dir }}/ca.pem
-{% if kube_basic_auth|default(true) %}
+    - --profiling=false
+    - --repair-malformed-updates=false
+    - --kubelet-certificate-authority={{ kube_cert_dir }}/ca.pem
+    - --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
+    - --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
+    - --service-account-lookup=true
+{% if kube_basic_auth|default(false) %}
    - --basic-auth-file={{ kube_users_dir }}/known_users.csv
 {% endif %}
    - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
-{% if kube_token_auth|default(true) %}
+{% if kube_token_auth|default(false) %}
    - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
 {% endif %}
    - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@ -37,9 +37,11 @@ spec:
    - --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }}
    - --node-monitor-period={{ kube_controller_node_monitor_period }}
    - --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
+    - --profiling=false
+    - --terminated-pod-gc-threshold=12500
    - --v={{ kube_log_level }}
 {% if rbac_enabled %}
-    - --use-service-account-credentials
+    - --use-service-account-credentials=true
 {% endif %}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
    - --cloud-provider={{cloud_provider}}
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@ -28,6 +28,7 @@ spec:
    - scheduler
    - --leader-elect=true
    - --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml
+    - --profiling=false
    - --v={{ kube_log_level }}
 {% if kube_feature_gates %}
    - --feature-gates={{ kube_feature_gates|join(',') }}