Add protectKernelDefaults option (default true) to kubelet config file (#6611)
This commit is contained in:
parent
c1ba8e1b3a
commit
f1566cb8c2
3 changed files with 19 additions and 0 deletions
|
@ -31,6 +31,9 @@ healthzPort: {{ kubelet_healthz_port }}
|
|||
healthzBindAddress: {{ kubelet_healthz_bind_address }}
|
||||
kubeletCgroups: {{ kubelet_kubelet_cgroups }}
|
||||
clusterDomain: {{ dns_domain }}
|
||||
{% if kubelet_protect_kernel_defaults|bool %}
|
||||
protectKernelDefaults: true
|
||||
{% endif %}
|
||||
{% if kubelet_rotate_certificates|bool %}
|
||||
rotateCertificates: true
|
||||
{% endif %}
|
||||
|
|
|
@ -61,3 +61,16 @@
|
|||
value: 1
|
||||
state: present
|
||||
reload: yes
|
||||
|
||||
- name: Ensure kube-bench parameters are set
|
||||
sysctl:
|
||||
sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
state: present
|
||||
reload: yes
|
||||
with_items:
|
||||
- { name: vm.overcommit_memory, value: 1 }
|
||||
- { name: kernel.panic, value: 10 }
|
||||
- { name: kernel.panic_on_oops, value: 1 }
|
||||
when: kubelet_protect_kernel_defaults|bool
|
||||
|
|
|
@ -397,6 +397,9 @@ kubelet_rotate_certificates: true
|
|||
# kubelet can also request a new server certificate from the Kubernetes API
|
||||
kubelet_rotate_server_certificates: false
|
||||
|
||||
# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults
|
||||
kubelet_protect_kernel_defaults: true
|
||||
|
||||
## List of key=value pairs that describe feature gates for
|
||||
## the k8s cluster.
|
||||
kube_feature_gates: []
|
||||
|
|
Loading…
Reference in a new issue