c12s-kubespray/roles/kubernetes/node/templates/kubelet.service.j2
Alessio Greggi acb6f243fd
feat: add kubelet systemd service hardening option (#9194)
* feat: add kubelet systemd service hardening option

* refactor: move variable name to kubelet_secure_addresses

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* docs: add diagram about kubelet_secure_addresses variable

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
2022-08-30 11:18:55 -07:00

34 lines
804 B
Django/Jinja

[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After={{ container_manager }}.service
{% if container_manager == 'docker' %}
Wants=docker.socket
{% else %}
Wants={{ container_manager }}.service
{% endif %}
[Service]
EnvironmentFile=-{{ kube_config_dir }}/kubelet.env
ExecStart={{ bin_dir }}/kubelet \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBELET_API_SERVER \
$KUBELET_ADDRESS \
$KUBELET_PORT \
$KUBELET_HOSTNAME \
$KUBELET_ARGS \
$DOCKER_SOCKET \
$KUBELET_NETWORK_PLUGIN \
$KUBELET_VOLUME_PLUGIN \
$KUBELET_CLOUDPROVIDER
Restart=always
RestartSec=10s
{% if kubelet_systemd_hardening %}
# Hardening setup
IPAddressDeny=any
IPAddressAllow={{ kubelet_secure_addresses }}
{% endif %}
[Install]
WantedBy=multi-user.target