Adopt CIS Kubernetes Benchmark, Part 2: Controller Manager. (#2066)

Azure · Jan 17, 2018 · ab9e35b · ab9e35b
1 parent b9ecfca
commit ab9e35b
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/docs/clusterdefinition.md b/docs/clusterdefinition.md
@@ -200,6 +200,7 @@ Below is a list of kubelet options that are *not* currently user-configurable, e
         "--node-monitor-grace-period": "40s",
         "--pod-eviction-timeout": "5m0s",
         "--route-reconciliation-period": "10s"
+        "--terminated-pod-gc-threshold": "5000"
     }
 }
 ```
@@ -213,6 +214,7 @@ Below is a list of controller-manager options that acs-engine will configure by
 |"--node-monitor-grace-period"|"40s"|
 |"--pod-eviction-timeout"|"5m0s"|
 |"--route-reconciliation-period"|"10s"|
+|"--terminated-pod-gc-threshold"|"5000"|
 
 
 Below is a list of controller-manager options that are *not* currently user-configurable, either because a higher order configuration vector is available that enforces controller-manager configuration, or because a static configuration is required to build a functional cluster:

diff --git a/pkg/acsengine/const.go b/pkg/acsengine/const.go
@@ -56,6 +56,8 @@ const (
 	DefaultKubernetesCtrlMgrPodEvictionTimeout = "5m0s"
 	// DefaultKubernetesCtrlMgrRouteReconciliationPeriod is 10s, see --route-reconciliation-period at https://kubernetes.io/docs/admin/kube-controller-manager/
 	DefaultKubernetesCtrlMgrRouteReconciliationPeriod = "10s"
+	// DefaultKubernetesCtrlMgrTerminatedPodGcThreshold is set to 5000, see --terminated-pod-gc-threshold at https://kubernetes.io/docs/admin/kube-controller-manager/ and https://github.com/kubernetes/kubernetes/issues/22680
+	DefaultKubernetesCtrlMgrTerminatedPodGcThreshold = "5000"
 	// DefaultKubernetesCloudProviderBackoff is false to disable cloudprovider backoff implementation for API calls
 	DefaultKubernetesCloudProviderBackoff = false
 	// DefaultKubernetesCloudProviderBackoffRetries is 6, takes effect if DefaultKubernetesCloudProviderBackoff is true

diff --git a/pkg/acsengine/defaults-controller-manager.go b/pkg/acsengine/defaults-controller-manager.go
@@ -19,7 +19,7 @@ func setControllerManagerConfig(cs *api.ContainerService) {
 		"--service-account-private-key-file": "/etc/kubernetes/certs/apiserver.key",
 		"--leader-elect":                     "true",
 		"--v":                                "2",
-		"--profiling":                        "False",
+		"--profiling":                        "false",
 	}
 
 	// Set --cluster-name based on appropriate DNS prefix
@@ -47,6 +47,7 @@ func setControllerManagerConfig(cs *api.ContainerService) {
 		"--node-monitor-grace-period":   DefaultKubernetesCtrlMgrNodeMonitorGracePeriod,
 		"--pod-eviction-timeout":        DefaultKubernetesCtrlMgrPodEvictionTimeout,
 		"--route-reconciliation-period": DefaultKubernetesCtrlMgrRouteReconciliationPeriod,
+		"--terminated-pod-gc-threshold": DefaultKubernetesCtrlMgrTerminatedPodGcThreshold,
 	}
 
 	// If no user-configurable controller-manager config values exists, use the defaults