diff --git a/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml b/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
index da9cd8a254..566284e1c4 100644
--- a/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
+++ b/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
@@ -35,6 +35,8 @@ spec:
 - "--proxy-client-cert-file=/etc/kubernetes/certs/proxy.crt"
 - "--proxy-client-key-file=/etc/kubernetes/certs/proxy.key"
 - "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
+ - "--kubelet-client-certificate=/etc/kubernetes/certs/client.crt"
+ - "--kubelet-client-key=/etc/kubernetes/certs/client.key"
 - "--oidc-client-id="
 - "--oidc-issuer-url="
 - "--oidc-username-claim=oid"
diff --git a/pkg/acsengine/defaults-kubelet.go b/pkg/acsengine/defaults-kubelet.go
index 183cae42a4..7728d77b4c 100644
--- a/pkg/acsengine/defaults-kubelet.go
+++ b/pkg/acsengine/defaults-kubelet.go
@@ -13,6 +13,9 @@ func setKubeletConfig(cs *api.ContainerService) {
 staticLinuxKubeletConfig := map[string]string{
 "--address": "0.0.0.0",
 "--allow-privileged": "true",
+ "--anonymous-auth": "false",
+ "--authorization-mode": "Webhook",
+ "--client-ca-file": "/etc/kubernetes/certs/ca.crt",
 "--pod-manifest-path": "/etc/kubernetes/manifests",
 "--cloud-config": "/etc/kubernetes/azure.json",
 "--cluster-domain": "cluster.local",
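Review bot: The added `--kubelet-client-certificate` / `--kubelet-client-key` pair lets the API server authenticate to the kubelet, but nothing visible in this hunk makes the API server verify the kubelet's serving certificate, so the apiserver-to-kubelet connection (logs, exec, port-forward) is still not protected against an impostor endpoint. If the kubelets serve certificates signed by the cluster CA, consider adding `- "--kubelet-certificate-authority=/etc/kubernetes/certs/ca.crt"`; the flag may already be set in a part of the manifest outside the hunk. Also confirm that the identity carried by `client.crt` is authorized for the kubelet API (for example through a binding to `system:kubelet-api-admin`), because kubelets running with Webhook authorization will submit it for a SubjectAccessReview and reject the request otherwise. A one-line comment in the manifest naming which identity `client.crt` carries would make that dependency visible.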
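Review bot: The three added entries in `staticLinuxKubeletConfig` lock down only the kubelet's authenticated port; the read-only port is not governed by `--anonymous-auth` or `--authorization-mode`, and no `"--read-only-port"` entry is visible in this hunk. With `"--address": "0.0.0.0"` still in place, that port would keep serving pod and node data without credentials unless it is disabled elsewhere in the map, which continues outside the hunk. If it is not, add `"--read-only-port": "0",` or leave a comment explaining which consumer still needs it. The map's name suggests a separate Windows kubelet configuration that this change does not touch, so it is worth confirming those nodes get the same three settings.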