
Commit

Update kubelet systemd service default allowed IP addresses for cluster hardening (#11061)

Signed-off-by: bmelbourne <[email protected]>
bmelbourne authored Apr 11, 2024
1 parent 8a423ab commit 1b870a1
Showing 2 changed files with 4 additions and 3 deletions.
2 changes: 1 addition & 1 deletion docs/hardening.md
Expand Up @@ -107,7 +107,7 @@ kubelet_systemd_hardening: true
# IP addresses, kubelet_secure_addresses allows you
# to specify the IP from which the kubelet
# will receive the packets.
kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112"
kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} 192.168.10.110 192.168.10.111 192.168.10.112"

# additional configurations
kube_owner: root
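Review bot: the comment immediately above this value still describes kubelet_secure_addresses as "the IP from which the kubelet will receive the packets", but the new example mixes the keywords localhost and link-local and the {{ kube_pods_subnet }} range with the three literal addresses; update the comment to say the value is an allow-list that accepts keywords and address ranges as well as single IPs, and that the 192.168.10.110 to 192.168.10.112 entries are placeholders the operator replaces with their own node addresses. It would also help to state that kube_pods_subnet must be defined for this example to render, and that anything not listed is denied once kubelet_systemd_hardening is true.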
5 changes: 3 additions & 2 deletions roles/kubernetes/node/defaults/main.yml
Expand Up @@ -24,10 +24,11 @@ kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
kubelet_systemd_hardening: false

# List of secure IPs for kubelet
kubelet_secure_addresses: >-
{%- for host in groups['kube_control_plane'] -%}
kube_node_addresses: >-
{%- for host in (groups['kube_control_plane'] + groups['kube_node'] + groups['etcd']) | unique -%}
{{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ ' ' if not loop.last else '' }}
{%- endfor -%}
kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} {{ kube_node_addresses }}"

# Reserve this space for kube resources
# Set to true to reserve resources for kube daemons
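Review bot: the new kube_node_addresses loop dereferences groups['kube_control_plane'], groups['kube_node'] and groups['etcd'] directly, so templating fails on any inventory that does not define one of those groups; consider `groups['etcd'] | default([])` (and the same for the other two) before the `| unique` filter. Two smaller points: the comment "# List of secure IPs for kubelet" now sits above kube_node_addresses rather than kubelet_secure_addresses, so add a comment for the new variable and keep the original one on the variable it describes; and since the default allow-list now includes {{ kube_pods_subnet }}, every pod passes the systemd IP filter, so the hardening note should make clear that kubelet authentication and authorization remain the control for pod-originated traffic.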