epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-28 09:39:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update kubelet systemd service default allowed IP addresses for cluster hardening (#11061)

Browse Source 
Signed-off-by: bmelbourne <barry.melbourne0@gmail.com>
This commit is contained in:
Barry M
2024-04-11 08:58:27 +01:00
committed by GitHub
parent 8a423abd0f
commit 1b870a1862
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
roles/kubernetes/node/defaults/main.yml
View File

@@ -24,10 +24,11 @@ kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
kubelet_systemd_hardening: false
# List of secure IPs for kubelet
kubelet_secure_addresses: >-
{%- for host in groups['kube_control_plane'] -%}
kube_node_addresses: >-
{%- for host in (groups['kube_control_plane'] + groups['kube_node'] + groups['etcd']) | unique -%}
{{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ ' ' if not loop.last else '' }}
{%- endfor -%}
kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} {{ kube_node_addresses }}"
# Reserve this space for kube resources
# Set to true to reserve resources for kube daemons