epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2025-12-14 05:45:06 +03:00
Code Issues Packages Projects Releases Wiki Activity

disable kubelet_authorization_mode_webhook by default (#9238)

Browse Source
This commit is contained in:
Cristian Calin
2022-08-31 14:53:00 +03:00
committed by GitHub
parent 5603f9f374
commit 6db6c8678c
2 changed files with 1 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/hardening.md
View File

@@ -74,7 +74,6 @@ kube_kubeadm_scheduler_extra_args:
etcd_deployment_type: kubeadm etcd_deployment_type: kubeadm
## kubelet ## kubelet
kubelet_authorization_mode_webhook: true
kubelet_authentication_token_webhook: true kubelet_authentication_token_webhook: true
kube_read_only_port: 0 kube_read_only_port: 0
kubelet_rotate_server_certificates: true kubelet_rotate_server_certificates: true

2
roles/kubespray-defaults/defaults/main.yaml
View File

@@ -474,7 +474,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
kubelet_authentication_token_webhook: true kubelet_authentication_token_webhook: true
# When enabled, access to the kubelet API requires authorization by delegation to the API server # When enabled, access to the kubelet API requires authorization by delegation to the API server
kubelet_authorization_mode_webhook: true kubelet_authorization_mode_webhook: false
# kubelet uses certificates for authenticating to the Kubernetes API # kubelet uses certificates for authenticating to the Kubernetes API
# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration