epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2025-12-13 21:34:40 +03:00
Code Issues Packages Projects Releases Wiki Activity

Documentation - hardening.md - etcd_deployment_type: host (#12520)

Browse Source 
* Fix for #12447

Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>

* Update hardening.md

Co-authored-by: spatterlight <81454789+spatterIight@users.noreply.github.com>

---------

Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>
Co-authored-by: spatterlight <81454789+spatterIight@users.noreply.github.com>
This commit is contained in:
Bas
2025-10-06 11:07:00 +02:00
committed by GitHub
parent 270ff65992
commit 9ded45f703
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/operations/hardening.md
View File

@@ -81,7 +81,11 @@ kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]
kube_scheduler_bind_address: 127.0.0.1 kube_scheduler_bind_address: 127.0.0.1
## etcd ## etcd
etcd_deployment_type: kubeadm # Running etcd (on dedicated hosts) outside the Kubernetes cluster is the most secure deployment option,
# as it isolates etcd from the cluster's CNI network and removes direct pod-level attack vectors.
# This approach prevents RBAC misconfigurations that potentially compromise etcd,
# creating an additional security boundary that protects the cluster's critical state store.
etcd_deployment_type: host
## kubelet ## kubelet
kubelet_authorization_mode_webhook: true kubelet_authorization_mode_webhook: true