feat: add kubelet systemd service hardening option (#9194)

* feat: add kubelet systemd service hardening option

* refactor: move variable name to kubelet_secure_addresses

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* docs: add diagram about kubelet_secure_addresses variable

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

roles/kubernetes/node/defaults/main.yml

@@ -22,6 +22,12 @@ kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
 ### fail with swap on (default true)
 kubelet_fail_swap_on: true
 
+# Set systemd service hardening features
+kubelet_systemd_hardening: false
+
+# List of secure IPs for kubelet
+kubelet_secure_addresses: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}"
+
 # Reserve this space for kube resources
 kube_memory_reserved: 256Mi
 kube_cpu_reserved: 100m

roles/kubernetes/node/templates/kubelet.service.j2

@@ -24,6 +24,11 @@ ExecStart={{ bin_dir }}/kubelet \
 		$KUBELET_CLOUDPROVIDER
 Restart=always
 RestartSec=10s
+{% if kubelet_systemd_hardening %}
+# Hardening setup
+IPAddressDeny=any
+IPAddressAllow={{ kubelet_secure_addresses }}
+{% endif %}
 
 [Install]
 WantedBy=multi-user.target