Security best practice fixes (#1783)

* Disable basic and token auth by default * Add recommended security params * allow basic auth to fail in tests * Enable TLS authentication for kubelet
2026-03-09 03:37:36 +03:00 · 2017-10-15 20:41:17 +01:00
parent 66e5e14bac
commit d487b2f927
9 changed files with 23 additions and 8 deletions
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -48,7 +48,7 @@ apiServerExtraArgs:
 {% endif %}
  storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
-  runtime-config: {{ kube_api_runtime_config }}
+  runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
  allow-privileged: "true"
 controllerManagerExtraArgs:
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -40,6 +40,11 @@ spec:
    - --service-cluster-ip-range={{ kube_service_addresses }}
    - --service-node-port-range={{ kube_apiserver_node_port_range }}
    - --client-ca-file={{ kube_cert_dir }}/ca.pem
+    - --profiling=false
+    - --repair-malformed-updates=false
+    - --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
+    - --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
+    - --service-account-lookup=true
 {% if kube_basic_auth|default(true) %}
    - --basic-auth-file={{ kube_users_dir }}/known_users.csv
 {% endif %}
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -37,9 +37,11 @@ spec:
    - --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }}
    - --node-monitor-period={{ kube_controller_node_monitor_period }}
    - --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
+    - --profiling=false
+    - --terminated-pod-gc-threshold=12500
    - --v={{ kube_log_level }}
 {% if rbac_enabled %}
-    - --use-service-account-credentials
+    - --use-service-account-credentials=true
 {% endif %}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
    - --cloud-provider={{cloud_provider}}
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -28,6 +28,7 @@ spec:
    - scheduler
    - --leader-elect=true
    - --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml
+    - --profiling=false
    - --v={{ kube_log_level }}
 {% if kube_feature_gates %}
    - --feature-gates={{ kube_feature_gates|join(',') }}