Skip to content

Commit efa07b8

Browse files
author
Yoan Moscatelli
committed
k8s control plane hardening
1 parent 0ff4395 commit efa07b8

1 file changed

Lines changed: 5 additions & 1 deletion

File tree

salt/metalk8s/kubernetes/apiserver/installed.sls

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,17 +85,21 @@ Create kube-apiserver Pod manifest:
8585
- kube-apiserver
8686
- --advertise-address={{ host }}
8787
- --allow-privileged=true
88+
- --anonymous-auth=false
8889
- --authorization-mode=Node,RBAC
8990
- --client-ca-file=/etc/kubernetes/pki/ca.crt
90-
- --enable-admission-plugins=NodeRestriction
91+
- --disable-admission-plugins=DenyServiceExternalIPs
92+
- --enable-admission-plugins=NodeRestriction,AlwaysPullImages
9193
- --enable-bootstrap-token-auth=true
9294
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
9395
- --etcd-certfile={{ certificates.client.files['apiserver-etcd'].path }}
9496
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
9597
- --etcd-servers={{ etcd_servers | join(",") }}
98+
- --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
9699
- --kubelet-client-certificate={{ certificates.client.files['apiserver-kubelet'].path }}
97100
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
98101
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
102+
- --profiling=false
99103
- --proxy-client-cert-file={{ certificates.client.files['front-proxy'].path }}
100104
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
101105
- --requestheader-allowed-names=front-proxy-client

0 commit comments

Comments
 (0)