From efc408944c1eba5e2709df8f5fd01971f18f989e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?=
Date: Wed, 23 May 2018 23:51:49 +0300
Subject: [PATCH] kubeadm: Improve the kubelet default configuration security-wise
---
 cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go | 1 +
 cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go | 9 +++++----
 cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go | 9 +++++----
 .../util/config/testdata/conversion/master/internal.yaml | 1 +
 .../util/config/testdata/conversion/master/v1alpha2.yaml | 1 +
 .../config/testdata/defaulting/master/defaulted.yaml | 1 +
 6 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
index 3bd46500aa1..54cb51b5263 100644
--- a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
+++ b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
@@ -79,6 +79,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 Enabled: utilpointer.BoolPtr(false),
 },
 },
+ RotateCertificates: true,
 },
 }
 kubeletconfigv1beta1.SetDefaults_KubeletConfiguration(obj.KubeletConfiguration.BaseConfig)
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go
index 9b2b499f6cc..c0439cbc07a 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go
@@ -247,12 +247,13 @@ func SetDefaults_KubeletConfiguration(obj *MasterConfiguration) {
 obj.KubeletConfiguration.BaseConfig.Authorization.Mode = kubeletconfigv1beta1.KubeletAuthorizationModeWebhook
 
 // Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
- // TODO: Enable in a future PR
- // obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
+ obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
 
 // Disable the readonly port of the kubelet, in order to not expose unnecessary information
- // TODO: Enable in a future PR
- // obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
+ obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
+
+ // Enables client certificate rotation for the kubelet
+ obj.KubeletConfiguration.BaseConfig.RotateCertificates = true
 
 // Serve a /healthz webserver on localhost:10248 that kubeadm can talk to
 obj.KubeletConfiguration.BaseConfig.HealthzBindAddress = "127.0.0.1"
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
index 946d3f2e6e8..79782b841a1 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
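Review bot: `obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0` relies on the int32 zero value meaning "disabled", so it is indistinguishable from "unset" once this config is round-tripped through the kubelet's own `kubeletconfigv1beta1.SetDefaults_KubeletConfiguration` (the fuzzer hunk in this patch shows that defaulting being applied to `BaseConfig`) or through a serializer using `omitempty`; if either side re-defaults 0 to 10255, this line silently does nothing and the unauthenticated read-only API stays exposed. Worth pinning with an assertion in the defaulting test that `ReadOnlyPort == 0` survives, and stating the dependency in the comment, e.g. `// Disable the readonly port (10255) of the kubelet; 0 must survive kubelet-side defaulting, otherwise the unauthenticated API stays reachable`. The hunk also turns on `Authentication.Webhook.Enabled`, which makes the kubelet validate bearer tokens via TokenReview calls to the API server, so the node identity needs RBAC permission to create tokenreviews — presumably covered by the built-in `system:node` role, but worth confirming rather than assuming. The enclosing SetDefaults_KubeletConfiguration body continues outside the hunk on both sides.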
@@ -210,12 +210,13 @@ func SetDefaults_KubeletConfiguration(obj *MasterConfiguration) {
 obj.KubeletConfiguration.BaseConfig.Authorization.Mode = kubeletconfigv1beta1.KubeletAuthorizationModeWebhook
 
 // Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
- // TODO: Enable in a future PR
- // obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
+ obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
 
 // Disable the readonly port of the kubelet, in order to not expose unnecessary information
- // TODO: Enable in a future PR
- // obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
+ obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
+
+ // Enables client certificate rotation for the kubelet
+ obj.KubeletConfiguration.BaseConfig.RotateCertificates = true
 
 // Serve a /healthz webserver on localhost:10248 that kubeadm can talk to
 obj.KubeletConfiguration.BaseConfig.HealthzBindAddress = "127.0.0.1"
diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
index aa8c9942bbb..c4b757ab5af 100644
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
@@ -130,6 +130,7 @@ KubeletConfiguration:
 registryBurst: 10
 registryPullQPS: 5
 resolvConf: /etc/resolv.conf
+ rotateCertificates: true
 runtimeRequestTimeout: 2m0s
 serializeImagePulls: true
 staticPodPath: /etc/kubernetes/manifests
diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml
index de6b2724910..7587218a3e7 100644
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml
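Review bot: The comment `// Enables client certificate rotation for the kubelet` above `RotateCertificates = true` understates what the setting depends on: rotation only helps if the kubelet's CSRs are actually approved before the current certificate expires, which needs an approver (presumably the RBAC binding kubeadm creates for the `system:nodes` group — confirm it covers the selfnodeclient path and not only initial bootstrap) and the `RotateKubeletClientCertificate` feature gate being on; without an approver, a node would drop out of the cluster when its first certificate lapses. It also covers only the client certificate, not the serving certificate on 10250, so the API server still cannot verify the kubelet's serving identity. Suggest `// Enable client certificate rotation; requires an approver for the kubelet's CSRs (kubeadm's node auto-approve RBAC) and does not rotate the serving cert (see ServerTLSBootstrap)`. The same applies to the identical v1alpha1 hunk, and the enclosing function continues outside the hunk.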
@@ -123,6 +123,7 @@ kubeletConfiguration:
 registryBurst: 10
 registryPullQPS: 5
 resolvConf: /etc/resolv.conf
+ rotateCertificates: true
 runtimeRequestTimeout: 2m0s
 serializeImagePulls: true
 staticPodPath: /etc/kubernetes/manifests
diff --git a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml b/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml
index a852a56a357..6d7d199da63 100644
--- a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml
@@ -118,6 +118,7 @@ kubeletConfiguration:
 registryBurst: 10
 registryPullQPS: 5
 resolvConf: /etc/resolv.conf
+ rotateCertificates: true
 runtimeRequestTimeout: 2m0s
 serializeImagePulls: true
 staticPodPath: /etc/kubernetes/manifests