refactor: move variable name to kubelet_secure_addresses
alegrey91 committed Aug 28, 2022
1 parent beebc25 commit 1877c5e
Showing 4 changed files with 9 additions and 7 deletions.
8 changes: 5 additions & 3 deletions docs/hardening.md
@@ -86,10 +86,12 @@ kubelet_make_iptables_util_chains: true
kubelet_feature_gates: ["RotateKubeletServerCertificate=true","SeccompDefault=true"]
kubelet_seccomp_default: true
kubelet_systemd_hardening: true
# in case you have multiple interfaces in your
# In case you have multiple interfaces in your
# control plane nodes and you want to specify the right
# IP addresses
kubelet_secure_address: "192.168.10.110 192.168.10.111 192.168.10.112"
# IP addresses, kubelet_secure_addresses allows you
# to specify the IP from which the kubelet
# will receive the packets.
kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112"

# additional configurations
kube_owner: root
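Review bot: the three new comment lines beginning `# IP addresses, kubelet_secure_addresses allows you` read awkwardly and describe the value as "the IP" although the example right below it is a space-separated list of three addresses, and although, paired with `IPAddressDeny=any` in the unit template, what this setting really is is a source-address allowlist. Suggest: `# IP addresses, kubelet_secure_addresses lets you` / `# list the source IPs (space-separated) from which` / `# the kubelet will accept packets.` so the list form and the direction of the filter are explicit in the hardening guide.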
4 changes: 2 additions & 2 deletions docs/vars.md
@@ -208,12 +208,12 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m

**N.B.** To enable this feature, ensure you are using **`cgroup v2`** on your system. Check it out with command: `sudo ls -l /sys/fs/cgroup/*.slice`. If directory does not exists, enable this with the following guide: [enable cgroup v2](https://rootlesscontaine.rs/getting-started/common/cgroup2/#enabling-cgroup-v2).

* *kubelet_secure_address* - By default *kubelet_systemd_hardening* set the **control plane** `ansible_host` IPs as the `kubelet_secure_address`. In case you have multiple interfaces in your control plane nodes and the `kube-apiserver` is not bound to the default interface, you can override them with this variable.
* *kubelet_secure_addresses* - By default *kubelet_systemd_hardening* set the **control plane** `ansible_host` IPs as the `kubelet_secure_addresses`. In case you have multiple interfaces in your control plane nodes and the `kube-apiserver` is not bound to the default interface, you can override them with this variable.
Example:

The **control plane** node may have 2 interfaces with the following IP addresses: `eth0:10.0.0.110`, `eth1:192.168.1.110`.

By default the `kubelet_secure_address` is set with the `10.0.0.110` the ansible control host uses `eth0` to connect to the machine. In case you want to use `eth1` as the outgoing interface on which `kube-apiserver` connects to the `kubelet`s, you should override the variable in this way: `kubelet_secure_address: "192.168.1.110"`.
By default the `kubelet_secure_addresses` is set with the `10.0.0.110` the ansible control host uses `eth0` to connect to the machine. In case you want to use `eth1` as the outgoing interface on which `kube-apiserver` connects to the `kubelet`s, you should override the variable in this way: `kubelet_secure_addresses: "192.168.1.110"`.

* *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
For example, labels can be set in the inventory as variables or more widely in group_vars.
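Review bot: the rewritten bullet and example paragraph carry over the grammar problems of the lines they replace: "*kubelet_systemd_hardening* set the" should be "sets the", and the example sentence needs "because" between "`10.0.0.110`" and "the ansible control host uses `eth0`". Since both lines are being rewritten for the rename anyway, fix them in the same change. It would also help to say plainly that the address to list is the source IP the control plane node uses when it reaches the kubelet, which is what `IPAddressAllow` matches on; "outgoing interface on which `kube-apiserver` connects" points at the same thing but is easy to misread on a multi-homed node where the interface and the source address do not line up.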
2 changes: 1 addition & 1 deletion roles/kubernetes/node/defaults/main.yml
@@ -26,7 +26,7 @@ kubelet_fail_swap_on: true
kubelet_systemd_hardening: false

# List of secure IPs for kubelet
kubelet_secure_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}"
kubelet_secure_addresses: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}"

# Reserve this space for kube resources
kube_memory_reserved: 256Mi
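Review bot: renaming the default without keeping the old name means an inventory that still sets `kubelet_secure_address` keeps deploying but its override is silently ignored: `IPAddressAllow` falls back to the control plane `ansible_host` list, which on a multi-homed control plane is exactly the case vars.md says needs the override, so the apiserver's real source address ends up denied. Suggest either carrying the old name for a release, e.g. `kubelet_secure_addresses: "{{ kubelet_secure_address | default(groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ')) }}"`, or adding a preinstall assertion that fails with a clear message when `kubelet_secure_address` is defined.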
2 changes: 1 addition & 1 deletion roles/kubernetes/node/templates/kubelet.service.j2
@@ -27,7 +27,7 @@ RestartSec=10s
{% if kubelet_systemd_hardening %}
# Hardening setup
IPAddressDeny=any
IPAddressAllow={{ kubelet_secure_address }}
IPAddressAllow={{ kubelet_secure_addresses }}
{% endif %}

[Install]
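Review bot: `IPAddressDeny=any` followed by `IPAddressAllow={{ kubelet_secure_addresses }}` filters packets the kubelet sends as well as packets it receives, because systemd's IP address filtering applies to all AF_INET/AF_INET6 sockets of the unit's cgroup in both directions. With the default value of control plane IPs only, that leaves nothing for the kubelet's own loopback listener (healthz on 127.0.0.1) or for the httpGet/tcpSocket probes the kubelet process opens to pod IPs, and, where the node reaches the apiserver through a local proxy on 127.0.0.1, for that connection either. Has this template been exercised with HTTP probes enabled? If the intent is an inbound allowlist for the apiserver only, the default should at least add systemd's `localhost` keyword and the pod CIDR, or hardening.md should say that `kubelet_secure_addresses` must include them.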