diff --git a/docs/hardening.md b/docs/hardening.md index 7a5cddb8544..b91d9e66cf9 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -74,7 +74,6 @@ kube_kubeadm_scheduler_extra_args: etcd_deployment_type: kubeadm ## kubelet -kubelet_authorization_mode_webhook: true kubelet_authentication_token_webhook: true kube_read_only_port: 0 kubelet_rotate_server_certificates: true diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 364b821290e..82053c71fef 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -474,7 +474,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}" kubelet_authentication_token_webhook: true # When enabled, access to the kubelet API requires authorization by delegation to the API server -kubelet_authorization_mode_webhook: true +kubelet_authorization_mode_webhook: false # kubelet uses certificates for authenticating to the Kubernetes API # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration