diff --git a/docs/hardening.md b/docs/hardening.md
index 33d40e5406d..f56e4b37c1a 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -86,10 +86,12 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true","SeccompDefault=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
-# in case you have multiple interfaces in your
+# In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
-# IP addresses
-kubelet_secure_address: "192.168.10.110 192.168.10.111 192.168.10.112"
+# IP addresses, kubelet_secure_addresses allows you
+# to specify the IP from which the kubelet
+# will receive the packets.
+kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112"
 # additional configurations
 kube_owner: root
diff --git a/docs/vars.md b/docs/vars.md
index ee683e13d34..1fde812d3db 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -208,12 +208,12 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
 **N.B.** To enable this feature, ensure you are using the **`cgroup v2`** on your system. Check it out with command: `sudo ls -l /sys/fs/cgroup/*.slice`. If directory does not exists, enable this with the following guide: [enable cgroup v2](https://rootlesscontaine.rs/getting-started/common/cgroup2/#enabling-cgroup-v2).
- * *kubelet_secure_address* - By default *kubelet_systemd_hardening* set the **control plane** `ansible_host` IPs as the `kubelet_secure_address`. In case you have multiple interfaces in your control plane nodes and the `kube-apiserver` is not bound to the default interface, you can override them with this variable.
+ * *kubelet_secure_addresses* - By default *kubelet_systemd_hardening* set the **control plane** `ansible_host` IPs as the `kubelet_secure_addresses`. In case you have multiple interfaces in your control plane nodes and the `kube-apiserver` is not bound to the default interface, you can override them with this variable.
 Example: The **control plane** node may have 2 interfaces with the following IP addresses: `eth0:10.0.0.110`, `eth1:192.168.1.110`.
- By default the `kubelet_secure_address` is set with the `10.0.0.110` the ansible control host uses `eth0` to connect to the machine. In case you want to use `eth1` as the outgoing interface on which `kube-apiserver` connects to the `kubelet`s, you should override the variable in this way: `kubelet_secure_address: "192.168.1.110"`.
+ By default the `kubelet_secure_addresses` is set with the `10.0.0.110` the ansible control host uses `eth0` to connect to the machine. In case you want to use `eth1` as the outgoing interface on which `kube-apiserver` connects to the `kubelet`s, you should override the variable in this way: `kubelet_secure_addresses: "192.168.1.110"`.
 * *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
For example, labels can be set in the inventory as variables or more widely in group_vars.
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 46ba07c5c0b..6cf237ea199 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -26,7 +26,7 @@ kubelet_fail_swap_on: true
 kubelet_systemd_hardening: false
 # List of secure IPs for kubelet
-kubelet_secure_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}"
+kubelet_secure_addresses: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}"
 # Reserve this space for kube resources
 kube_memory_reserved: 256Mi
diff --git a/roles/kubernetes/node/templates/kubelet.service.j2 b/roles/kubernetes/node/templates/kubelet.service.j2
index e3dd89e4de5..feb83742452 100644
--- a/roles/kubernetes/node/templates/kubelet.service.j2
+++ b/roles/kubernetes/node/templates/kubelet.service.j2
@@ -27,7 +27,7 @@ RestartSec=10s
 {% if kubelet_systemd_hardening %}
 # Hardening setup
 IPAddressDeny=any
-IPAddressAllow={{ kubelet_secure_address }}
+IPAddressAllow={{ kubelet_secure_addresses }}
 {% endif %}
 [Install]
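Review bot: The inventory variable is renamed in the default without any fallback for the old name, so an inventory that still sets `kubelet_secure_address` has its override silently ignored and `IPAddressAllow` in the kubelet.service.j2 hunk reverts to the control-plane `ansible_host` list — a hardening setting that stops applying with no error at all. A compatibility default in this hunk would keep existing overrides working, e.g. `kubelet_secure_addresses: "{{ kubelet_secure_address | default(groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ')) }}"`, with a comment marking the old name as deprecated; alternatively, if the repository has a pre-flight check for deprecated variables, adding `kubelet_secure_address` there would make the upgrade fail loudly instead. The comment `# List of secure IPs for kubelet` could also state that the value is a space-separated string consumed by systemd's `IPAddressAllow=`, since the name suggests a YAML list.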