205e8adafa
* disable kubelet anonymous-auth
* enable kubelet webhook-(token) authorization
* disable kubelet cadvisor and read-only ports
* listen kubelet only on internal ipv4 ip
* update kubelet certs
* Update heapster RBAC to access kubelets
* update api config to access kubelet over https

Closes-Bug: #1758672
Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba
13 lines
672 B
YAML
---
fixes:
  - |
    Fix bug #1758672 [1] to protect kubelet in the k8s_fedora_atomic driver.
    Before this patch kubelet was listening to 0.0.0.0 and for clusters with
    floating IPs the kubelet was exposed. Also, even on clusters without fips
    the kubelet was exposed inside the cluster. This patch allows access to
    the kubelet only over https and with the appropriate roles. The apiserver
    and heapster have the appropriate roles to access it. Finally, all
    read-only ports have been closed to not expose any cluster data. The only
    remaining open ports without authentication are for healthz.
    [1] https://bugs.launchpad.net/magnum/+bug/1758672
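An added check, not part of this change or of Magnum's code: a small audit that reports, for a kubelet command line, each of the settings the commit message tightens (anonymous auth, webhook authorization, the read-only and cAdvisor ports, and the listen address). The flag names are the real kubelet flags of that Kubernetes generation (--cadvisor-port was later removed upstream); the two sample command lines are constructed for the example.

```python
"""Audit kubelet flags for the hardening this change describes (added example)."""
import ipaddress
from typing import Dict, List


def parse_flags(argv: List[str]) -> Dict[str, str]:
    """Map ['--k=v', '--bool'] to {'k': 'v', 'bool': 'true'}; a bare flag means true."""
    flags: Dict[str, str] = {}
    for arg in argv:
        if arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            flags[key] = value if sep else "true"
    return flags


def audit_kubelet_args(argv: List[str]) -> List[str]:
    """Return findings; an empty list means the kubelet matches the hardened posture."""
    # Fallbacks are the kubelet defaults at the time of this change, so an
    # unset flag is judged exactly as the kubelet would apply it.
    flags = parse_flags(argv)
    findings: List[str] = []
    if flags.get("anonymous-auth", "true") == "true":
        findings.append("anonymous-auth enabled: unauthenticated requests reach the kubelet API")
    if flags.get("authorization-mode", "AlwaysAllow") != "Webhook":
        findings.append("authorization-mode is not Webhook: no RBAC check via the apiserver")
    if flags.get("read-only-port", "10255") != "0":
        findings.append("read-only-port open: pod and node data readable without authentication")
    if flags.get("cadvisor-port", "4194") != "0":
        findings.append("cadvisor-port open: container metrics exposed without authentication")
    addr = flags.get("address", "0.0.0.0")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        findings.append(f"address {addr!r} is not an IP literal")
    else:
        # 0.0.0.0 binds every interface (a floating IP included); a public address is as exposed.
        if ip.is_unspecified or ip.is_global:
            findings.append(f"kubelet listens on {addr}: not limited to the internal network")
    return findings


# Constructed sample command lines (not from a real cluster): the posture the
# bug describes, and the posture after applying the flags this change names.
BEFORE_ARGS = ["/usr/bin/kubelet", "--address=0.0.0.0", "--anonymous-auth=true",
               "--authorization-mode=AlwaysAllow", "--read-only-port=10255",
               "--cadvisor-port=4194"]
AFTER_ARGS = ["/usr/bin/kubelet", "--address=10.0.0.5", "--anonymous-auth=false",
              "--authorization-mode=Webhook", "--read-only-port=0", "--cadvisor-port=0",
              "--client-ca-file=/etc/kubernetes/certs/ca.crt"]
```

Running `audit_kubelet_args(BEFORE_ARGS)` yields five findings, one per weakened setting, while `AFTER_ARGS` yields none.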