Merge "Improve security of default and example configurations"
commit
bd9a1b00ca
|
@ -54,6 +54,7 @@ command_prefix:
|
||||||
- --node-monitor-grace-period=20s
|
- --node-monitor-grace-period=20s
|
||||||
- --pod-eviction-timeout=60s
|
- --pod-eviction-timeout=60s
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
|
- --terminated-pod-gc-threshold=1000
|
||||||
|
|
||||||
secrets:
|
secrets:
|
||||||
tls:
|
tls:
|
||||||
|
|
|
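Review bot: The added `--terminated-pod-gc-threshold=1000` carries no comment explaining the number, and the enclosing command_prefix list starts before this hunk. It lowers the controller-manager's upstream default (12500) so that terminated pods are garbage-collected sooner and cannot pile up as objects in etcd, which is the security-relevant part of the change and should not have to be guessed by the next reader. I would put, on the line above it, `# Lower than the upstream default so terminated pods are GC'd before they accumulate in etcd`.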
@ -14,9 +14,11 @@ data:
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
|
- --repair-malformed-updates=false
|
||||||
armada:
|
armada:
|
||||||
target_manifest: cluster-bootstrap
|
target_manifest: cluster-bootstrap
|
||||||
labels:
|
labels:
|
||||||
|
|
|
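Review bot: `NodeRestriction` only has an effect when every kubelet authenticates with a `system:node:<name>` identity in the `system:nodes` group, and nothing in this hunk, nor in the identical change at `@ -743,9 +743,11 @@`, shows how kubelet credentials are issued; that should be confirmed against the PKI templates before the plugin is relied on. The two admission lists are now byte-for-byte duplicates, so a comment on each, `# Keep in sync with the duplicate apiserver list in the other changed manifest`, would stop them drifting apart. The NOTE above `--repair-malformed-updates=false` says the flag disappears in 1.11 but not what that means operationally; since kube-apiserver aborts on an unknown flag, `# Remove before the apiserver image moves to 1.11+, an unknown flag aborts startup` makes the required action explicit. The command_prefix list continues outside the hunk.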
@ -15,7 +15,8 @@ data:
|
||||||
- --network-plugin=cni
|
- --network-plugin=cni
|
||||||
- --node-status-update-frequency=5s
|
- --node-status-update-frequency=5s
|
||||||
- --serialize-image-pulls=false
|
- --serialize-image-pulls=false
|
||||||
- --v=5
|
- --anonymous-auth=false
|
||||||
|
- --v=3
|
||||||
images:
|
images:
|
||||||
pause: gcr.io/google_containers/pause-amd64:3.0
|
pause: gcr.io/google_containers/pause-amd64:3.0
|
||||||
...
|
...
|
||||||
|
|
|
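Review bot: `--anonymous-auth=false` closes unauthenticated access to the kubelet API, but the rest of the kubelet command_prefix lies outside this hunk and nothing shown sets `--client-ca-file` or `--authorization-mode=Webhook`; with the kubelet defaults, any caller that does authenticate is still granted everything (`AlwaysAllow`), and the API server's exec/logs/port-forward proxying will fail unless it presents a client certificate the kubelet trusts. Worth confirming those two flags are set elsewhere and, if so, tying them together with a comment here, `# Pair with --client-ca-file and --authorization-mode=Webhook so authenticated callers are still authorized`. Dropping verbosity from 5 to 3 is unrelated to the security goal and would read better as its own change.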
@ -743,9 +743,11 @@ data:
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
|
- --repair-malformed-updates=false
|
||||||
apiserver:
|
apiserver:
|
||||||
etcd:
|
etcd:
|
||||||
endpoints: https://127.0.0.1:2378
|
endpoints: https://127.0.0.1:2378
|
||||||
|
|
|
@ -2,8 +2,15 @@
|
||||||
#
|
#
|
||||||
resolvconf --disable-updates
|
resolvconf --disable-updates
|
||||||
|
|
||||||
mkdir -p /etc/kubernetes
|
CURATED_DIRS=(
|
||||||
chmod 700 /etc/kubernetes
|
/etc/kubernetes
|
||||||
|
/var/lib/etcd
|
||||||
|
)
|
||||||
|
|
||||||
|
for DIR in "${CURATED_DIRS[@]}"; do
|
||||||
|
mkdir -p "${DIR}"
|
||||||
|
chmod 700 "${DIR}"
|
||||||
|
done
|
||||||
|
|
||||||
# Unpack prepared files into place
|
# Unpack prepared files into place
|
||||||
#
|
#
|
||||||
|
@ -15,6 +22,10 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
|
||||||
{{ decrypt_teardown_command }}
|
{{ decrypt_teardown_command }}
|
||||||
set -x
|
set -x
|
||||||
|
|
||||||
|
for DIR in "${CURATED_DIRS[@]}"; do
|
||||||
|
chmod go-rwx "${DIR}"
|
||||||
|
done
|
||||||
|
|
||||||
# Adding apt repositories
|
# Adding apt repositories
|
||||||
#
|
#
|
||||||
set +x
|
set +x
|
||||||
|
|
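Review bot: The post-extraction loop at `chmod go-rwx "${DIR}"` only resets the mode of the two curated directories themselves, so every file and subdirectory unpacked by `tar` keeps whatever mode is stored in the archive; the 700 on the parent is then the single barrier, and anything that later relaxes /etc/kubernetes or /var/lib/etcd (a package postinst, config management) exposes the material inside. Either enforce modes when the tarball is packed, or make the fix-up recursive, `chmod -R go-rwx "${DIR}"`, provided nothing in those trees needs wider permissions (I cannot tell from here whether etcd runs as a non-root user). The pre-extraction loop in the previous hunk would then only matter for the `mkdir -p`. The extraction line itself runs before this hunk.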