Merge "Improve security of default and example configurations"
commit
bd9a1b00ca
|
@ -54,6 +54,7 @@ command_prefix:
|
|||
- --node-monitor-grace-period=20s
|
||||
- --pod-eviction-timeout=60s
|
||||
- --service-cluster-ip-range=10.96.0.0/16
|
||||
- --terminated-pod-gc-threshold=1000
|
||||
|
||||
secrets:
|
||||
tls:
|
||||
|
|
|
@ -14,9 +14,11 @@ data:
|
|||
command_prefix:
|
||||
- /apiserver
|
||||
- --authorization-mode=Node,RBAC
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
||||
- --service-cluster-ip-range=10.96.0.0/16
|
||||
- --endpoint-reconciler-type=lease
|
||||
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||
- --repair-malformed-updates=false
|
||||
armada:
|
||||
target_manifest: cluster-bootstrap
|
||||
labels:
|
||||
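Review bot: The new `NodeRestriction` line still uses `--admission-control`, the flag Kubernetes 1.10 deprecated in favour of `--enable-admission-plugins`; since this hunk already tracks 1.11 removals (the `--repair-malformed-updates` NOTE), the same list could be written as `- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction`. `NodeRestriction` only constrains kubelets that authenticate as `system:node:<name>` in group `system:nodes`, which the `Node` authorizer on the line above relies on too; a one-line comment above the flag, e.g. `# NodeRestriction/Node authorizer require kubelets to use system:node credentials`, records that dependency for whoever edits the kubelet config. The same change appears in the second apiserver hunk at `@ -743,9 +743,11 @@` and the same note applies there.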
|
|
|
@ -15,7 +15,8 @@ data:
|
|||
- --network-plugin=cni
|
||||
- --node-status-update-frequency=5s
|
||||
- --serialize-image-pulls=false
|
||||
- --v=5
|
||||
- --anonymous-auth=false
|
||||
- --v=3
|
||||
images:
|
||||
pause: gcr.io/google_containers/pause-amd64:3.0
|
||||
...
|
||||
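Review bot: `--anonymous-auth=false` closes the anonymous path on the kubelet's authenticated port, but the hunk shows no `--client-ca-file` or `--authentication-token-webhook`; if neither is set elsewhere in this list, every request to the kubelet API, including the apiserver's logs/exec calls, is rejected rather than authenticated. Authorization is unchanged here, so under the kubelet's default `AlwaysAllow` any client that does authenticate still has full access; `--authorization-mode=Webhook` delegates that decision to the apiserver. Neither flag affects the read-only port, which `--read-only-port=0` disables when nothing depends on it. The enclosing list starts before this hunk, so some of these may already be present.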
|
|
|
@ -743,9 +743,11 @@ data:
|
|||
command_prefix:
|
||||
- /apiserver
|
||||
- --authorization-mode=Node,RBAC
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
||||
- --service-cluster-ip-range=10.96.0.0/16
|
||||
- --endpoint-reconciler-type=lease
|
||||
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||
- --repair-malformed-updates=false
|
||||
apiserver:
|
||||
etcd:
|
||||
endpoints: https://127.0.0.1:2378
|
||||
|
|
|
@ -2,8 +2,15 @@
|
|||
#
|
||||
resolvconf --disable-updates
|
||||
|
||||
mkdir -p /etc/kubernetes
|
||||
chmod 700 /etc/kubernetes
|
||||
CURATED_DIRS=(
|
||||
/etc/kubernetes
|
||||
/var/lib/etcd
|
||||
)
|
||||
|
||||
for DIR in "${CURATED_DIRS[@]}"; do
|
||||
mkdir -p "${DIR}"
|
||||
chmod 700 "${DIR}"
|
||||
done
|
||||
|
||||
# Unpack prepared files into place
|
||||
#
|
||||
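Review bot: The new loop sets the mode with `chmod 700 "${DIR}"` while the matching loop in the later hunk (`@ -15,6 +22,10 @@`) uses `chmod go-rwx "${DIR}"`; the two are not equivalent, since `700` replaces the whole mode (clearing any setgid or sticky bit) whereas `go-rwx` only strips group and other bits. Using one form in both loops saves the reader from working out whether the difference is deliberate, and `chmod go-rwx "${DIR}"` is the less surprising choice on a directory that may already exist. The script's `set` options are outside the hunk, so whether a failed `mkdir` aborts the run cannot be seen here.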
|
@ -15,6 +22,10 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
|
|||
{{ decrypt_teardown_command }}
|
||||
set -x
|
||||
|
||||
for DIR in "${CURATED_DIRS[@]}"; do
|
||||
chmod go-rwx "${DIR}"
|
||||
done
|
||||
|
||||
# Adding apt repositories
|
||||
#
|
||||
set +x
|
||||
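Review bot: `chmod go-rwx "${DIR}"` in the new loop is not recursive, so it re-protects only the directory entries that the extraction on the header line (presumably `tar`, run as root, which restores archive modes by default) may have reset; files and subdirectories from the tarball keep whatever modes the archive carried. That is sufficient only as long as the parent directories stay 0700, so the intent deserves a comment such as `# tar as root restores the archived mode on the directory itself; re-apply after extraction`, or the reset can be avoided at the source with `--no-same-permissions` on the tar invocation. The script continues beyond this hunk, so later steps that relax these modes are not visible here.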
|
|