Merge "Improve security of default and example configurations"

This commit is contained in:
Zuul 2018-10-03 15:14:07 +00:00 committed by Gerrit Code Review
commit bd9a1b00ca
5 changed files with 22 additions and 5 deletions


@ -54,6 +54,7 @@ command_prefix:
- --node-monitor-grace-period=20s
- --pod-eviction-timeout=60s
- --service-cluster-ip-range=10.96.0.0/16
- --terminated-pod-gc-threshold=1000
secrets:
tls:
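Review bot: The new `--terminated-pod-gc-threshold=1000` line has no explanation, whereas the other flags this change adds get a NOTE comment, so its place in a hardening commit is not obvious to the next maintainer. A one-line comment above it would do, e.g. `# Cap the number of terminated pods kept in the API before the controller-manager's pod GC deletes them (upstream default is 12500)`; I believe 12500 is the upstream default, but confirm it against the docs for the pinned kube-controller-manager version. The hunk header counts 7 new lines while only 6 are rendered here, so one line of this section may not be visible on the page.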


@ -14,9 +14,11 @@ data:
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
- --repair-malformed-updates=false
armada:
target_manifest: cluster-bootstrap
labels:
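Review bot: The NOTE above `--repair-malformed-updates=false` says the flag is removed in Kubernetes 1.11 but not what to do about it; an apiserver started with an unknown flag exits immediately, so the first image bump past 1.10 will break cluster bootstrap unless someone remembers this line. I would extend the comment to name the action: `# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11 -- delete this line before bumping the apiserver image (I believe 1.11 behaves as if it were false; confirm in the release notes).` The same hunk appears in the example configuration in the `@ -743,9 +743,11 @@` section below and needs the identical comment. Separately, `--admission-control` was deprecated in favour of `--enable-admission-plugins` in 1.10; if the pinned apiserver is already 1.10 the switch would avoid a second removal surprise, though the image version is not visible from this page.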


@ -15,7 +15,8 @@ data:
- --network-plugin=cni
- --node-status-update-frequency=5s
- --serialize-image-pulls=false
- --v=5
- --anonymous-auth=false
- --v=3
images:
pause: gcr.io/google_containers/pause-amd64:3.0
...
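Review bot: `--anonymous-auth=false` only makes the kubelet reject requests that carry no credentials; whether an authenticated caller is then allowed anything is decided by the kubelet's `--authorization-mode`, which this hunk does not set and whose default (AlwaysAllow) admits every authenticated identity. If the rest of this file, outside the hunk, does not already pass `--authorization-mode=Webhook` and a `--client-ca-file`, the apiserver's kubelet client will also need a certificate signed by that CA, or `logs`/`exec` start failing as soon as anonymous access is closed. A comment above the flag would make that dependency visible, e.g. `# Requires the apiserver to authenticate to the kubelet (client cert or webhook); pair with --authorization-mode=Webhook`. The drop from `--v=5` to `--v=3` is harmless but reads as unrelated to the hardening in the commit title.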


@ -743,9 +743,11 @@ data:
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
- --repair-malformed-updates=false
apiserver:
etcd:
endpoints: https://127.0.0.1:2378


@ -2,8 +2,15 @@
#
resolvconf --disable-updates
mkdir -p /etc/kubernetes
chmod 700 /etc/kubernetes
CURATED_DIRS=(
/etc/kubernetes
/var/lib/etcd
)
for DIR in "${CURATED_DIRS[@]}"; do
mkdir -p "${DIR}"
chmod 700 "${DIR}"
done
# Unpack prepared files into place
#
@ -15,6 +22,10 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
{{ decrypt_teardown_command }}
set -x
for DIR in "${CURATED_DIRS[@]}"; do
chmod go-rwx "${DIR}"
done
# Adding apt repositories
#
set +x
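Review bot: In the first hunk each curated directory is created with `mkdir -p` and only afterwards tightened with `chmod 700`, so a directory that did not exist yet is briefly readable under a permissive umask; `mkdir -p -m 700 "${DIR}"` closes that window for the final path component while the existing `chmod` still covers directories that were already there. Neither that loop nor the `chmod go-rwx` pass after the unpack recurses, so files the tarball writes under `/etc/kubernetes` and `/var/lib/etcd` keep whatever modes the archive recorded and are fenced only by the parent directory; if that is intended, a comment such as `# non-recursive on purpose: the parent 0700 fences the contents` would stop a later reviewer from "fixing" it, otherwise `chmod -R go-rwx "${DIR}"` is the stricter form. The rendered page shows fewer lines than the two hunk headers count (14 vs 15 and 8 vs 10), so one or two lines of the new script are not visible here.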