✨ Apply md-0 KubeletConfiguration security hardening to control-plane #2015
Open
ashish1099 wants to merge 1 commit into
kct-md-0-ubuntu.yaml ships a /etc/kubernetes/kubelet/config.yaml file
with the modern KubeletConfiguration shape and a hardened default
profile — anonymous=false, webhook auth/authz, eventRecordQPS=5,
readOnlyPort=0, serverTLSBootstrap=true, an explicit TLS cipher-suite
allow-list. The control-plane KCP templates (hcloud-kcp-ubuntu.yaml,
hetznerbaremetal-kcp-ubuntu.yaml) just have a minimal kubeletExtraArgs
list — no hardening, no KubeletConfiguration file.
Apply the same KubeletConfiguration file on the control plane:
- Replace the max-pods + resolv-conf kubeletExtraArgs entries with
a single --config pointer at /etc/kubernetes/kubelet/config.yaml.
- Add the new file under spec.kubeadmConfigSpec.files, identical in
shape to md-0's, with maxPods set to 120 (control-plane-appropriate)
instead of md-0's 220.
- Keep --cloud-provider=external as a kubeletExtraArg since it isn't
expressible via KubeletConfiguration and is set the same way upstream
in md-0.
Both initConfiguration and joinConfiguration get the same treatment
in each file, so a fresh init and a subsequent control-plane join
land on the same kubelet config.
Why this matters:
- md-0 nodes refuse anonymous kubelet API requests, run with
serverTLSBootstrap, and restrict event-record QPS; control-plane
nodes (which run the most sensitive workloads on the cluster) do
not. That asymmetry has no defensible reason.
- Single file is easier to audit than a flag-list. KubeletConfiguration
also gives access to fields without CLI flag equivalents (event
record QPS, server TLS bootstrap), so the hardening profile is
expressible end-to-end.
- max-pods stays at 120 (vs md-0's 220) because control-plane nodes
are sized smaller and typically only run system pods; bumping
further has historically caused etcd pressure.
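An added illustration of the kubeadmConfigSpec shape the description lays out, not the repository's own template: it assumes kubeadm's v1beta3 map-style kubeletExtraArgs, and the cipher allow-list, resolvConf path and clusterDNS address are constructed values. It also carries staticPodPath and clientCAFile, which kubeadm normally writes into its own kubelet config file, because a kubelet pointed at a replacement --config file reads only that file.

```yaml
# Added example, not the repository's own template: the control-plane
# kubeadmConfigSpec shape described in the PR. Cipher list, resolvConf and
# the kubeadm-managed fields (staticPodPath, clientCAFile, clusterDNS) are assumed.
spec:
  kubeadmConfigSpec:
    files:
      - path: /etc/kubernetes/kubelet/config.yaml
        owner: root:root
        permissions: "0600"
        content: |
          apiVersion: kubelet.config.k8s.io/v1beta1
          kind: KubeletConfiguration
          staticPodPath: /etc/kubernetes/manifests   # control-plane static pods
          authentication:
            anonymous:
              enabled: false       # unauthenticated requests to :10250 are rejected
            webhook:
              enabled: true        # bearer tokens validated via TokenReview
            x509:
              clientCAFile: /etc/kubernetes/pki/ca.crt
          authorization:
            mode: Webhook          # SubjectAccessReview instead of AlwaysAllow
          readOnlyPort: 0          # no unauthenticated :10255 read-only API
          serverTLSBootstrap: true # serving cert issued by the cluster CA and rotated
          rotateCertificates: true
          eventRecordQPS: 5        # cap on events a node can emit per second
          tlsCipherSuites:         # AEAD-only, forward-secret suites
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
          maxPods: 120             # control-plane value; md-0 uses 220
          clusterDNS:
            - 10.96.0.10           # assumed default service CIDR DNS address
          resolvConf: /run/systemd/resolve/resolv.conf  # assumed Ubuntu systemd-resolved path
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          config: /etc/kubernetes/kubelet/config.yaml  # replaces max-pods and resolv-conf flags
          cloud-provider: external                     # no KubeletConfiguration equivalent
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          config: /etc/kubernetes/kubelet/config.yaml
          cloud-provider: external
```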