forked from hswaw/hscloud
cluster: disable unauthenticated read only port on kubelets
This port was leaking kubelet state, including information on running pods. No secrets were leaked (if they were not text-pasted into env/args), but this still shouldn't be available. As far as I can tell, nothing depends on this port, other than some enterprise load balancers that require HTTP for node 'health' checks.

Change-Id: I9549b73e0168fe3ea4dce43cbe8fdc2ca4575961

master
parent
896926c921
commit
42553cd044
|
@ -221,7 +221,8 @@ in rec {
|
|||
kubeconfig = pki.kube.kubelet.config;
|
||||
extraOpts = ''
|
||||
--cni-conf-dir=/opt/cni/conf \
|
||||
--cni-bin-dir=/opt/cni/bin
|
||||
--cni-bin-dir=/opt/cni/bin \
|
||||
--read-only-port=0
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
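Review bot: The new `--read-only-port=0` line at the end of `extraOpts` has no explanation in the file, so the reason for it lives only in the commit message. Consider a Nix `#` comment directly above `extraOpts = ''` (not inside the `''` string, where it would become part of the kubelet arguments) saying that the unauthenticated read-only port is disabled on purpose and that HTTP node health checks cannot rely on it. The backslash added after `--cni-bin-dir=/opt/cni/bin` is required for the continuation, and the new last line correctly has none. Since the message says only that nothing is known to depend on the port, a post-deploy check that the kubelet on each node no longer listens on it would confirm the flag took effect.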