cluster: disable unauthenticated read only port on kubelets

This port was leaking kubelet state, including information on running
pods. No secrets were leaked (if they were not text-pasted into
env/args), but this still shouldn't be available.

As far as I can tell, nothing depends on this port, other than some
enterprise load balancers that require HTTP for node 'health' checks.
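The commit message above describes what the kubelet read-only port (10255 by default, unauthenticated HTTP, `GET /pods` lists every pod the node runs) exposes: full pod specs, including any secret that was pasted inline into `env` or `args` rather than referenced via `secretKeyRef`. The check below is an added example, not code from this repository; it takes a `/pods` response (a constructed sample is embedded, it is not captured from this cluster) and reports the inline env vars and arguments whose names look secret-bearing, so an operator can see exactly what a scrape of the old port would have handed over. The name patterns are assumptions chosen for illustration.

```python
import json
import re
import urllib.request

# Constructed sample of a kubelet read-only port GET /pods response,
# trimmed to the fields this check reads. Not captured from any real node.
SAMPLE_PODS_JSON = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "web-0", "namespace": "prod"},
            "spec": {"containers": [
                {"name": "web",
                 "image": "registry.example/web:1.2",
                 "args": ["--listen=:8080"],
                 "env": [
                     {"name": "LOG_LEVEL", "value": "info"},
                     # inline value: visible to anyone who can reach 10255
                     {"name": "DB_PASSWORD", "value": "hunter2"},
                     # secretKeyRef: the read-only port shows only the reference
                     {"name": "API_TOKEN",
                      "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                 ]},
            ]},
        },
        {
            "metadata": {"name": "worker-0", "namespace": "batch"},
            "spec": {"containers": [
                {"name": "worker",
                 "image": "registry.example/worker:3",
                 "args": ["--queue=jobs", "--s3-secret-key=AKIAEXAMPLEEXAMPLE"],
                 "env": []},
            ]},
        },
    ],
})

# Assumed heuristics: env var names and flag names that usually carry secrets.
SECRET_NAME_RE = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)
SECRET_ARG_RE = re.compile(
    r"--?[\w-]*(passw(or)?d|secret|token|key)[\w-]*=.+", re.I)


def find_leaked_secrets(pods_json: str):
    """Return (namespace/pod/container, kind, name) for every env var with an
    inline value or every argument whose name looks secret-bearing.
    valueFrom references are skipped: the read-only port does not resolve them."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        md = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            loc = f"{md.get('namespace')}/{md.get('name')}/{c.get('name')}"
            for e in c.get("env", []):
                if "value" in e and SECRET_NAME_RE.search(e.get("name", "")):
                    findings.append((loc, "env", e["name"]))
            for a in c.get("args", []) + c.get("command", []):
                if SECRET_ARG_RE.match(a):
                    findings.append((loc, "arg", a.split("=", 1)[0]))
    return findings


def scan_node(host: str, port: int = 10255, timeout: float = 5.0):
    """Fetch /pods from a node's read-only port and scan it. After this commit
    the connection should simply be refused; a successful fetch means the
    port is still open. Hypothetical helper, needs network access."""
    with urllib.request.urlopen(f"http://{host}:{port}/pods", timeout=timeout) as r:
        return find_leaked_secrets(r.read().decode())


if __name__ == "__main__":
    for loc, kind, name in find_leaked_secrets(SAMPLE_PODS_JSON):
        print(f"{loc}: inline {kind} {name!r} would be exposed via read-only port")
```

Run against the embedded sample it reports the `DB_PASSWORD` env var and the `--s3-secret-key` argument and ignores the `secretKeyRef`, which is the distinction the commit message draws. Once `--read-only-port=0` is rolled out, `scan_node(<node>)` should fail to connect at all; a node where it still answers has not picked up the new kubelet flags.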

Change-Id: I9549b73e0168fe3ea4dce43cbe8fdc2ca4575961
master
q3k 2019-09-02 16:29:53 +02:00
parent 896926c921
commit 42553cd044
1 changed file with 2 additions and 1 deletion


@ -221,7 +221,8 @@ in rec {
kubeconfig = pki.kube.kubelet.config;
extraOpts = ''
--cni-conf-dir=/opt/cni/conf \
--cni-bin-dir=/opt/cni/bin
--cni-bin-dir=/opt/cni/bin \
--read-only-port=0
'';
};
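Review bot: the new `--read-only-port=0` line carries no comment explaining why the port is closed, and the commit message is the only place that records the trade-off (enterprise load balancers that want plain HTTP for node health checks will lose this endpoint). Since `extraOpts` is an opaque string that a future edit may reorder or trim, consider a short Nix comment above the `extraOpts = ''` line, e.g. `# Read-only kubelet port leaks pod specs unauthenticated; keep it disabled.`, so the reason survives in the config itself.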