External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-03-11 14:39:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

feat: add kubelet systemd service hardening option (#9194)

Browse Source 
* feat: add kubelet systemd service hardening option

* refactor: move variable name to kubelet_secure_addresses

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* docs: add diagram about kubelet_secure_addresses variable

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
This commit is contained in:
Alessio Greggi
2022-08-30 20:18:55 +02:00
committed by GitHub
parent 220f149299
commit acb6f243fd
5 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/kubernetes/node/defaults/main.yml
View File

@@ -22,6 +22,12 @@ kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
### fail with swap on (default true)
kubelet_fail_swap_on: true
# Set systemd service hardening features
kubelet_systemd_hardening: false
# List of secure IPs for kubelet
kubelet_secure_addresses: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}"
# Reserve this space for kube resources
kube_memory_reserved: 256Mi
kube_cpu_reserved: 100m