Secure Kubelet's componentconfig defaults while maintaining CLI compatibility #59666
This updates the Kubelet's componentconfig defaults, while applying the legacy defaults to values from options.NewKubeletConfiguration(). This keeps defaults the same for the command line and improves the security of defaults when you load config from a file.
We should find a way of generating documentation for config file defaults, so that people can easily look up what's different from flags.
Feb 9, 2018
[APPROVALNOTIFIER] This PR is APPROVED
Feb 14, 2018
12 of 13 checks passed
Feb 15, 2018
Experiencing this on 1.6.14 (Rancher) running Kubernetes 1.8.6 - lock down ports first - upgrading now
ubuntu@cd-r:~$ sudo ps -ef | grep stratum
No. Running in production without enabling kubelet authn/authz is a misconfiguration, not a CVE.
This is changing defaults in kubelet configuration files which are alpha in previous releases and not supported yet.
@sathieu kubeadm enables kubelet authorization (https://github.com/kubernetes/release/blob/master/rpm/10-kubeadm-pre-1.8.conf#L6), so anonymous requests cannot make kubelet API calls by default (they get 403 forbidden errors)
But this doesn't apply to the readonly port:
(tested on 1.9.4).
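
An added example, not part of this thread or of the Kubernetes code base: a small audit of kubelet command lines for the three settings the comments above discuss (anonymous auth, authorization mode, read-only port). It assumes the legacy flag defaults `--anonymous-auth=true`, `--authorization-mode=AlwaysAllow` and `--read-only-port=10255`, assumes explicit flags override a `--config` file, and uses constructed sample command lines; the finding names are invented for this example.

```python
import shlex

# Assumed legacy kubelet flag defaults, used when a flag is absent and no --config file is loaded.
LEGACY_DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow", "read-only-port": "10255"}
BOOL_FLAGS = {"anonymous-auth"}      # boolean flags only take a value via "="
TRUE_VALUES = {"1", "t", "true"}     # Go-style truthy spellings, lower-cased
# Constructed sample command lines (not taken from the thread).
SAMPLES = [
    "kubelet --kubeconfig=/etc/kubernetes/kubelet.conf",
    "kubelet --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt",
    "kubelet --config=/var/lib/kubelet/config.yaml --read-only-port=0",
]

def effective_settings(cmdline):
    """Resolve the audited settings; None = flag absent and --config loaded, so the file decides."""
    args = shlex.split(cmdline)
    has_config = any(a.lstrip("-").split("=")[0] == "config" for a in args if a.startswith("-"))
    settings = {k: (None if has_config else v) for k, v in LEGACY_DEFAULTS.items()}
    for i, arg in enumerate(args):
        if not arg.startswith("-"):
            continue
        name, eq, value = arg.lstrip("-").partition("=")
        if name not in settings:
            continue
        if eq:
            settings[name] = value
        elif name in BOOL_FLAGS:
            settings[name] = "true"  # a bare boolean flag means true
        elif i + 1 < len(args):
            settings[name] = args[i + 1]  # "--flag value" form
    return settings

def audit(cmdline):
    """Return sorted finding codes (names hypothetical) for one kubelet command line."""
    s = effective_settings(cmdline)
    findings = []
    if s["authorization-mode"] == "AlwaysAllow":
        anon = (s["anonymous-auth"] or "").lower() in TRUE_VALUES
        findings.append("anonymous-full-access" if anon else "authz-always-allow")
    if s["read-only-port"] not in (None, "0"):
        findings.append("read-only-port-open")  # this port serves without authn/authz
    findings += ["unresolved:" + k for k, v in s.items() if v is None]
    return sorted(findings)

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit(line), "<-", line)
```

Settings reported as `unresolved:` have to be checked in the referenced config file, since the command line alone does not determine them.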