Commit

Merge pull request #586 from olljanat/k8s-hardening-1
fix: k8s: Disable Node authorization
FabianKramm committed Jul 6, 2022
2 parents 951db3b + 02728b2 commit 5d09f25
Showing 1 changed file with 2 additions and 6 deletions.
8 changes: 2 additions & 6 deletions charts/k8s/templates/api-deployment.yaml
Expand Up @@ -75,17 +75,13 @@ spec:
- kube-apiserver
- '--advertise-address=0.0.0.0'
- '--allow-privileged=true'
- '--authorization-mode=Node,RBAC'
- '--authorization-mode=RBAC'
- '--client-ca-file=/run/config/pki/ca.crt'
- '--enable-admission-plugins=NodeRestriction'
- '--enable-bootstrap-token-auth=true'
- '--etcd-cafile=/run/config/pki/etcd-ca.crt'
- '--etcd-certfile=/run/config/pki/apiserver-etcd-client.crt'
- '--etcd-keyfile=/run/config/pki/apiserver-etcd-client.key'
- '--etcd-servers=https://{{ .Release.Name }}-etcd:2379'
- '--kubelet-client-certificate=/run/config/pki/apiserver-kubelet-client.crt'
- '--kubelet-client-key=/run/config/pki/apiserver-kubelet-client.key'
- '--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname'
- '--proxy-client-cert-file=/run/config/pki/front-proxy-client.crt'
- '--proxy-client-key-file=/run/config/pki/front-proxy-client.key'
- '--requestheader-allowed-names=front-proxy-client'
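Review bot: the commit message covers only the `--authorization-mode=Node,RBAC` to `--authorization-mode=RBAC` change, but the header `@@ -75,17 +75,13 @@` shows a net loss of four lines from the kube-apiserver args in this hunk, and none of the other removals is documented. Please name each removed flag in the commit message with the reason it is no longer needed. The pairing to check most carefully is `--enable-admission-plugins=NodeRestriction`: that plugin constrains what kubelet identities in the `system:nodes` group may modify and is intended to run alongside the Node authorizer, so the two should be kept or dropped together, and with RBAC as the only authorizer any remaining node credentials get only what explicit RBAC bindings grant. Since the branch is named for hardening, it is also worth stating whether `--allow-privileged=true` on the unchanged line is still required.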
Expand Down Expand Up @@ -150,4 +146,4 @@ spec:
{{- end }}
resources:
{{ toYaml .Values.api.resources | indent 10 }}
{{- end }}
{{- end }}
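Review bot: the final `{{- end }}` is the only line touched in this hunk and reads the same before and after, so this looks like a whitespace or end-of-file newline change unrelated to the authorization fix. Either mention it in the commit message or move it to a separate formatting commit so the security-relevant diff stays minimal.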
