mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-03-14 22:52:29 -04:00
698ac55852
Automatic merge from submit-queue (batch tested with PRs 64174, 64187, 64216, 63265, 64223). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubeadm: Improve the kubelet default configuration security-wise **What this PR does / why we need it**: - Disables the readonly port for the kubelets in the cluster - Enables delegated SA token authentication for the secure kubelet port (GCE also did this ref: https://github.com/kubernetes/kubernetes/pull/58178) - Follows up https://github.com/kubernetes/kubernetes/pull/63912 to move the last flag from the system dropin to the ComponentConfig **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes https://github.com/kubernetes/kubeadm/issues/732 Fixes https://github.com/kubernetes/kubeadm/issues/650 Replaces https://github.com/kubernetes/kubernetes/pull/57997 **Special notes for your reviewer**: In order to make sure this actually works, or that clusters actually are secure, we're adding e2e tests for this: https://github.com/kubernetes/kubeadm/issues/838 & https://github.com/kubernetes/kubernetes/pull/64140 Depends on https://github.com/kubernetes/kubernetes/pull/63912 **Release note**: ```release-note [action required] kubeadm: kubelets in kubeadm clusters now disable the readonly port (10255). If you're relying on unauthenticated access to the readonly port, please switch to using the secure port (10250). Instead, you can now use ServiceAccount tokens when talking to the secure port, which will make it easier to get access to e.g. the `/metrics` endpoint of the kubelet securely. ``` @kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-auth-pr-reviews FYI |
||
|---|---|---|
| .. | ||
| clicheck | ||
| cloud-controller-manager | ||
| controller-manager | ||
| gendocs | ||
| genkubedocs | ||
| genman | ||
| genswaggertypedocs | ||
| genutils | ||
| genyaml | ||
| hyperkube | ||
| importverifier | ||
| kube-apiserver | ||
| kube-controller-manager | ||
| kube-proxy | ||
| kube-scheduler | ||
| kubeadm | ||
| kubectl | ||
| kubelet | ||
| kubemark | ||
| linkcheck | ||
| BUILD | ||
| OWNERS | ||