cluster: disable unauthenticated read only port on kubelets
This port was leaking kubelet state, including information on running
pods. No secrets were leaked (if they were not text-pasted into
env/args), but this still shouldn't be available.
As far as I can tell, nothing depends on this port, other than some
enterprise load balancers that require HTTP for node 'health' checks.
Change-Id: I9549b73e0168fe3ea4dce43cbe8fdc2ca4575961
diff --git a/cluster/nix/cluster-configuration.nix b/cluster/nix/cluster-configuration.nix
index fdfcbed..d8a73aa 100644
--- a/cluster/nix/cluster-configuration.nix
+++ b/cluster/nix/cluster-configuration.nix
@@ -221,7 +221,8 @@
kubeconfig = pki.kube.kubelet.config;
extraOpts = ''
--cni-conf-dir=/opt/cni/conf \
- --cni-bin-dir=/opt/cni/bin
+ --cni-bin-dir=/opt/cni/bin \
+ --read-only-port=0
'';
};
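Review bot: The new `--read-only-port=0` line lands in cluster-configuration.nix with no comment, so anyone reading the Nix file later will not see the reasoning from the commit message (the read-only port serves kubelet and pod state without authentication) or the caveat that some load balancer HTTP node health checks may depend on it; add a one-line comment above it, e.g. `# disable unauthenticated kubelet read-only port (leaks pod metadata); see commit message`, and note in the commit message which endpoint those health checks should use instead if any exist in this cluster. The trailing `\` moved onto the `--cni-bin-dir` line and omitted on the new last option looks right for the `''...''` multi-line string. After rollout, confirm on a node that the kubelet is no longer listening on the read-only port, since the flag only takes effect once the kubelet unit restarts.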