cluster: disable unauthenticated read only port on kubelets This port was leaking kubelet state, including information on running pods. No secrets were leaked (if they were not text-pasted into env/args), but this still shouldn't be available. As far as I can tell, nothing depends on this port, other than some enterprise load balancers that require HTTP for node 'health' checks. Change-Id: I9549b73e0168fe3ea4dce43cbe8fdc2ca4575961

commit: 42553cd044d8f360acc136d04ac2111b016bcafc [log] [tgz]
author: Sergiusz Bazanski <q3k@hackerspace.pl> Mon Sep 02 16:29:53 2019 +0200
committer: Sergiusz Bazanski <q3k@hackerspace.pl> Mon Sep 02 16:33:02 2019 +0200
tree: 75a070b71dc3dfaf7b3a37f50d3c508d3a71f997
parent: 896926c9214b981c74571f464bd422ca577c49d9 [diff] [blame]
diff --git a/cluster/nix/cluster-configuration.nix b/cluster/nix/cluster-configuration.nix
index fdfcbed..d8a73aa 100644
--- a/cluster/nix/cluster-configuration.nix
+++ b/cluster/nix/cluster-configuration.nix

@@ -221,7 +221,8 @@
       kubeconfig = pki.kube.kubelet.config;
       extraOpts = ''
         --cni-conf-dir=/opt/cni/conf \
-        --cni-bin-dir=/opt/cni/bin
+        --cni-bin-dir=/opt/cni/bin \
+        --read-only-port=0
       '';
     };
commit	42553cd044d8f360acc136d04ac2111b016bcafc	[log] [tgz]
author	Sergiusz Bazanski <q3k@hackerspace.pl>	Mon Sep 02 16:29:53 2019 +0200
committer	Sergiusz Bazanski <q3k@hackerspace.pl>	Mon Sep 02 16:33:02 2019 +0200
tree	75a070b71dc3dfaf7b3a37f50d3c508d3a71f997
parent	896926c9214b981c74571f464bd422ca577c49d9 [diff] [blame]