Update documentation for Cluster-API and Flux
#!/usr/bin/env bash
#
# deploy/cluster/resources/harden_k8s.sh
#
# Tightens two built-in objects of an already-running cluster, using the
# admin kubeconfig on the control-plane node:
#   1. ClusterRole system:public-info-viewer is narrowed to the health
#      endpoints only.
#   2. ServiceAccount "default" stops automounting its API token into pods.
#
# Both objects are written with `kubectl replace`, which requires the object
# to exist already; if it does not, kubectl fails and errexit stops the script.
# xtrace prints every command to stderr; the manifests travel on stdin, so
# only the kubectl command line itself appears in the trace.
set -o errexit -o nounset -o xtrace -o pipefail

readonly ADMIN_KUBECONFIG=/etc/kubernetes/admin.conf

# Replace an existing API object with the manifest supplied on stdin.
replace_from_stdin() {
  kubectl --kubeconfig="${ADMIN_KUBECONFIG}" replace -f -
}

# Remove visibility of /version.
# The rule list below keeps /healthz, /livez and /readyz and omits /version.
# The autoupdate "false" annotation keeps the API server's RBAC
# reconciliation from restoring the default rules on its next start.
# NOTE(review): stock clusters also list /version in system:discovery, so
# authenticated callers probably still reach it -- confirm whether the intent
# covers only unauthenticated callers.
replace_from_stdin <<'MANIFEST'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
MANIFEST

# Opt out of automatic mounting of SA token.
# Neither the manifest nor the command line names a namespace, so this
# touches only the "default" ServiceAccount in the namespace of the
# kubeconfig's current context. Default ServiceAccounts in other (and
# later-created) namespaces are unchanged, and a pod can still opt back in
# through its own automountServiceAccountToken field.
# NOTE(review): replace swaps the whole object, so any imagePullSecrets or
# secrets already set on this ServiceAccount would be dropped -- confirm none
# are expected at this point in the install.
replace_from_stdin <<'MANIFEST'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
automountServiceAccountToken: false
MANIFEST