Security: disable kubelet debugging handlers flag 71/3871/3
authordave kormann <davek@research.att.com>
Tue, 3 Nov 2020 18:29:11 +0000 (13:29 -0500)
committerdave kormann <davek@research.att.com>
Tue, 3 Nov 2020 18:58:41 +0000 (13:58 -0500)
Akraino security policy requires the --enable-debugging-handlers flag
to be set to false -- the default value is "true".  This change implements
that requirement.

signed-off-by: dave kormann  <davek@research.att.com>
Change-Id: Ic9bf21e9667fc925d03d546746f8cc3e1997fead

ansible/roles/kubelet/defaults/main.yaml
caas-kubernetes.spec

index 7ce5660..c9634b3 100644 (file)
@@ -18,12 +18,13 @@ kubelet_healthcheck_port: 10248
 kubelet_kubeconfig_path: "{% if nodename | search('caas_master') %}/etc/kubernetes/kubeconfig/kubeletc.yml{% else %}/root/kubeletc.yml{% endif %}"
 
 common_kubelet_params:
-  - "--hostname-override={{ networking.infra_internal.ip }}"
+  - "--hostname-override={{ hostname }}"
   - "--kubeconfig={{ kubelet_kubeconfig_path }}"
   - "--network-plugin=cni"
   - "--node-labels={{ lookup('template', 'node_labels.j2') | trim }}"
   - "--pod-infra-container-image={{ container_image_names | select('search', '/kubernetespause') | list | last }}"
   - "--register-node=true"
+  - "--enable-debugging-handlers=false"
 
 master_kubelet_params:
   - "--config=/etc/kubernetes/kubeconfig/master-config.yaml"
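Review bot: The `--hostname-override` value changes from `{{ networking.infra_internal.ip }}` to `{{ hostname }}` in `common_kubelet_params`, which the commit message does not mention and which is unrelated to the debugging-handlers policy. That value becomes the node name the kubelet registers under, so if node credentials or existing Node objects are tied to the old IP-based name (not visible in this hunk), node authorization and the templated node labels could be affected on upgrade. It would be safer to split this into its own change or explain it in the description. For the added `--enable-debugging-handlers=false` line, a comment such as `# Akraino security policy: turns off the kubelet exec/attach/logs/port-forward endpoints; kubectl exec and kubectl logs are expected to stop working on these nodes` would record the operational trade-off next to the flag.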
index d387e7e..c5da7be 100644 (file)
@@ -15,7 +15,7 @@
 %define COMPONENT kubernetes
 %define RPM_NAME caas-%{COMPONENT}
 %define RPM_MAJOR_VERSION 1.16.2
-%define RPM_MINOR_VERSION 4
+%define RPM_MINOR_VERSION 5
 %define IMAGE_TAG %{RPM_MAJOR_VERSION}-%{RPM_MINOR_VERSION}
 %define KUBERNETESPAUSE_VERSION 3.1