From cacedcd28a2267925c9aa37733569bb017774877 Mon Sep 17 00:00:00 2001
From: dave kormann
Date: Tue, 3 Nov 2020 13:29:11 -0500
Subject: [PATCH] Security: disable kubelet debugging handlers flag
Akraino security policy requires the --enable-debugging-handlers flag to be set to false -- the default value is "true". This change implements that requirement.
signed-off-by: dave kormann
Change-Id: Ic9bf21e9667fc925d03d546746f8cc3e1997fead
---
 ansible/roles/kubelet/defaults/main.yaml | 3 ++-
 caas-kubernetes.spec | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ansible/roles/kubelet/defaults/main.yaml b/ansible/roles/kubelet/defaults/main.yaml
index 7ce5660..c9634b3 100644
--- a/ansible/roles/kubelet/defaults/main.yaml
+++ b/ansible/roles/kubelet/defaults/main.yaml
@@ -18,12 +18,13 @@ kubelet_healthcheck_port: 10248
 kubelet_kubeconfig_path: "{% if nodename | search('caas_master') %}/etc/kubernetes/kubeconfig/kubeletc.yml{% else %}/root/kubeletc.yml{% endif %}"
 common_kubelet_params:
- - "--hostname-override={{ networking.infra_internal.ip }}"
+ - "--hostname-override={{ hostname }}"
 - "--kubeconfig={{ kubelet_kubeconfig_path }}"
 - "--network-plugin=cni"
 - "--node-labels={{ lookup('template', 'node_labels.j2') | trim }}"
 - "--pod-infra-container-image={{ container_image_names | select('search', '/kubernetespause') | list | last }}"
 - "--register-node=true"
+ - "--enable-debugging-handlers=false"
 master_kubelet_params:
 - "--config=/etc/kubernetes/kubeconfig/master-config.yaml"
diff --git a/caas-kubernetes.spec b/caas-kubernetes.spec
index d387e7e..c5da7be 100644
--- a/caas-kubernetes.spec
+++ b/caas-kubernetes.spec
@@ -15,7 +15,7 @@
 %define COMPONENT kubernetes
 %define RPM_NAME caas-%{COMPONENT}
 %define RPM_MAJOR_VERSION 1.16.2
-%define RPM_MINOR_VERSION 4
+%define RPM_MINOR_VERSION 5
 %define IMAGE_TAG %{RPM_MAJOR_VERSION}-%{RPM_MINOR_VERSION}
 %define KUBERNETESPAUSE_VERSION 3.1
--
2.16.6
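Review bot: The `--hostname-override` value in `common_kubelet_params` changes from `{{ networking.infra_internal.ip }}` to `{{ hostname }}`, which the commit message does not mention and which is unrelated to the debugging-handlers requirement. That flag sets the name the kubelet registers under, so on an existing cluster it would likely leave the old Node objects behind and may no longer match a kubelet credential issued as `system:node:<old name>`; where `hostname` is defined is not visible in this hunk. I would move it to its own commit, or at least describe it and the upgrade path in the message. For the new flag, add a comment such as `# Akraino security policy: disables the kubelet /exec, /attach, /portForward and /containerLogs endpoints, so kubectl exec/logs/port-forward stop working on these nodes` so operators are not surprised by the side effect.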