Add protectKernelDefaults option (default true) to kubelet config file
floryut committed Sep 3, 2020
1 parent 2faf53b commit 9674618
Showing 3 changed files with 19 additions and 0 deletions.
Expand Up @@ -31,6 +31,9 @@ healthzPort: {{ kubelet_healthz_port }}
healthzBindAddress: {{ kubelet_healthz_bind_address }}
kubeletCgroups: {{ kubelet_kubelet_cgroups }}
clusterDomain: {{ dns_domain }}
{% if kubelet_protect_kernel_defaults|bool %}
protectKernelDefaults: true
{% endif %}
{% if kubelet_rotate_certificates|bool %}
rotateCertificates: true
{% endif %}
13 changes: 13 additions & 0 deletions roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
Expand Up @@ -61,3 +61,16 @@
value: 1
state: present
reload: yes

- name: Ensure kube-bench parameters are set
sysctl:
sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
reload: yes
with_items:
- { name: vm.overcommit_memory, value: 1 }
- { name: kernel.panic, value: 10 }
- { name: kernel.panic_on_oops, value: 1 }
when: kubelet_protect_kernel_defaults|bool
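Review bot: The new task writes vm.overcommit_memory and the kernel.panic tunables into `sysctl_file: /etc/sysctl.d/bridge-nf-call.conf`, a file whose name promises bridge-netfilter settings only; anyone auditing a node's sysctl drop-ins for panic/reboot behaviour will not look there, so give this task its own drop-in file named after what it configures. The three entries at `with_items` also appear to be a subset of what kubelet verifies under protectKernelDefaults — as far as I recall the check covers vm.panic_on_oom as well, and on newer releases kernel.keys.root_maxkeys/root_maxbytes — so a node whose defaults differ for one of those would still refuse to start kubelet even though this task ran; please confirm the full list against the kubelet version kubespray targets and add any missing entries. Since the default is true (third file), that failure mode would apply cluster-wide on the next run. Minor: `reload: yes` on the new line copies the neighbouring task's style, but `reload: true` is the canonical boolean and avoids the YAML 1.1/1.2 truthy ambiguity.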
3 changes: 3 additions & 0 deletions roles/kubespray-defaults/defaults/main.yaml
Expand Up @@ -395,6 +395,9 @@ kubelet_authorization_mode_webhook: true
# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
kubelet_rotate_certificates: true

# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults
kubelet_protect_kernel_defaults: true

## List of key=value pairs that describe feature gates for
## the k8s cluster.
kube_feature_gates: []
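Review bot: The comment above `kubelet_protect_kernel_defaults: true` says what kubelet does but not what enabling the option does to the host, which is the part an operator needs before accepting a default of true: the preinstall role then sets vm.overcommit_memory=1, kernel.panic=10 and kernel.panic_on_oops=1, so an oops becomes a panic and the node reboots ten seconds later instead of staying up for debugging, and kubelet will not start on any node whose tunables were not brought in line. I would extend it to `# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults.` followed by `# The preinstall role then sets vm.overcommit_memory=1, kernel.panic=10 and kernel.panic_on_oops=1 (node reboots 10s after a kernel oops/panic).`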
