diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
index f2341e3b78b..3c4a43ea0ec 100644
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -31,6 +31,9 @@ healthzPort: {{ kubelet_healthz_port }}
 healthzBindAddress: {{ kubelet_healthz_bind_address }}
 kubeletCgroups: {{ kubelet_kubelet_cgroups }}
 clusterDomain: {{ dns_domain }}
+{% if kubelet_protect_kernel_defaults|bool %}
+protectKernelDefaults: true
+{% endif %}
 {% if kubelet_rotate_certificates|bool %}
 rotateCertificates: true
 {% endif %}
diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
index 03716c38aa0..35cc0b0d5dc 100644
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -61,3 +61,16 @@
     value: 1
     state: present
     reload: yes
+
+- name: Ensure kube-bench parameters are set
+  sysctl:
+    sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: yes
+  with_items:
+    - { name: vm.overcommit_memory, value: 1 }
+    - { name: kernel.panic, value: 10 }
+    - { name: kernel.panic_on_oops, value: 1 }
+  when: kubelet_protect_kernel_defaults|bool
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index dcbec258619..5e1be5ea51b 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
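Review bot: The three sysctls in the new "Ensure kube-bench parameters are set" task are only a subset of what kubelet verifies once `protectKernelDefaults: true` is rendered by the template hunk above; kubelet's kernel-tunable check also expects `vm.panic_on_oom` to be 0 and, in newer releases, `kernel.keys.root_maxkeys` / `kernel.keys.root_maxbytes` at its own expected values, so a host whose defaults differ there will still have kubelet refuse to start after this task has run. Adding at least `- { name: vm.panic_on_oops, value: 1 }`-style entries for the missing tunables, i.e. `- { name: vm.panic_on_oom, value: 0 }`, and a comment naming the kubelet check the list mirrors (`# Tunables kubelet enforces when protectKernelDefaults is set; keep in sync with kubelet's kernel-tunable check`) would make the coupling explicit. The values are also written into `/etc/sysctl.d/bridge-nf-call.conf`, whose name no longer describes its contents; a dedicated file such as `/etc/sysctl.d/<kube-bench-specific-name>.conf` (placeholder) would make it easier to audit which settings came from which task. The three context lines at the top belong to an earlier task whose start is outside the hunk.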
@@ -395,6 +395,9 @@ kubelet_authorization_mode_webhook: true # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration kubelet_rotate_certificates: true +# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults +kubelet_protect_kernel_defaults: true + ## List of key=value pairs that describe feature gates for ## the k8s cluster. kube_feature_gates: []
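Review bot: The new default `kubelet_protect_kernel_defaults: true` switches every existing inventory to the strict kubelet behaviour on its next run, but the comment above it does not say what that entails or where the matching sysctls are applied, so an operator who manages sysctls elsewhere cannot tell from this file why kubelet stopped starting. I would expand the comment to something like `# When true, kubelet refuses to start if any kernel tunable differs from its expected defaults; the preinstall role sets the required sysctls (roles/kubernetes/preinstall/tasks/0080-system-configurations.yml), so disable this if you manage those sysctls yourself`. The existing wording "if any of kernel tunables is different than kubelet defaults" should also read "if any kernel tunable differs from kubelet's defaults". The surrounding defaults file continues outside the hunk.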