k8s_fedora: Add kubelet authentication/authorization

Spyridon Trigazis requested to merge OS-6336-protect-kubelet into cern-queens

Cherry-picked from: https://review.openstack.org/#/c/556214/2 OS-6336

  • disable kubelet anonymous-auth
  • enable kubelet webhook-(token) authorization
  • disable kubelet cadvisor and read-only ports
  • listen kubelet only on internal ipv4 ip
  • update kubelet certs
  • Update heapster RBAC to access kubelets
  • update api config to access kubelet over https

Closes-Bug: #1758672
Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba
(cherry-picked from f570abf0c97da521c34719a6369fa5fcad97aa7f)
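
An added example, not part of this merge request or the project's code: a small audit that checks a kubelet command line against the settings listed above. The flag names are kubelet's own; the defaults table assumes a flag-era kubelet, and the two sample command lines are constructed.

```python
import shlex

# Value kubelet uses when a flag is absent. These defaults are an assumption
# of this example (kubelet of the flag-configured era).
DEFAULTS = {
    "anonymous-auth": "true",
    "authorization-mode": "AlwaysAllow",
    "authentication-token-webhook": "false",
    "read-only-port": "10255",
    "cadvisor-port": "4194",
    "address": "0.0.0.0",
}
BOOL_FLAGS = {"anonymous-auth", "authentication-token-webhook"}
CHECKS = {  # flag -> (predicate on effective value, finding text)
    "anonymous-auth": (lambda v: v == "false", "anonymous requests are accepted"),
    "authorization-mode": (lambda v: v == "Webhook", "requests are not authorized via the API server"),
    "authentication-token-webhook": (lambda v: v == "true", "bearer tokens are not verified"),
    "read-only-port": (lambda v: v == "0", "read-only port is open"),
    "cadvisor-port": (lambda v: v == "0", "cAdvisor port is open"),
    "address": (lambda v: v not in ("0.0.0.0", "::"), "kubelet listens on all interfaces"),
}

def parse_flags(cmdline):
    flags, tokens, i = {}, shlex.split(cmdline), 0
    while i < len(tokens):
        name, sep, value = tokens[i][2:].partition("=")
        if tokens[i].startswith("--"):
            if name in BOOL_FLAGS:
                # Boolean flags take a value only as --flag=value; a bare flag
                # means true and a following "false" token is NOT its value.
                value = "false" if sep and value.lower() in ("false", "f", "0") else "true"
            elif not sep and i + 1 < len(tokens):
                i += 1
                value = tokens[i]  # "--flag value" form for non-boolean flags
            flags[name] = value
        i += 1
    return flags

def audit(cmdline):
    """Return {flag: finding} for every setting that falls short of the list."""
    effective = {**DEFAULTS, **parse_flags(cmdline)}
    return {f: f"{f}={effective[f]}: {msg}"
            for f, (ok, msg) in CHECKS.items() if not ok(effective[f])}

# Constructed sample command lines (not taken from the merge request).
WEAK = "kubelet --kubeconfig=/etc/kubernetes/kubeconfig --anonymous-auth false --address=0.0.0.0"
HARDENED = ("kubelet --anonymous-auth=false --authorization-mode=Webhook "
            "--authentication-token-webhook=true --read-only-port=0 "
            "--cadvisor-port=0 --address 10.0.0.5")
```

`audit(WEAK)` reports all six settings, including `anonymous-auth`, because the space-separated `--anonymous-auth false` does not turn the flag off; `audit(HARDENED)` returns an empty dict.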
