From 11844c987cdba48e286f004028a97c7db50172cc Mon Sep 17 00:00:00 2001
From: Jonas Kongslund <jonas@kongslund.net>
Date: Tue, 16 Jan 2018 11:11:41 +0400
Subject: [PATCH] Make the Kubelet read-only port configurable and disable it
 by default. Fixes #2159.

---
 inventory/group_vars/all.yml                            | 3 +++
 roles/kubernetes/node/defaults/main.yml                 | 3 +++
 roles/kubernetes/node/templates/kubelet.kubeadm.env.j2  | 1 +
 roles/kubernetes/node/templates/kubelet.standard.env.j2 | 1 +
 4 files changed, 8 insertions(+)

diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 6d644ceef..996572fae 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -122,3 +122,6 @@ bin_dir: /usr/local/bin
 
 ## Set level of detail for etcd exported metrics, specify 'extensive' to include histogram metrics.
 #etcd_metrics: basic
+
+# The read-only port for the Kubelet to serve on with no authentication/authorization. Uncomment to enable.
+# kube_read_only_port: 10255
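Review bot: The new inventory comment says what uncommenting does but not what happens when the line stays commented; the value that then applies is the role default `kube_read_only_port: 0` from the second hunk (roles/kubernetes/node/defaults/main.yml), and neither comment states that 0 means the port is disabled, which is the behaviour the commit subject promises. Suggest `# The read-only port for the Kubelet to serve on with no authentication/authorization (0 = disabled, the role default). Uncomment to enable.` here, and extending the defaults comment in the second hunk with `0 disables it.` so both places document the off state explicitly.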
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 24775a541..c229912b5 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -86,3 +86,6 @@ kube_override_hostname: >-
 
 # cAdvisor port
 kube_cadvisor_port: 0
+
+# The read-only port for the Kubelet to serve on with no authentication/authorization.
+kube_read_only_port: 0
diff --git a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
index 7e0825b9e..f82f7e440 100644
--- a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
@@ -31,6 +31,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --cgroup-driver={{ kubelet_cgroup_driver|default(kubelet_cgroup_driver_detected) }} \
 --docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
 --anonymous-auth=false \
+--read-only-port={{ kube_read_only_port }} \
 {% if kube_version | version_compare('v1.8', '<') %}
 --experimental-fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
 {% else %}
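Review bot: The added `--read-only-port={{ kube_read_only_port }}` line sits directly under `--anonymous-auth=false`, which can lead a reader to assume that flag also protects the read-only port; the defaults comment in this commit states the read-only port serves with no authentication/authorization, so a non-zero value opens an unauthenticated listener regardless of that flag. A template comment above the new line would make the relationship explicit, e.g. `{# read-only port is unauthenticated regardless of --anonymous-auth; 0 (the default) keeps it closed #}`. The identical line in kubelet.standard.env.j2 (fourth hunk) would benefit from the same comment. The quoted argument string these continuation lines belong to starts and ends outside the hunk.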
diff --git a/roles/kubernetes/node/templates/kubelet.standard.env.j2 b/roles/kubernetes/node/templates/kubelet.standard.env.j2
index da4480f70..1929d4508 100644
--- a/roles/kubernetes/node/templates/kubelet.standard.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.standard.env.j2
@@ -20,6 +20,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
 --tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
 --anonymous-auth=false \
+--read-only-port={{ kube_read_only_port }} \
 {% if kube_version | version_compare('v1.6', '>=') %}
 {# flag got removed with 1.7.0 #}
 {% if kube_version | version_compare('v1.7', '<') %}
-- 
GitLab