From 1b870a186238816822cd98ecd48e1f89320160e2 Mon Sep 17 00:00:00 2001
From: Barry M <9964974+bmelbourne@users.noreply.github.com>
Date: Thu, 11 Apr 2024 08:58:27 +0100
Subject: [PATCH] Update kubelet systemd service default allowed IP addresses
 for cluster hardening (#11061)

Signed-off-by: bmelbourne <barry.melbourne0@gmail.com>
---
 docs/hardening.md                       | 2 +-
 roles/kubernetes/node/defaults/main.yml | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/docs/hardening.md b/docs/hardening.md
index 77d70f9b6..2cf54850b 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -107,7 +107,7 @@ kubelet_systemd_hardening: true
 # IP addresses, kubelet_secure_addresses allows you
 # to specify the IP from which the kubelet
 # will receive the packets.
-kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112"
+kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} 192.168.10.110 192.168.10.111 192.168.10.112"
 
 # additional configurations
 kube_owner: root
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 7366b263f..69cfa4540 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -24,10 +24,11 @@ kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
 kubelet_systemd_hardening: false
 
 # List of secure IPs for kubelet
-kubelet_secure_addresses: >-
-  {%- for host in groups['kube_control_plane'] -%}
+kube_node_addresses: >-
+  {%- for host in (groups['kube_control_plane'] + groups['kube_node'] + groups['etcd']) | unique -%}
     {{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ ' ' if not loop.last else '' }}
   {%- endfor -%}
+kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} {{ kube_node_addresses }}"
 
 # Reserve this space for kube resources
 # Set to true to reserve resources for kube daemons
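Review bot: The new default `kubelet_secure_addresses` admits the whole `kube_pods_subnet`, so any pod in the cluster can now reach the kubelet service, where the old default admitted only control-plane addresses; that widening is not explained anywhere in the hunk, and the surviving comment `# List of secure IPs for kubelet` now sits above `kube_node_addresses` rather than the variable it describes. I would move that comment to the `kubelet_secure_addresses` line and add above it `# localhost / link-local are systemd IPAddressAllow keywords; the pod subnet is admitted so in-cluster workloads can reach the kubelet API — override in inventory if pods must not reach it`, with `# Node addresses (control plane, workers, etcd) used by kubelet_secure_addresses` above `kube_node_addresses`. The `kube_node_addresses` loop also indexes `groups['etcd']` and `groups['kube_node']` unconditionally; on an inventory that omits one of those groups the template presumably fails with an undefined-variable error rather than falling back to the control-plane hosts, so `groups['etcd'] | default([])` (and likewise for `kube_node`) would keep the default usable there. Whether such inventories are supported is not visible from this hunk.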
-- 
GitLab