From 3b9d13fda97fcc07b8e31cf1babe3f73f5af8470 Mon Sep 17 00:00:00 2001
From: Sergey <luckysb75@gmail.com>
Date: Wed, 10 Apr 2019 22:20:08 +0300
Subject: [PATCH] Return back bind API server node loadbalancer to 127.0.0.1
 for security purposes. (#4489)

---
 roles/kubernetes/node/templates/haproxy.cfg.j2 | 2 +-
 roles/kubernetes/node/templates/nginx.conf.j2  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/kubernetes/node/templates/haproxy.cfg.j2 b/roles/kubernetes/node/templates/haproxy.cfg.j2
index 76466b008..6c467bda2 100644
--- a/roles/kubernetes/node/templates/haproxy.cfg.j2
+++ b/roles/kubernetes/node/templates/haproxy.cfg.j2
@@ -27,7 +27,7 @@ frontend healthz
 {% endif %}
 
 frontend kube_api_frontend
-  bind *:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}
+  bind 127.0.0.1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}
   mode tcp
   option tcplog
   default_backend kube_api_backend
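Review bot: The new `bind 127.0.0.1:` line carries no comment saying why the address is pinned to loopback, and the commit title suggests this binding has already been widened once and is now being restored. A comment directly above the bind would make the intent visible to the next editor of the template, for example `# Loopback only: this proxy serves clients on the node itself; binding to * opens the API server proxy port on every interface.` The same comment belongs above the `listen 127.0.0.1:` line in nginx.conf.j2. The `frontend healthz` section ends just above this hunk and its bind line is not visible here, so it is worth confirming separately that it listens only where intended. The `kube_api_frontend` section may continue past the end of the hunk.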
diff --git a/roles/kubernetes/node/templates/nginx.conf.j2 b/roles/kubernetes/node/templates/nginx.conf.j2
index 0c869d94a..bdd830d7d 100644
--- a/roles/kubernetes/node/templates/nginx.conf.j2
+++ b/roles/kubernetes/node/templates/nginx.conf.j2
@@ -19,7 +19,7 @@ stream {
   }
 
   server {
-    listen        {{ loadbalancer_apiserver_port|default(kube_apiserver_port) }};
+    listen        127.0.0.1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }};
     proxy_pass    kube_apiserver;
     proxy_timeout 10m;
     proxy_connect_timeout 1s;
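Review bot: The `listen 127.0.0.1:` literal is IPv4-only, so a node-local client that reaches the proxy through the name `localhost` and resolves it to `::1` first will be refused unless it falls back to IPv4. The client endpoint configuration is not part of this diff, so this needs checking against whatever URL the kubelet and other node components are given; pinning that URL to `127.0.0.1` keeps both sides consistent. If the name must stay, a second `listen [::1]:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }};` covers IPv6 loopback on hosts where it is enabled, and the haproxy `bind 127.0.0.1:` line has the same limitation. The `server` block closes outside the hunk.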
-- 
GitLab