From 6db6c8678c31621934c2253faa331174bf9fa49a Mon Sep 17 00:00:00 2001
From: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
Date: Wed, 31 Aug 2022 14:53:00 +0300
Subject: [PATCH] disable kubelet_authorization_mode_webhook by default (#9238)

---
 docs/hardening.md                           | 1 -
 roles/kubespray-defaults/defaults/main.yaml | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/hardening.md b/docs/hardening.md
index 7a5cddb85..b91d9e66c 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -74,7 +74,6 @@ kube_kubeadm_scheduler_extra_args:
 etcd_deployment_type: kubeadm
 
 ## kubelet
-kubelet_authorization_mode_webhook: true
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 364b82129..82053c71f 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -474,7 +474,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true
 
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: true
+kubelet_authorization_mode_webhook: false
 
 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
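Review bot: With the default flipped to `false` on the `kubelet_authorization_mode_webhook` line, the comment above it still describes only the enabled case, so an operator reading this file cannot tell what protection is lost. If the kubelet config template falls back to `AlwaysAllow` when this is false (the template is not visible in this patch, so worth confirming), any request that authenticates to the kubelet API is accepted without an authorization check by the API server. I would extend the comment, e.g. `# When disabled, the kubelet does not delegate authorization to the API server; set to true for hardened clusters`. The docs/hardening.md hunk in this same patch also drops the explicit `kubelet_authorization_mode_webhook: true`, so a cluster built from that hardening example now inherits this `false` default; keeping that line in the example would preserve the hardened setting.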
-- 
GitLab