From 3c8dbb0984dc947c49e231b528c7038b5c5fc44f Mon Sep 17 00:00:00 2001
From: ilia1243 <8808144+ilia1243@users.noreply.github.com>
Date: Wed, 17 Jan 2024 13:35:26 +0300
Subject: [PATCH] Clarify Hardening documentation

---
 documentation/internal/Hardening.md | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/documentation/internal/Hardening.md b/documentation/internal/Hardening.md
index 45330c313..696ceea54 100644
--- a/documentation/internal/Hardening.md
+++ b/documentation/internal/Hardening.md
@@ -42,6 +42,11 @@ Useful links:
 
 The `--anonymous-auth` option manages anonymous requests to the `kube-apiserver`. By default, it enables anonymous requests.
 
+**Note:** If you disable anonymous authentication for `kube-apiserver`,
+some Kubemarine maintenance procedures will not work automatically,
+and will require manual actions before and after the maintenance.
+For more information, refer to [Limitations](#limitations).
+
 ### Prerequisites
 
 - A working Kubernetes cluster.
@@ -53,11 +58,7 @@ kind: ClusterRole
 metadata:
   name: healthz
 rules:
-- nonResourceURLs: ["/readyz"]
-  verbs: ["get"]
-- nonResourceURLs: ["/livez"]
-  verbs: ["get"]
-- nonResourceURLs: ["/healthz"]
+- nonResourceURLs: ["/readyz", "/livez", "/healthz"]
   verbs: ["get"]
 ---
 apiVersion: v1
@@ -82,13 +83,16 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: view
+  name: healthz
 subjects:
 - kind: ServiceAccount
   name: healthz
   namespace: kube-system
 ```
 
+**Note:** ClusterRole and ClusterRoleBinding are not required
+if you have `system:discovery` or `system:public-info-viewer` ClusterRoleBindings installed on the cluster (default).
+
 ### Disabling Procedure
 
 1. Add `anonymous-auth: "false"` into the `kubeadm-config` configmap. For example:
@@ -164,9 +168,10 @@ kubectl -n kube-system get secret token-healthz -o jsonpath='{.data.token}' | ba
 
 ### Limitations
 
-If the `--anonymous-auth` is set to "false", the upgrade and node addition procedures need some changes in the workflow. The upgrade procedure needs enabling `anonymous-auth` before the `kubeadm upgrade` run.
+If the `--anonymous-auth` is set to "false", the upgrade and node addition procedures need some changes in the workflow.
+Both procedures needs enabling `anonymous-auth` on all existing nodes before the `kubeadm` run.
 
-The node addition procedure is affected if the control plane node is being added. After the new control plane node is successfully added, the [Disabling Procedure](#disabling-procedure) should be performed on that node.
+After the procedure is performed, the [Disabling Procedure](#disabling-procedure) should be performed on all control plane nodes.
 
 Besides, disabled anonymous requests to `kube-apiserver` need changes in the monitoring system, if the resources like `healthz`, `readyz`, and `livez` are used in the system.
 