From efa07b8a7a8bdf890e7b63c2bdaaca79b46ad9c5 Mon Sep 17 00:00:00 2001
From: Yoan Moscatelli
Date: Fri, 16 Aug 2024 14:09:08 +0000
Subject: [PATCH] k8s control plane hardening

---
 salt/metalk8s/kubernetes/apiserver/installed.sls | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/salt/metalk8s/kubernetes/apiserver/installed.sls b/salt/metalk8s/kubernetes/apiserver/installed.sls
index b907e1f99f..9053a5f4c8 100644
--- a/salt/metalk8s/kubernetes/apiserver/installed.sls
+++ b/salt/metalk8s/kubernetes/apiserver/installed.sls
@@ -85,17 +85,21 @@ Create kube-apiserver Pod manifest:
 - kube-apiserver
 - --advertise-address={{ host }}
 - --allow-privileged=true
+ - --anonymous-auth=false
 - --authorization-mode=Node,RBAC
 - --client-ca-file=/etc/kubernetes/pki/ca.crt
- - --enable-admission-plugins=NodeRestriction
+ - --disable-admission-plugins=DenyServiceExternalIPs
+ - --enable-admission-plugins=NodeRestriction,AlwaysPullImages
 - --enable-bootstrap-token-auth=true
 - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
 - --etcd-certfile={{ certificates.client.files['apiserver-etcd'].path }}
 - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
 - --etcd-servers={{ etcd_servers | join(",") }}
+ - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
 - --kubelet-client-certificate={{ certificates.client.files['apiserver-kubelet'].path }}
 - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --profiling=false
 - --proxy-client-cert-file={{ certificates.client.files['front-proxy'].path }}
 - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
 - --requestheader-allowed-names=front-proxy-client
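Review bot: `--disable-admission-plugins=DenyServiceExternalIPs` is the one line in this hunk that loosens rather than tightens the control plane and it carries no explanation; the plugin is not in upstream's default-enabled set, so the line presumably documents that Service externalIPs are intentionally permitted (the MetalK8s ingress Services appear to rely on them), which deserves a `# Service externalIPs are intentionally allowed (used by the ingress Services); DenyServiceExternalIPs must stay off` comment above it. `--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt` makes the apiserver verify kubelet serving certificates, so exec/logs/port-forward will fail with TLS errors unless every kubelet's serving certificate is signed by that CA and has a SAN matching the address chosen by `--kubelet-preferred-address-types`; the kubelet side is not in this patch, so that should be confirmed before merging. `--anonymous-auth=false` also turns unauthenticated `/livez`, `/readyz` and `/healthz` requests into 401s, so any credential-less httpGet probe in this manifest (outside the hunk) or external load-balancer health check will start failing. `AlwaysPullImages` makes every pod start depend on the registry being reachable, which on a bare-metal cluster served by a local registry affects pod restarts while that registry is down.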