diff --git a/files/bootstrap.sh b/files/bootstrap.sh
index ee8c8a211..7c9998b3f 100755
--- a/files/bootstrap.sh
+++ b/files/bootstrap.sh
@@ -331,3 +331,13 @@ fi
 systemctl daemon-reload
 systemctl enable kubelet
 systemctl start kubelet
+
+# Wait for the TLS certificate and private key to be present and add these to the config file so they are picked up the next time the kubelet starts.
+# These cannot be added upfront because they are not present when the kubelet first starts, and adding them would cause the kubelet to crash.
+TLS_CERT_FILE="/var/lib/kubelet/pki/kubelet-server-current.pem"
+while [[ ! -f $TLS_CERT_FILE ]]
+do
+  sleep 1
+done
+echo "$(jq ".tlsCertFile=\"$TLS_CERT_FILE\"" $KUBELET_CONFIG)" > $KUBELET_CONFIG
+echo "$(jq ".tlsPrivateKeyFile=\"$TLS_CERT_FILE\"" $KUBELET_CONFIG)" > $KUBELET_CONFIG
diff --git a/files/kubelet-config.json b/files/kubelet-config.json
index 3a41c2a95..f03c60bde 100644
--- a/files/kubelet-config.json
+++ b/files/kubelet-config.json
@@ -25,9 +25,12 @@
   "hairpinMode": "hairpin-veth",
   "cgroupDriver": "cgroupfs",
   "cgroupRoot": "/",
+  "eventRecordQPS": 0,
   "featureGates": {
     "RotateKubeletServerCertificate": true
   },
+  "protectKernelDefaults": true,
+  "readOnlyPort": 0,
   "serializeImagePulls": false,
   "serverTLSBootstrap": true
 }
diff --git a/install-worker.sh b/install-worker.sh
index 25acb7330..c370462ad 100644
--- a/install-worker.sh
+++ b/install-worker.sh
@@ -227,6 +227,16 @@ EOF
 sudo mv /tmp/release /etc/eks/release
 sudo chown root:root /etc/eks/*
+################################################################################
+### Stuff required by "protectKernelDefaults=true" #############################
+################################################################################
+
+cat <
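Review bot: The two `echo "$(jq …)" > $KUBELET_CONFIG` lines at the end of the bootstrap.sh hunk truncate the kubelet config to an empty file whenever jq fails (binary missing, unparsable JSON, bad filter), because the exit status of a command substitution used as an argument is discarded while the `>` redirection has already opened the target for writing, and the next kubelet start then fails on an empty config. The `while [[ ! -f $TLS_CERT_FILE ]]` loop also has no upper bound, so bootstrap blocks forever when the serving CSR that `serverTLSBootstrap` requests is never approved, since that file only appears after approval. I would bound the wait, pass the path with `jq --arg` instead of interpolating it into the filter, write to a temp file and only move it into place on success, and quote both variables; the two jq calls collapse into one. Whether `KUBELET_CONFIG` is guaranteed non-empty at this point is not visible in the hunk and should be confirmed before the `mktemp` template below relies on it.
```shell
TLS_CERT_FILE="/var/lib/kubelet/pki/kubelet-server-current.pem"
# Bound the wait: the serving cert only appears once the CSR has been approved.
for ((i = 0; i < 300; i++)); do
  [[ -f "$TLS_CERT_FILE" ]] && break
  sleep 1
done
[[ -f "$TLS_CERT_FILE" ]] || { echo "timed out waiting for $TLS_CERT_FILE" >&2; exit 1; }
# Write to a temp file and move it into place so a failed jq cannot truncate the config.
tmp=$(mktemp "${KUBELET_CONFIG:?}.XXXXXX")
if jq --arg f "$TLS_CERT_FILE" '.tlsCertFile = $f | .tlsPrivateKeyFile = $f' "$KUBELET_CONFIG" > "$tmp"; then
  mv -- "$tmp" "$KUBELET_CONFIG"
else
  rm -f -- "$tmp"
  exit 1
fi
```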
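Review bot: `"eventRecordQPS": 0` in the kubelet-config.json hunk removes the kubelet's event rate limit rather than tightening it, because in KubeletConfiguration a value of 0 means no per-second limit (the default is 5), so a noisy or compromised workload can flood the API server with events from this node. If the intent is the CIS kubelet benchmark check on `--event-qps`, that check accepts either 0 or a positive level that captures the events you need, and a positive value with a matching `eventBurst` is the safer way to satisfy it. `"readOnlyPort": 0` and `"protectKernelDefaults": true` are the right direction; note that with `protectKernelDefaults` the kubelet refuses to start unless the kernel settings are already in place, which presumably is what the new install-worker.sh section (cut off in this view) provides, so that ordering relative to the first `systemctl start kubelet` is worth confirming.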