From 99d6e772e1f6d436f7785feccd7cb20b7e1f6a28 Mon Sep 17 00:00:00 2001
From: Peter Svensson
Date: Thu, 15 Aug 2024 19:04:00 +0200
Subject: [PATCH] feat: disable kubelet anonymous auth Kubelet anonymousAuth is currently turned on. This allows RBAC escalation and remote code execution possibilities. It is highly recommended you turn it off by setting '\''spec.kubelet.anonymousAuth'\'' to '\''false'\'' via '\''kops edit cluster'\'' See https://kops.sigs.k8s.io/security/#kubelet-api
---
 k8s.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/k8s.tf b/k8s.tf
index c60bb92..90df412 100644
--- a/k8s.tf
+++ b/k8s.tf
@@ -201,6 +201,9 @@ resource "kops_cluster" "k8s" {
 }
 kubelet {
+ anonymous_auth {
+ value = false
+ }
 }
 metrics_server {
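Review bot: The `kubelet` block ends up with only `anonymous_auth` set, so unauthenticated access is closed but kubelet authorization and bearer-token authentication stay at whatever kops defaults to for this cluster's version. If that default is not webhook mode, the kubelet treats every authenticated client as fully authorized, and service-account callers such as the `metrics_server` add-on configured just below may start receiving 401s. Consider also setting the kops kubelet fields `authenticationTokenWebhook: true` and `authorizationMode: Webhook` in this block; the provider's attribute names for them should be checked against its schema. A comment such as `# existing clusters: roll control-plane nodes before worker instance groups` would help, since I believe the kops security page linked in the commit message requires that ordering when the setting was previously unset. The `kops_cluster` resource starts and ends outside the hunk, so other kubelet-related settings elsewhere in it are not visible here.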