Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the basic-auth-file entry.
kubernetesMasterConfig:
  apiServerArguments:
    basic-auth-file:
    - /path/to/any/file
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and change it to match the below.
kubeletClientInfo:
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the insecure-bind-address entry.
kubernetesMasterConfig:
  apiServerArguments:
    insecure-bind-address:
    - 127.0.0.1
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the insecure-port entry.
kubernetesMasterConfig:
  apiServerArguments:
    insecure-port:
    - 0
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and either remove the secure-port parameter or set it to a different (non-zero) desired port.
kubernetesMasterConfig:
  apiServerArguments:
    secure-port:
    - 8443
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the repair-malformed-updates entry or set repair-malformed-updates=true.
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the entry below.
AlwaysAdmit:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: false
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and add the entry below.
admissionConfig:
  pluginConfig:
    AlwaysPullImages:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the following entry.
NamespaceLifecycle:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: true
Edit the OpenShift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server.
auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10
Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.
Edit the OpenShift master config file /etc/origin/master/master-config.yaml, update the maximumFileRetentionDays entry and restart the API server.
auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10
Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.
Edit the OpenShift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry, set enabled to true and restart the API server.
auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10
Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.
Edit the OpenShift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry, set enabled to true and restart the API server.
auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10
Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode entry.
kubernetesMasterConfig:
  apiServerArguments:
    authorization-mode:
    - AllowAll
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file entry under the apiServerArguments section.
kubernetesMasterConfig:
  apiServerArguments:
    token-auth-file:
    - /path/to/file
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and remove the following configuration under the apiServerArguments section.
kubernetesMasterConfig:
  apiServerArguments:
    kubelet-certificate-authority:
    - /path/to/ca
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and add the following configuration under kubeletClientInfo.
kubeletClientInfo:
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
The OpenShift API server does not use the service-account-key-file argument. Even if a value is set in master-config.yaml, it will not be used to verify service account tokens as it is in upstream Kubernetes. The ServiceAccount token authenticator is instead configured with serviceAccountConfig.publicKeyFiles in master-config.yaml, and OpenShift does not reuse the API server TLS key for this purpose.
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set the privateKeyFile and publicKeyFiles configuration under serviceAccountConfig.
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
Verify that the files named by privateKeyFile and publicKeyFiles exist and that both settings are present.
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under etcdClientInfo as below.
etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and enable the ServiceAccount admission control plugin.
ServiceAccount:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: false
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo.
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.
etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and enable the NodeRestriction admission control plugin.
NodeRestriction:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: false
Follow the instructions in the documentation to configure encryption. https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in the encryption provider config. See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
Follow the documentation to enable the EventRateLimit plugin. https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing.
kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - AdvancedAuditing=true
[Manual test] Change the request-timeout value in /etc/origin/master/master-config.yaml to a value appropriate for your environment.
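Every item above is a check against the same file, so a single audit pass over a parsed master-config.yaml covers them all. The script below is an added example, not code from the original guidance, from OpenShift or from kube-bench. It assumes the file has already been loaded into a dict (for instance with PyYAML's yaml.safe_load); the two sample configs, the port 8080 and the finding strings are constructed here for illustration and do not come from a real cluster.

```python
import copy

# Added example: audit a parsed /etc/origin/master/master-config.yaml (a dict,
# e.g. from yaml.safe_load) against the hardening items listed in this guidance.
# Not OpenShift or kube-bench code; sample configs below are constructed.


def _get(cfg, *path, default=None):
    """Walk a nested dict by key path; return default if any key is missing."""
    cur = cfg
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _plugin_enabled(plugins, name):
    """None if the admission plugin has no entry, else whether it is enabled."""
    if name not in plugins:
        return None
    return not bool(_get(plugins, name, "configuration", "disable", default=False))


def audit_master_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    args = _get(cfg, "kubernetesMasterConfig", "apiServerArguments", default={}) or {}

    # API server arguments the guidance says to remove outright or constrain.
    for flag in ("basic-auth-file", "token-auth-file",
                 "insecure-bind-address", "insecure-port"):
        if flag in args:
            findings.append(f"apiServerArguments: remove {flag}")
    if "AllowAll" in args.get("authorization-mode", []):
        findings.append("apiServerArguments: authorization-mode must not be AllowAll")
    if "0" in [str(v) for v in args.get("secure-port", [])]:
        findings.append("apiServerArguments: secure-port must not be 0")
    if "false" in [str(v).lower() for v in args.get("repair-malformed-updates", [])]:
        findings.append("apiServerArguments: repair-malformed-updates must be true or absent")
    if "AdvancedAuditing=true" not in args.get("feature-gates", []):
        findings.append("apiServerArguments: feature-gates must include AdvancedAuditing=true")

    # Admission plugins: AlwaysAdmit must not be enabled; NamespaceLifecycle and
    # ServiceAccount are on by default so only an explicit disable is a finding;
    # AlwaysPullImages and NodeRestriction need an explicit enabled entry.
    plugins = _get(cfg, "admissionConfig", "pluginConfig", default={}) or {}
    if _plugin_enabled(plugins, "AlwaysAdmit") is True:
        findings.append("admissionConfig: remove AlwaysAdmit (it is enabled)")
    for name in ("NamespaceLifecycle", "ServiceAccount"):
        if _plugin_enabled(plugins, name) is False:
            findings.append(f"admissionConfig: {name} must not be disabled")
    for name in ("AlwaysPullImages", "NodeRestriction"):
        if _plugin_enabled(plugins, name) is not True:
            findings.append(f"admissionConfig: {name} must be present and enabled")

    # Audit logging must be on, with a file path and positive retention limits.
    audit = _get(cfg, "auditConfig", default={}) or {}
    if audit.get("enabled") is not True:
        findings.append("auditConfig: enabled must be true")
    if not audit.get("auditFilePath"):
        findings.append("auditConfig: auditFilePath must be set")
    for key in ("maximumFileRetentionDays", "maximumRetainedFiles",
                "maximumFileSizeMegabytes"):
        if not isinstance(audit.get(key), int) or audit[key] <= 0:
            findings.append(f"auditConfig: {key} must be a positive integer")

    # TLS material for kubelet, etcd and serving endpoints, plus SA signing keys.
    for section, keys in (("kubeletClientInfo", ("ca", "certFile", "keyFile")),
                          ("etcdClientInfo", ("ca", "certFile", "keyFile")),
                          ("servingInfo", ("certFile", "keyFile", "clientCA")),
                          ("serviceAccountConfig", ("privateKeyFile", "publicKeyFiles"))):
        for key in keys:
            if not _get(cfg, section, key):
                findings.append(f"{section}: {key} must be set")
    return findings


# Constructed samples (not real cluster output): one hardened, one weakened.
_ON = {"configuration": {"kind": "DefaultAdmissionConfig", "apiVersion": "v1", "disable": False}}
HARDENED_SAMPLE = {
    "kubernetesMasterConfig": {"apiServerArguments": {
        "secure-port": ["8443"], "feature-gates": ["AdvancedAuditing=true"]}},
    "admissionConfig": {"pluginConfig": {"AlwaysPullImages": _ON, "NodeRestriction": _ON}},
    "auditConfig": {"auditFilePath": "/etc/origin/master/audit-ocp.log", "enabled": True,
                    "maximumFileRetentionDays": 30, "maximumFileSizeMegabytes": 10,
                    "maximumRetainedFiles": 10},
    "kubeletClientInfo": {"ca": "ca-bundle.crt", "certFile": "master.kubelet-client.crt",
                          "keyFile": "master.kubelet-client.key", "port": 10250},
    "etcdClientInfo": {"ca": "master.etcd-ca.crt", "certFile": "master.etcd-client.crt",
                       "keyFile": "master.etcd-client.key"},
    "servingInfo": {"bindAddress": "0.0.0.0:8443", "certFile": "master.server.crt",
                    "clientCA": "ca.crt", "keyFile": "master.server.key"},
    "serviceAccountConfig": {"privateKeyFile": "serviceaccounts.private.key",
                             "publicKeyFiles": ["serviceaccounts.public.key"]},
}
WEAK_SAMPLE = copy.deepcopy(HARDENED_SAMPLE)  # same base with several items undone
WEAK_SAMPLE["kubernetesMasterConfig"]["apiServerArguments"].update(
    {"basic-auth-file": ["/path/to/any/file"], "insecure-port": ["8080"],
     "authorization-mode": ["AllowAll"]})
WEAK_SAMPLE["admissionConfig"]["pluginConfig"]["AlwaysAdmit"] = _ON
WEAK_SAMPLE["auditConfig"]["enabled"] = False
del WEAK_SAMPLE["etcdClientInfo"]["ca"]

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_SAMPLE), ("weak", WEAK_SAMPLE)):
        print(label, audit_master_config(sample) or "OK")
```

To run it against a live master, replace the constructed samples with the dict returned by yaml.safe_load on the real file; the checks deliberately flag a missing section the same way as a wrong value, so an empty config produces a full list of findings rather than a silent pass.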