This pulls in an update from our bootkube fork that adds security
hardening to the control plane. The following was changed:
- API server now uses an EncryptionConfig for encrypting secrets
- API server now has an audit policy
- Profiling was disabled on all control plane components
- PodSecurityPolicy is enabled
- API server TLS cipher suites were set to the recommended ciphers by CIS
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This changes the controlplane logic to write the audit policy to disk
from a common template instead of using trustd to distribute it.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This change allows us to generate the EncryptionConfig on each
controlplane node. The benefit is that we no longer need to distibute
the EncryptionConfig via trustd.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This TODO no longer applies. We have setteled on a fixed boot size. This
also removes variables no longer needed.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This PR will move to using the external kubeadm v1beta2 structs for our
code base. This will hopefully allow for more stable integrations with
kubeadm in the long term, as well as solve some needs we have in the
machine config rewrite.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
