Rke: Secure kubelet port

Created on 8 Mar 2018 · 11 Comments · Source: rancher/rke

All 11 comments

Available in v0.1.3-rc1

Tested using v0.1.3-rc1:

  • https endpoint on port 10250 now requires authentication.

Apologies if I missed this somewhere/this is better for Stack Overflow, but is there any way to get this update to apply to an existing cluster created with rke? I just downloaded v0.1.3-rc1 and re-ran rke up; however, it looks like, for instance, the /pods endpoint is still accessible. Thanks!

@doubleswirve on which port?

10250 -- full request command: curl --insecure https://NODE_IP:10250/pods. Thanks for the quick response!

Can you please provide:

  • Previous version you used to build the cluster.
  • Log from running rke up -d
  • docker inspect kubelet output

Sorry, we kept getting hit w/ the same mining software mentioned here so I ended up just removing the cluster and starting from scratch. FWIW, we were using the v0.1.1 release.

On the bright side, w/ a fresh rke up w/ v0.1.3-rc1, curl'ing that endpoint is now Unauthorized, so thanks for the patch.

I am sorry to hear that. I would recommend firewalling all critical Kubernetes ports as per the official documentation.

Could you please release v0.1.3 officially? Having a critical security fix lingering as an RC without a release is only putting those that are helping you test RKE and Rancher 2 at risk.

@scriptjs We are working on releasing v0.1.3 as soon as possible. In the meantime, the fix is available in master.

How about the other 2 ports (10255, 4194)? For Rancher 1.6 there's the issue https://github.com/rancher/rancher/issues/12142 - Should we create a similar one for RKE?
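
An added example, not part of the thread or of RKE's code: a Python check that reads the docker inspect kubelet output requested above and reports kubelet settings that leave ports 10250, 10255 or 4194 serving requests without authentication. The default values and the sample container JSON are assumptions constructed for illustration, and settings supplied through a kubelet config file are not covered.

```python
import json

# Upstream kubelet defaults for releases of the thread's era (an assumption of
# this example); a flag missing from the command line takes these values.
DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow",
            "read-only-port": "10255", "cadvisor-port": "4194"}

def kubelet_flags(inspect_json):
    """Parse -flag=value / --flag=value arguments out of `docker inspect` JSON."""
    container = json.loads(inspect_json)[0]
    cfg = container.get("Config") or {}
    argv = ((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
            + (container.get("Args") or []))
    flags = {}
    for arg in argv:
        if arg.startswith("-"):
            name, sep, value = arg.lstrip("-").partition("=")
            flags[name] = value if sep else "true"  # bare flag means boolean true
    return flags

def audit(inspect_json):
    """Return findings for settings that leave a kubelet port open."""
    flags = {**DEFAULTS, **kubelet_flags(inspect_json)}
    findings = []
    if flags["anonymous-auth"].lower() not in ("false", "0", "f"):
        findings.append("anonymous-auth enabled: 10250 serves unauthenticated requests")
    if flags["authorization-mode"] == "AlwaysAllow":
        findings.append("authorization-mode=AlwaysAllow: no per-request authorization")
    if not flags.get("client-ca-file"):
        findings.append("client-ca-file unset: no x509 client-certificate authentication")
    for name in ("read-only-port", "cadvisor-port"):
        if flags[name] != "0":
            findings.append(f"{name}={flags[name]}: unauthenticated listener enabled")
    return findings

# Constructed samples, not output captured from an RKE node.
SAMPLE_OPEN = json.dumps([{"Config": {"Entrypoint": ["kubelet"],
                                      "Cmd": ["--v=2", "--address=0.0.0.0"]}}])
SAMPLE_HARDENED = json.dumps([{"Config": {"Entrypoint": ["kubelet"], "Cmd": [
    "--anonymous-auth=false", "--authorization-mode=Webhook",
    "--client-ca-file=/path/to/ca.pem",  # placeholder path
    "--read-only-port=0", "--cadvisor-port=0"]}}])

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(sample) or "no findings")
```

On a node, the input would be the saved output of docker inspect kubelet passed to audit() as a string.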
