[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-09-01 UTC。"],[],[],null,["Overview\n\nThis document shows how to deploy a privileged DaemonSet in each node of\nGoogle Distributed Cloud to modify kubelet parameters to enable\nread-only ports. In version 1.16 and later, the kubelet read-only port is\ndisabled by default.\n\nPrerequisite\n\nMake sure your Google Distributed Cloud is healthy before running the following\npatch script. You can use this solution to patch 1.16 and later admin clusters\nand user clusters.\n\nCreate a DaemonSet file\n\nCreate and save a DaemonSet file named patch.yaml in your current directory,\nwith the following content:\n\n```\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: onprem-node-patcher\n namespace: kube-system\nspec:\n selector:\n matchLabels:\n name: onprem-node-patcher\n updateStrategy:\n type: RollingUpdate\n template:\n metadata:\n labels:\n name: onprem-node-patcher\n spec:\n tolerations:\n - operator: Exists\n volumes:\n - name: host\n hostPath:\n path: /\n hostPID: true\n initContainers:\n - name: read-only-patcher\n image: \"ubuntu\"\n env:\n - name: KUBELET_READONLY_PORT\n value: \"10255\"\n # Number of 1G hugepages. Update the value as desired.\n command:\n - /bin/bash\n - -c\n - |\n set -xeuo pipefail\n configfile=\"/host/var/lib/kubelet/config.yaml\"\n kubeletservice=\"/host/etc/systemd/system/kubelet.service\"\n # $1: The read-only port for the kubelet to serve on with no\n # authentication/authorization (set to 0 to disable)\n function set-readonly-port-in-config() {\n [[ \"$#\" -eq 1 ]] || return\n local readonlyport; readonlyport=\"$1\"\n local actual; actual=\"$(grep readOnlyPort \"${configfile}\")\"\n if [[ \"${actual}\" == \"\" ]]; then\n echo \"readOnlyPort: ${readonlyport}\" \u003e\u003e \"${configfile}\"\n else\n sed -E -i 's/readOnlyPort: [0-9]+/readOnlyPort: '\"${readonlyport}\"'/g' ${configfile}\n fi\n echo \"Successfully append readOnlyPort: ${readonlyport} to ${configfile}\"\n }\n sed -E -i 's/--read-only-port=[0-9]+/--read-only-port='\"${KUBELET_READONLY_PORT}\"'/g' ${kubeletservice}\n [[ -f ${configfile} ]] && set-readonly-port-in-config \"${KUBELET_READONLY_PORT}\"\n echo \"Restarting kubelet...\"\n chroot /host nsenter -a -t1 -- systemctl daemon-reload\n chroot /host nsenter -a -t1 -- systemctl restart kubelet.service\n echo \"Success!\"\n volumeMounts:\n - name: host\n mountPath: /host\n resources:\n requests:\n memory: 5Mi\n cpu: 5m\n securityContext:\n privileged: true\n containers:\n - image: gcr.io/google-containers/pause:3.2\n name: pause\n # Ensures that the pods will only run on the nodes having the correct\n # label.\n nodeSelector:\n \"kubernetes.io/os\": \"linux\"\n```\n\nUpdate the read-only port number\n\n- To change the port number, manually edit the environment variable `KUBELET_READONLY_PORT` in the DaemonSet YAML.\n\n- The default read-only port is `10255`, you should not pick `10250` as it will conflict with the predefined secure port.\n\nPatch the admin cluster\n\n```\n kubectl apply -f patch.yaml \\\n --kubeconfig ADMIN_CLUSTER_KUBECONFIG\n```\n\nPatch the user cluster\n\n```\n kubectl apply -f patch.yaml \\\n --kubeconfig USER_CLUSTER_KUBECONFIG\n```\n\nRestore\n\n- To disable the read-only port, manually edit the environment variable\n `KUBELET_READONLY_PORT` in the DaemonSet YAML.\n\n- After you save the changes, the DaemonSet will be re-run to modify the kubelet\n accordingly.\n\nCaveats\n\n- This patch has the same lifecycle as your installed 3P apps. You can run it\n anytime as a day 2 operation. But it might not persist after you re-create\n the cluster. To make this change persistent, deploy this DaemonSet as a step\n in the Google Distributed Cloud post-initialization action.\n\n- After running once, the kubelet configuration file should be modified and\n reloaded. You can safely run `kubectl delete -f patch.yaml` to clean up\n DaemonSet resources.\n\n- Google Distributed Cloud running on Windows does not support this patch.\n\n- Kubernetes does not perform any authentication or authorization checks on this\n insecure port `10255`. Enabling it will leave kubelet data unprotected and\n exposed to unauthorized users. The kubelet serves the same endpoint on the\n more secure, authenticated port `10250`, consider migrating to that secure\n port."]]
