rackerlabs · mikeruu · Oct 1, 2025 · Sep 30, 2025 · Oct 1, 2025 · Oct 1, 2025
diff --git a/iac/provider/kubespray/main.tf b/iac/provider/kubespray/main.tf
@@ -86,6 +86,8 @@ resource "local_file" "k8s_hardening" {
       k8s_api_port                            = var.k8s_api_port
       kube_vip_enabled                        = var.kube_vip_enabled
       network_plugin                          = var.network_plugin
+      subnet_pods                             = var.subnet_pods
+      subnet_nodes                            = var.subnet_nodes
       subnet_join                             = var.subnet_join
       kube_pod_security_exemptions_namespaces = var.kube_pod_security_exemptions_namespaces
       kubelet_rotate_server_certificates      = var.kubelet_rotate_server_certificates

diff --git a/iac/provider/kubespray/templates/hardening.tpl b/iac/provider/kubespray/templates/hardening.tpl
@@ -76,15 +76,16 @@ kube_profiling: true
 remove_anonymous_access: false
 
 # ## kube-controller-manager
-kube_controller_manager_bind_address: 127.0.0.1
+kube_controller_manager_bind_address: 0.0.0.0
 kube_controller_terminated_pod_gc_threshold: 50
 kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"] # False until I figure how to deploy a helm chart after the cni is deployed
 
 ## kube-scheduler
-kube_scheduler_bind_address: 127.0.0.1
+kube_scheduler_bind_address: 0.0.0.0
 
 ## etcd
 etcd_deployment_type: kubeadm
+etcd_listen_metrics_urls: "http://0.0.0.0:2381"
 
 # ## kubelet
 kubelet_authorization_mode_webhook: true
@@ -111,9 +112,9 @@ kubelet_csr_approver_values:
 # # to specify the IP from which the kubelet
 # # will receive the packets.
 %{ if network_plugin == "kube-ovn" ~}
-kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnets | regex_replace(',', ' ') }} {{ kube_node_addresses }} {{ loadbalancer_apiserver.address | default('') }} ${subnet_join}"
+kubelet_secure_addresses: "localhost link-local ${subnet_pods} ${subnet_nodes} ${vrrp_ip} ${subnet_join}"
 %{ else ~}
-kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnets | regex_replace(',', ' ') }} {{ kube_node_addresses }} {{ loadbalancer_apiserver.address | default('') }}"
+kubelet_secure_addresses: "localhost link-local ${subnet_pods} ${subnet_nodes} ${vrrp_ip}"
 %{ endif ~}
 # # additional configurations
 kube_owner: root