Stay organized with collections
Save and categorize content based on your preferences.
Overview
This document shows how to deploy a privileged DaemonSet in each node of
Google Distributed Cloud to modify kubelet parameters to enable
read-only ports. In version 1.16 and later, the kubelet read-only port is
disabled by default.
Prerequisite
Make sure your Google Distributed Cloud is healthy before running the following
patch script. You can use this solution to patch 1.16 and later admin clusters
and user clusters.
Create a DaemonSet file
Create and save a DaemonSet file named patch.yaml in your current directory,
with the following content:
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: onprem-node-patcher
namespace: kube-system
spec:
selector:
matchLabels:
name: onprem-node-patcher
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
name: onprem-node-patcher
spec:
tolerations:
- operator: Exists
volumes:
- name: host
hostPath:
path: /
hostPID: true
initContainers:
- name: read-only-patcher
image: "ubuntu"
env:
- name: KUBELET_READONLY_PORT
value: "10255"
# Number of 1G hugepages. Update the value as desired.
command:
- /bin/bash
- -c
- |
set -xeuo pipefail
configfile="/host/var/lib/kubelet/config.yaml"
kubeletservice="/host/etc/systemd/system/kubelet.service"
# $1: The read-only port for the kubelet to serve on with no
# authentication/authorization (set to 0 to disable)
function set-readonly-port-in-config() {
[[ "$#" -eq 1 ]] || return
local readonlyport; readonlyport="$1"
local actual; actual="$(grep readOnlyPort "${configfile}")"
if [[ "${actual}" == "" ]]; then
echo "readOnlyPort: ${readonlyport}" >> "${configfile}"
else
sed -E -i 's/readOnlyPort: [0-9]+/readOnlyPort: '"${readonlyport}"'/g' ${configfile}
fi
echo "Successfully append readOnlyPort: ${readonlyport} to ${configfile}"
}
sed -E -i 's/--read-only-port=[0-9]+/--read-only-port='"${KUBELET_READONLY_PORT}"'/g' ${kubeletservice}
[[ -f ${configfile} ]] && set-readonly-port-in-config "${KUBELET_READONLY_PORT}"
echo "Restarting kubelet..."
chroot /host nsenter -a -t1 -- systemctl daemon-reload
chroot /host nsenter -a -t1 -- systemctl restart kubelet.service
echo "Success!"
volumeMounts:
- name: host
mountPath: /host
resources:
requests:
memory: 5Mi
cpu: 5m
securityContext:
privileged: true
containers:
- image: gcr.io/google-containers/pause:3.2
name: pause
# Ensures that the pods will only run on the nodes having the correct
# label.
nodeSelector:
"kubernetes.io/os": "linux"
Update the read-only port number
To change the port number, manually edit the environment variable KUBELET_READONLY_PORT in the DaemonSet YAML.
The default read-only port is 10255, you should not pick 10250 as it will conflict with the predefined secure port.
To disable the read-only port, manually edit the environment variable
KUBELET_READONLY_PORT in the DaemonSet YAML.
After you save the changes, the DaemonSet will be re-run to modify the kubelet
accordingly.
Caveats
This patch has the same lifecycle as your installed 3P apps. You can run it
anytime as a day 2 operation. But it might not persist after you re-create
the cluster. To make this change persistent, deploy this DaemonSet as a step
in the Google Distributed Cloud post-initialization action.
After running once, the kubelet configuration file should be modified and
reloaded. You can safely run kubectl delete -f patch.yaml to clean up
DaemonSet resources.
Google Distributed Cloud running on Windows does not support this patch.
Kubernetes does not perform any authentication or authorization checks on this
insecure port 10255. Enabling it will leave kubelet data unprotected and
exposed to unauthorized users. The kubelet serves the same endpoint on the
more secure, authenticated port 10250, consider migrating to that secure
port.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["Overview\n\nThis document shows how to deploy a privileged DaemonSet in each node of\nGoogle Distributed Cloud to modify kubelet parameters to enable\nread-only ports. In version 1.16 and later, the kubelet read-only port is\ndisabled by default.\n\nPrerequisite\n\nMake sure your Google Distributed Cloud is healthy before running the following\npatch script. You can use this solution to patch 1.16 and later admin clusters\nand user clusters.\n\nCreate a DaemonSet file\n\nCreate and save a DaemonSet file named patch.yaml in your current directory,\nwith the following content:\n\n```\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: onprem-node-patcher\n namespace: kube-system\nspec:\n selector:\n matchLabels:\n name: onprem-node-patcher\n updateStrategy:\n type: RollingUpdate\n template:\n metadata:\n labels:\n name: onprem-node-patcher\n spec:\n tolerations:\n - operator: Exists\n volumes:\n - name: host\n hostPath:\n path: /\n hostPID: true\n initContainers:\n - name: read-only-patcher\n image: \"ubuntu\"\n env:\n - name: KUBELET_READONLY_PORT\n value: \"10255\"\n # Number of 1G hugepages. Update the value as desired.\n command:\n - /bin/bash\n - -c\n - |\n set -xeuo pipefail\n configfile=\"/host/var/lib/kubelet/config.yaml\"\n kubeletservice=\"/host/etc/systemd/system/kubelet.service\"\n # $1: The read-only port for the kubelet to serve on with no\n # authentication/authorization (set to 0 to disable)\n function set-readonly-port-in-config() {\n [[ \"$#\" -eq 1 ]] || return\n local readonlyport; readonlyport=\"$1\"\n local actual; actual=\"$(grep readOnlyPort \"${configfile}\")\"\n if [[ \"${actual}\" == \"\" ]]; then\n echo \"readOnlyPort: ${readonlyport}\" \u003e\u003e \"${configfile}\"\n else\n sed -E -i 's/readOnlyPort: [0-9]+/readOnlyPort: '\"${readonlyport}\"'/g' ${configfile}\n fi\n echo \"Successfully append readOnlyPort: ${readonlyport} to ${configfile}\"\n }\n sed -E -i 's/--read-only-port=[0-9]+/--read-only-port='\"${KUBELET_READONLY_PORT}\"'/g' ${kubeletservice}\n [[ -f ${configfile} ]] && set-readonly-port-in-config \"${KUBELET_READONLY_PORT}\"\n echo \"Restarting kubelet...\"\n chroot /host nsenter -a -t1 -- systemctl daemon-reload\n chroot /host nsenter -a -t1 -- systemctl restart kubelet.service\n echo \"Success!\"\n volumeMounts:\n - name: host\n mountPath: /host\n resources:\n requests:\n memory: 5Mi\n cpu: 5m\n securityContext:\n privileged: true\n containers:\n - image: gcr.io/google-containers/pause:3.2\n name: pause\n # Ensures that the pods will only run on the nodes having the correct\n # label.\n nodeSelector:\n \"kubernetes.io/os\": \"linux\"\n```\n\nUpdate the read-only port number\n\n- To change the port number, manually edit the environment variable `KUBELET_READONLY_PORT` in the DaemonSet YAML.\n\n- The default read-only port is `10255`, you should not pick `10250` as it will conflict with the predefined secure port.\n\nPatch the admin cluster\n\n```\n kubectl apply -f patch.yaml \\\n --kubeconfig ADMIN_CLUSTER_KUBECONFIG\n```\n\nPatch the user cluster\n\n```\n kubectl apply -f patch.yaml \\\n --kubeconfig USER_CLUSTER_KUBECONFIG\n```\n\nRestore\n\n- To disable the read-only port, manually edit the environment variable\n `KUBELET_READONLY_PORT` in the DaemonSet YAML.\n\n- After you save the changes, the DaemonSet will be re-run to modify the kubelet\n accordingly.\n\nCaveats\n\n- This patch has the same lifecycle as your installed 3P apps. You can run it\n anytime as a day 2 operation. But it might not persist after you re-create\n the cluster. To make this change persistent, deploy this DaemonSet as a step\n in the Google Distributed Cloud post-initialization action.\n\n- After running once, the kubelet configuration file should be modified and\n reloaded. You can safely run `kubectl delete -f patch.yaml` to clean up\n DaemonSet resources.\n\n- Google Distributed Cloud running on Windows does not support this patch.\n\n- Kubernetes does not perform any authentication or authorization checks on this\n insecure port `10255`. Enabling it will leave kubelet data unprotected and\n exposed to unauthorized users. The kubelet serves the same endpoint on the\n more secure, authenticated port `10250`, consider migrating to that secure\n port."]]
