kubelet: conditionalize staticPodPath location (#12433)

shaleenbathla · tico88612 · web-flow · commit 082507cff2cb · 2025-08-18T06:51:11.000-07:00
Add variable to set kubelet staticPodPath location.
It can be set to empty so that we can choose to disable it for some nodes.
STIG recommendation is to disable it.

Signed-off-by: Shaleen Bathla &lt;shaleenbathla@gmail.com&gt;
Co-authored-by: ChengHao Yang &lt;17496418+tico88612@users.noreply.github.com&gt;
diff --git a/docs/operations/hardening.md b/docs/operations/hardening.md
@@ -96,6 +96,8 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
+# To disable kubelet's staticPodPath (for nodes that don't use static pods like worker nodes)
+kubelet_static_pod_path: ""
 # In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
 # IP addresses, kubelet_secure_addresses allows you
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
@@ -188,6 +188,8 @@ conntrack_modules:
   - nf_conntrack
   - nf_conntrack_ipv4
 
+# Set this option to "" (empty) to disable staticPodPath (See docs/operations/hardening.md)
+kubelet_static_pod_path: "{{ kube_manifest_dir }}"
 
 ## Enable distributed tracing for kubelet
 kubelet_tracing: false
diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -22,7 +22,7 @@ enforceNodeAllocatable:
 - {{ item }}
 {% endfor %}
 {% endif %}
-staticPodPath: {{ kube_manifest_dir }}
+staticPodPath: "{{ kubelet_static_pod_path }}"
 cgroupDriver: {{ kubelet_cgroup_driver | default('systemd') }}
 containerLogMaxFiles: {{ kubelet_logfiles_max_nr }}
 containerLogMaxSize: {{ kubelet_logfiles_max_size }}
