fix: bind loadbalancer healthcheck endpoint to localhost by default (#12809)

Author: hadi2f244

roles/kubernetes/node/defaults/main.yml

@@ -143,6 +143,12 @@ kubelet_healthz_port: 10248
 # Bind address for healthz for Kubelet
 kubelet_healthz_bind_address: 127.0.0.1
 
+# Bind addresses for healthz for the internal load balancer (nginx/haproxy)
+# Defaults to localhost for security. Set to 0.0.0.0 if external health checks are needed.
+loadbalancer_apiserver_healthcheck_bind_address: 127.0.0.1
+# Defaults to IPv6 localhost. Set to :: if external health checks are needed.
+loadbalancer_apiserver_healthcheck_bind_address_ipv6: ::1
+
 # sysctl_file_path to add sysctl conf to
 sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
 

roles/kubernetes/node/templates/loadbalancer/haproxy.cfg.j2

@@ -21,9 +21,9 @@ defaults
 
 {% if loadbalancer_apiserver_healthcheck_port is defined -%}
 frontend healthz
-  bind 0.0.0.0:{{ loadbalancer_apiserver_healthcheck_port }}
+  bind {{ loadbalancer_apiserver_healthcheck_bind_address }}:{{ loadbalancer_apiserver_healthcheck_port }}
   {% if ipv6_stack -%}
-  bind :::{{ loadbalancer_apiserver_healthcheck_port }}
+  bind [{{ loadbalancer_apiserver_healthcheck_bind_address_ipv6 }}]:{{ loadbalancer_apiserver_healthcheck_port }}
   {% endif -%}
   mode http
   monitor-uri /healthz

roles/kubernetes/node/templates/loadbalancer/nginx.conf.j2

@@ -43,9 +43,9 @@ http {
 
   {% if loadbalancer_apiserver_healthcheck_port is defined -%}
   server {
-    listen {{ loadbalancer_apiserver_healthcheck_port }};
+    listen {{ loadbalancer_apiserver_healthcheck_bind_address }}:{{ loadbalancer_apiserver_healthcheck_port }};
     {% if ipv6_stack -%}
-    listen [::]:{{ loadbalancer_apiserver_healthcheck_port }};
+    listen [{{ loadbalancer_apiserver_healthcheck_bind_address_ipv6 }}]:{{ loadbalancer_apiserver_healthcheck_port }};
     {% endif -%}
     location /healthz {
       access_log off;