From 396a2ebb83848b444bbcb9b144713baefc70e5ee Mon Sep 17 00:00:00 2001
From: shenlan <manbuzhe2009@qq.com>
Date: Mon, 21 Jul 2025 12:15:32 +0800
Subject: [PATCH] Add debug port patch script and integrate

---
 docs/gpu-offline-package.md               |  1 +
 scripts/close-k8s-debug-ports.sh          | 18 ++++++++++++++++++
 scripts/create-gpu-k8s-offline-package.sh |  1 +
 scripts/gpu-k8s.sh                        |  3 +++
 4 files changed, 23 insertions(+)
 create mode 100755 scripts/close-k8s-debug-ports.sh

diff --git a/docs/gpu-offline-package.md b/docs/gpu-offline-package.md
index c503240..cfa8c43 100644
--- a/docs/gpu-offline-package.md
+++ b/docs/gpu-offline-package.md
@@ -21,6 +21,7 @@ bash scripts/create-gpu-k8s-offline-package.sh
 - nerdctl CLI（v${NERDCTL_VERSION:-2.1.2}）
 - 必要的容器镜像，包括 `registry.k8s.io/pause:3.8`
 - GPU 环境检测脚本 `check-gpu-status.sh`
+- 可选的集群安全脚本 `close-k8s-debug-ports.sh`
 
 该离线包用于基于 `sealos` 部署 Kubernetes，最低推荐版本为 **1.29**，也可以使用更新的 `1.30` 等稳定版本。
 
diff --git a/scripts/close-k8s-debug-ports.sh b/scripts/close-k8s-debug-ports.sh
new file mode 100755
index 0000000..1f358fa
--- /dev/null
+++ b/scripts/close-k8s-debug-ports.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Close insecure debug ports for kube-scheduler and kube-controller-manager
+
+set -euo pipefail
+
+echo "🔧 Closing 10251 and 10252 debug ports..."
+
+for file in /etc/kubernetes/manifests/kube-scheduler.yaml \
+            /etc/kubernetes/manifests/kube-controller-manager.yaml; do
+  if grep -q -- '--port=' "$file"; then
+    sed -i 's/--port=[0-9]\+/--port=0/' "$file"
+  else
+    sed -i '/command:/a \    - --port=0' "$file"
+  fi
+done
+
+echo "✅ Done. kubelet will reload pods in 10 seconds."
diff --git a/scripts/create-gpu-k8s-offline-package.sh b/scripts/create-gpu-k8s-offline-package.sh
index b26d80d..bc25985 100755
--- a/scripts/create-gpu-k8s-offline-package.sh
+++ b/scripts/create-gpu-k8s-offline-package.sh
@@ -102,6 +102,7 @@ curl -L -o "$WORKDIR/nvidia-gpgkey" https://nvidia.github.io/nvidia-docker/gpgke
 # Include deployment script
 cp "$(dirname "$0")/gpu-k8s.sh" "$WORKDIR/"
 cp "$(dirname "$0")/check-gpu-status.sh" "$WORKDIR/"
+cp "$(dirname "$0")/close-k8s-debug-ports.sh" "$WORKDIR/"
 
 # Create final archive
 TAR_NAME="gpu_k8s_offline_packages.tar.gz"
diff --git a/scripts/gpu-k8s.sh b/scripts/gpu-k8s.sh
index 23e2717..6d8c1fd 100644
--- a/scripts/gpu-k8s.sh
+++ b/scripts/gpu-k8s.sh
@@ -191,6 +191,9 @@ deploy_k8s() {
     --env '{}' --cmd "kubeadm init --skip-phases=addon/kube-proxy"
 
   echo "[6.2] Kubernetes 部署完成 ✅"
+
+  echo "[6.3] 关闭调度器和控制器调试端口"
+  ${SCRIPT_DIR}/close-k8s-debug-ports.sh || true
 }