Add debug port patch script and integrate

docs/gpu-offline-package.md

@@ -21,6 +21,7 @@ bash scripts/create-gpu-k8s-offline-package.sh
 - nerdctl CLI（v${NERDCTL_VERSION:-2.1.2}）
 - 必要的容器镜像，包括 `registry.k8s.io/pause:3.8`
 - GPU 环境检测脚本 `check-gpu-status.sh`
+- 可选的集群安全脚本 `close-k8s-debug-ports.sh`
 
 该离线包用于基于 `sealos` 部署 Kubernetes，最低推荐版本为 **1.29**，也可以使用更新的 `1.30` 等稳定版本。
 

scripts/close-k8s-debug-ports.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Close insecure debug ports for kube-scheduler and kube-controller-manager
+
+set -euo pipefail
+
+echo "🔧 Closing 10251 and 10252 debug ports..."
+
+for file in /etc/kubernetes/manifests/kube-scheduler.yaml \
+            /etc/kubernetes/manifests/kube-controller-manager.yaml; do
+  if grep -q -- '--port=' "$file"; then
+    sed -i 's/--port=[0-9]\+/--port=0/' "$file"
+  else
+    sed -i '/command:/a \    - --port=0' "$file"
+  fi
+done
+
+echo "✅ Done. kubelet will reload pods in 10 seconds."

scripts/create-gpu-k8s-offline-package.sh

@@ -102,6 +102,7 @@ curl -L -o "$WORKDIR/nvidia-gpgkey" https://nvidia.github.io/nvidia-docker/gpgke
 # Include deployment script
 cp "$(dirname "$0")/gpu-k8s.sh" "$WORKDIR/"
 cp "$(dirname "$0")/check-gpu-status.sh" "$WORKDIR/"
+cp "$(dirname "$0")/close-k8s-debug-ports.sh" "$WORKDIR/"
 
 # Create final archive
 TAR_NAME="gpu_k8s_offline_packages.tar.gz"

scripts/gpu-k8s.sh

@@ -191,6 +191,9 @@ deploy_k8s() {
     --env '{}' --cmd "kubeadm init --skip-phases=addon/kube-proxy"
 
   echo "[6.2] Kubernetes 部署完成 ✅"
+
+  echo "[6.3] 关闭调度器和控制器调试端口"
+  ${SCRIPT_DIR}/close-k8s-debug-ports.sh || true
 }