Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document securing connection between kube-apiserver <-> Metrics Server #545

Open
serathius opened this issue Jun 21, 2020 · 20 comments
Open

Document securing connection between kube-apiserver <-> Metrics Server #545

serathius opened this issue Jun 21, 2020 · 20 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/documentation Categorizes issue or PR as related to documentation. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@serathius
Copy link
Contributor

We should do a better job informing users how to secure communication between apiserver and Metrics server. It should mention disabling insecureSkipTLSVerify

/kind documentation
/help
@k8s-ci-robot
Copy link
Contributor

@serathius:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

We should do a better job informing users how to secure communication between apiserver and Metrics server. It should mention disabling insecureSkipTLSVerify

/kind documentation
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added kind/documentation Categorizes issue or PR as related to documentation. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Jun 21, 2020
@serathius serathius mentioned this issue Jun 21, 2020
Closed
@jenting
Copy link

jenting commented Aug 6, 2020

I had a repo https://github.com/jenting/secure-metrics-server to deploy metrics-server in secure, hope it would help 😄

@serathius
Copy link
Contributor Author

Thanks @jenting, it looks really interesting. I will talk with someone more familiar with apimachinery to confirm this is aligned with current best practices. Would you be interested in contributing this to MS documentation?

@jenting
Copy link

jenting commented Aug 6, 2020

To here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely, right?

@serathius
Copy link
Contributor Author

Yes, before starting work let me get lgtm from someone from SIG-apimachinery & SIG-security. I think your instructions are very good, still it's could be possible to improve them with some feedback from area experts.

@serathius
Copy link
Contributor Author

serathius commented Aug 6, 2020
edited
Loading

@logicalhan, are you know who should we ask about securing kube-apiserver -> extension apiserver communication and what is current recommended approach?

Would it be ok for us to recommend manual certificate creation like described here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely

@serathius serathius changed the title Improve documentation about making MS more secure Document securing connection between kube-apiserver <-> Metrics Server Aug 25, 2020
@serathius
Copy link
Contributor Author

ping @logicalhan

@logicalhan
Copy link

@liggitt probably has a better idea about this than me.

@agilgur5 agilgur5 mentioned this issue Oct 8, 2020
Merged
@serathius
Copy link
Contributor Author

/triage accepted

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Nov 15, 2020
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 13, 2021
@serathius
Copy link
Contributor Author

/remove-lifecycle stale
ping @liggitt

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 13, 2021
@liggitt
Copy link

liggitt commented Feb 15, 2021

Would it be ok for us to recommend manual certificate creation like described here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely

redirect to @deads2k

@serathius
Copy link
Contributor Author

ping @deads2k

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 15, 2021
@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 16, 2021
@serathius
Copy link
Contributor Author

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Jul 17, 2021
@serathius serathius mentioned this issue Nov 16, 2021
Closed
@jmvcollaborator
Copy link

just get the file from all the versions components.yaml add and apply:

 k8s-app: metrics-server

spec:

  containers:

  - args:

    **- --kubelet-insecure-tls**

@kubernetes-sigs kubernetes-sigs deleted a comment from fejta-bot Jun 15, 2022
@kubernetes-sigs kubernetes-sigs deleted a comment from fejta-bot Jun 15, 2022
@k8s-triage-robot
Copy link

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jun 15, 2023
@Constantin07
Copy link

/triage accepted

@k8s-ci-robot
Copy link
Contributor

@Constantin07: The label triage/accepted cannot be applied. Only GitHub organization members can add the label.

In response to this:

/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mkilchhofer mkilchhofer mentioned this issue Jul 14, 2023
Merged
@dashpole
Copy link

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 10, 2023
@k8s-triage-robot
Copy link

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Aug 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/documentation Categorizes issue or PR as related to documentation. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@logicalhan @liggitt @dashpole @serathius @Constantin07 @k8s-ci-robot @fejta-bot @jenting @k8s-triage-robot @jmvcollaborator