provide workarounds for the kubelet self-signed serving certificate #1602
Comments
someone shared this operator:
@neolit123 is #1753 going to fix this as well?
@fabriziopandini no, this is about the kubelet self-signed serving cert.
Helm workaround is to turn off TLS checking for the metrics server.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle frozen
Looking for this so that deploying metrics-server would work securely and out-of-the-box!
Hello,
I've written up the process and how to get metrics server to work securely with a kubeadm deployed Kubernetes system here: https://www.brightbox.com/blog/2020/09/15/secure-kubernetes-metrics/ Hope you find it useful.
Thanks for the writeup, Neil. I wish we had a guide for using rbac proxy too.
Hello @NeilW, thanks for the very good article.
I've added another post about auto-signing the kubelet certificates using "rubber stamp" and why we believe that is an acceptable risk on kubeadm installed clusters. https://www.brightbox.com/blog/2020/09/24/auto-signing-kubernetes-server-certificates/
The situation has changed somewhat since this was opened. The current state is that cloud providers are or are going to implement CSR signers that verify the identity of the node via an out of band mechanism, and that would provide a stronger guarantee than the rubber stamp controller alone. We should probably direct users to look at the relevant cloud provider docs to see what their options are, and suggest they can use a rubber stamp or custom controller given the subject access review etc...
I can summarize the state in the docs this cycle.
opened PR for the kubeadm docs: |
TL;DR: kubeadm manages a kubelet that self-signs its serving certificate. This creates a blocker for metrics server users that wish to scrape the kubelet as a server.
related issue:
#1223
related enhancement:
kubernetes/enhancements#267
official docs:
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation
this ticket is to track documenting a workaround in our TS guide:
https://kubernetes.io/docs/setup/independent/troubleshooting-kubeadm/
or alternatively as a MD file / guide in this repository under /docs.