--kubelet-insecure-tls is still present #3
Comments
The metrics-server is a server as part of kube-apiserver, and also a client for gathering CPU/memory from the kubelet server. The repo makes the metrics-server's server part secure with TLS. However, in a cluster bootstrapped by a K8s distro (like kubeadm), the kubelet servers run with self-signed certificates on each node. Therefore, we can't make the metrics-server client run with TLS.
Much appreciated for your answer and explanation; we've been doing certificate re-signing specifically to get rid of the
Yes, you could re-sign all nodes' kubelet server certificates, issued by your trusted CA.
One might also let the kubelet do the job, when spinning up the cluster using this configuration:

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
serverTLSBootstrap: true

If you pass this configuration to kubeadm, each kubelet issues a CSR like you do in your script. Those can be approved in the same manner and you can omit the flag
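With serverTLSBootstrap enabled, every kubelet submits a CSR to the kubernetes.io/kubelet-serving signer and the cluster operator has to decide which ones to approve. Approving blindly defeats the point of dropping --kubelet-insecure-tls, since any identity allowed to create CSRs could ask for a serving certificate. The following Python script is an added example, not code from this issue or from the secure-metrics-server project: it takes the JSON shape of `kubectl get csr -o json`, applies the checks a reviewer would do by hand (correct signer, requester is a system:node identity in group system:nodes, server-auth usages only, not already approved or denied) and emits the approve commands only for requests that pass. The CSR list embedded below is constructed sample data, not output from a real cluster.

```python
"""Pick out kubelet-serving CSRs that are safe to approve (added example)."""
import json

KUBELET_SERVING_SIGNER = "kubernetes.io/kubelet-serving"
# A kubelet serving request asks for server auth only; anything outside this
# set (for example "client auth") is not something a serving CSR should carry.
ALLOWED_USAGES = {"digital signature", "key encipherment", "server auth"}


def _csr(name, signer, username, groups, usages, conditions=None):
    """Build one CSR object in the shape returned by `kubectl get csr -o json`."""
    return {
        "metadata": {"name": name},
        "spec": {"signerName": signer, "username": username,
                 "groups": groups, "usages": usages},
        "status": {"conditions": conditions or []},
    }


# Constructed sample list (assumption: same layout as `kubectl get csr -o json`).
SAMPLE_CSR_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    # 1. pending serving CSR from node01: the case serverTLSBootstrap produces
    _csr("csr-node01", KUBELET_SERVING_SIGNER, "system:node:node01",
         ["system:nodes", "system:authenticated"],
         ["digital signature", "key encipherment", "server auth"]),
    # 2. same shape but already approved: nothing to do
    _csr("csr-node02", KUBELET_SERVING_SIGNER, "system:node:node02",
         ["system:nodes", "system:authenticated"],
         ["digital signature", "key encipherment", "server auth"],
         [{"type": "Approved", "status": "True"}]),
    # 3. serving signer requested by a non-node identity: must not be approved
    _csr("csr-sa", KUBELET_SERVING_SIGNER, "system:serviceaccount:default:app",
         ["system:serviceaccounts", "system:authenticated"],
         ["digital signature", "key encipherment", "server auth"]),
    # 4. node identity asking for client auth under the serving signer: reject
    _csr("csr-node03", KUBELET_SERVING_SIGNER, "system:node:node03",
         ["system:nodes", "system:authenticated"],
         ["digital signature", "client auth", "server auth"]),
    # 5. kubelet client-certificate CSR, a different signer: not in scope here
    _csr("csr-client", "kubernetes.io/kube-apiserver-client-kubelet",
         "system:node:node01", ["system:nodes"],
         ["digital signature", "key encipherment", "client auth"]),
]})


def classify(csr):
    """Return ("approve" | "skip" | "reject", reason) for one CSR object."""
    name = csr.get("metadata", {}).get("name", "<unnamed>")
    spec = csr.get("spec", {})

    if spec.get("signerName") != KUBELET_SERVING_SIGNER:
        return "skip", f"{name}: signer {spec.get('signerName')!r} is not the kubelet serving signer"

    for cond in csr.get("status", {}).get("conditions", []):
        if cond.get("type") in ("Approved", "Denied") and cond.get("status") == "True":
            return "skip", f"{name}: already {cond['type'].lower()}"

    username = spec.get("username", "")
    node = username[len("system:node:"):] if username.startswith("system:node:") else ""
    if not node:
        return "reject", f"{name}: requester {username!r} is not a node identity"
    if "system:nodes" not in spec.get("groups", []):
        return "reject", f"{name}: requester {username!r} is not in group system:nodes"

    usages = set(spec.get("usages", []))
    if "server auth" not in usages or not usages <= ALLOWED_USAGES:
        return "reject", f"{name}: unexpected key usages {sorted(usages)}"

    # Before approving for real, also decode spec.request and confirm that the
    # subject CN is system:node:<node> and the SANs are that node's name and
    # addresses (e.g. `openssl req -noout -text`); that step needs the PEM and
    # is left out of this metadata-only check.
    return "approve", f"{name}: serving CSR from node {node}"


def decisions(csr_list_json):
    """Map CSR name -> decision for a `kubectl get csr -o json` document."""
    items = json.loads(csr_list_json).get("items", [])
    return {c["metadata"]["name"]: classify(c)[0] for c in items}


def select_approvable(csr_list_json):
    """Names of CSRs that pass every check, in list order."""
    return [n for n, d in decisions(csr_list_json).items() if d == "approve"]


def approve_commands(csr_list_json):
    """The kubectl commands an operator would run for the approvable CSRs."""
    return [f"kubectl certificate approve {n}" for n in select_approvable(csr_list_json)]


if __name__ == "__main__":
    for item in json.loads(SAMPLE_CSR_LIST)["items"]:
        print(*classify(item))
    print("\n".join(approve_commands(SAMPLE_CSR_LIST)))
```

Run it against a live cluster by feeding `kubectl get csr -o json` into `decisions()` instead of the sample; the "reject" cases are the ones worth alerting on, because a serving CSR from a non-node identity or with client-auth usage is not something a kubelet bootstrapped by kubeadm would submit.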
Thank you, correct! You could also refer to another project of mine, https://github.com/SUSE/kucero, if you are interested; it focuses on rotating kubeadm-managed and kubelet client & server certificates automatically.
@jenting that's another great option to address kubernetes/kubeadm#1602
With regard to my original question, do we really need these lines after all? Or maybe the README.md file should have a step 6 to omit the flag with
Well, if you have prepared
then https://github.com/jenting/secure-metrics-server/blob/main/secure-metrics-server.sh#L129-L131 is not needed.
Which is only possible by using some kind of workaround, because kubelet (re)generated certificates will have 0600 permissions on their files (so that only the user running the kubelet daemon will be able to access them). What do you think?
Hi,
I'm wondering whether the following line increases said security; could you please comment?
secure-metrics-server/secure-metrics-server.sh, line 131 at commit 87c714b