search

kubernetes-sigs / kubespray

Deploy a Production Ready Kubernetes Cluster
Apache License 2.0
16.19k stars 6.48k forks source link

Need to understand the concept, why still metric server needs "metrics_server_kubelet_insecure_tls: true" argument #10310

Closed manikandanmr closed 7 months ago

manikandanmr commented 1 year ago

Issue Description:

Summary:

I'm trying to understand the concept behind the metrics_server_kubelet_insecure_tls: true argument in the metric server configuration.

Details:

Scenario-1

When i am using kubeadm to bootstrap the cluster, i just simply pass serverTLSBootstrap: true argument on the kubelet config, it will create CSR which need to be approve manually for all nodes and after aprroved. Then i can deploy metrics server without --kubelet-insecure-tls argument.

Scenario-2

In kubespray, I have added serverTLSBootstrap: true (By default) & metrics_server_kubelet_insecure_tls: false and then deploying the metric server, got certificate error.

Questions:

  1. Did i miss anything?
  2. Is it fine with insecure mode for production environment?
  3. Are there any alternatives or more secure configurations for the metric server to access nodes metrics?

I would appreciate any insights, documentation references, or best practices regarding this issue. Understanding the rationale behind this requirement will help me make more informed decisions for our cluster's security.

Thank you :smile:

yankay commented 1 year ago

Thanks @manikandanmr

The question is very interesting :-)

I think the kubespray needs to support a more secure configurations for the metric server with a cert-manager, like:

manikandanmr commented 1 year ago

Ya, i think so, because its production grade tool and adopted by some many enterprises.

k8s-triage-robot commented 9 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 7 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/kubespray/issues/10310#issuecomment-2018595281): >The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. > >This bot triages issues according to the following rules: >- After 90d of inactivity, `lifecycle/stale` is applied >- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied >- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed > >You can: >- Reopen this issue with `/reopen` >- Mark this issue as fresh with `/remove-lifecycle rotten` >- Offer to help out with [Issue Triage][1] > >Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community). > >/close not-planned > >[1]: https://www.kubernetes.dev/docs/guide/issue-triage/ Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.