kubernetes-sigs / metrics-server

Scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/
Apache License 2.0

Document securing connection between kube-apiserver <-> Metrics Server #545

Open serathius opened 4 years ago

serathius commented 4 years ago

We should do a better job informing users how to secure communication between apiserver and Metrics server. It should mention disabling `insecureSkipTLSVerify`.

/kind documentation
/help

k8s-ci-robot commented 4 years ago

@serathius: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes-sigs/metrics-server/issues/545):

>We should do a better job informing users how to secure communication between apiserver and Metrics server. It should mention disabling `insecureSkipTLSVerify`
>
>/kind documentation
>/help

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

jenting commented 4 years ago

I had a repo https://github.com/jenting/secure-metrics-server to deploy metrics-server securely, hope it would help :smile:

serathius commented 4 years ago

Thanks @jenting, it looks really interesting. I will talk with someone more familiar with apimachinery to confirm this is aligned with current best practices. Would you be interested in contributing this to MS documentation?

jenting commented 4 years ago

To here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely, right?

serathius commented 4 years ago

Yes, before starting work let me get lgtm from someone from SIG-apimachinery & SIG-security. I think your instructions are very good; still, it could be possible to improve them with some feedback from area experts.

serathius commented 4 years ago

@logicalhan, do you know who we should ask about securing kube-apiserver -> extension apiserver communication and what the current recommended approach is?

Would it be ok for us to recommend manual certificate creation like described here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely

serathius commented 4 years ago

ping @logicalhan

logicalhan commented 4 years ago

@liggitt probably has a better idea about this than me.

serathius commented 3 years ago

/triage accepted

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

serathius commented 3 years ago

/remove-lifecycle stale

ping @liggitt

liggitt commented 3 years ago

> Would it be ok for us to recommend manual certificate creation like described here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely

redirect to @deads2k

serathius commented 3 years ago

ping @deads2k

serathius commented 3 years ago

/lifecycle frozen

jmvcollaborator commented 2 years ago

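Just get the file components.yaml from all the versions, add and apply:

```yaml
# Excerpt of the metrics-server Deployment in components.yaml
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        # Flag added by the commenter: metrics-server then does not verify
        # the serving certificates presented by kubelets.
        - --kubelet-insecure-tls
```
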
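
A check for the two settings this thread names, `insecureSkipTLSVerify` on the APIService (first post) and `--kubelet-insecure-tls` in the Deployment args (comment above), as an added example that is not code from metrics-server or from any commenter. It assumes input shaped like the List that `kubectl get apiservices,deployments -A -o json` returns; the function name and the sample objects are constructed for illustration.

```python
import json
import sys

FALSEY = {"false", "0", "f"}  # values that switch a boolean flag off

def audit(listing):
    """Return sorted (kind, name, issue) findings for a kubectl JSON List."""
    findings = []
    for obj in listing.get("items", []):
        kind, spec = obj.get("kind"), obj.get("spec", {})
        name = obj.get("metadata", {}).get("name", "?")
        if kind == "APIService" and spec.get("service"):
            # Only aggregated APIs (spec.service set) are proxied over TLS
            # by kube-apiserver; locally served groups have no backend.
            if spec.get("insecureSkipTLSVerify"):
                findings.append((kind, name, "insecureSkipTLSVerify: true"))
            elif not spec.get("caBundle"):
                findings.append((kind, name, "no caBundle (system trust roots used)"))
        elif kind == "Deployment":
            pod = spec.get("template", {}).get("spec", {})
            for ctr in pod.get("containers", []):
                for arg in (ctr.get("command") or []) + (ctr.get("args") or []):
                    flag, _, value = arg.partition("=")
                    if flag == "--kubelet-insecure-tls" and value.lower() not in FALSEY:
                        findings.append((kind, name, "--kubelet-insecure-tls set"))
    return sorted(findings)

# Constructed sample objects (not taken from a real cluster).
SAMPLE = {"kind": "List", "items": [
    {"kind": "APIService", "metadata": {"name": "v1beta1.metrics.k8s.io"},
     "spec": {"service": {"name": "metrics-server", "namespace": "kube-system"},
              "insecureSkipTLSVerify": True}},
    {"kind": "APIService", "metadata": {"name": "v1.apps"}, "spec": {}},
    {"kind": "APIService", "metadata": {"name": "v1.example.test"},
     "spec": {"service": {"name": "example", "namespace": "default"},
              "caBundle": "Q09OU1RSVUNURUQ="}},
    {"kind": "Deployment", "metadata": {"name": "metrics-server"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "metrics-server",
          "args": ["--cert-dir=/tmp", "--kubelet-insecure-tls"]}]}}}},
]}

if __name__ == "__main__":
    # Audit piped kubectl output if present, otherwise the constructed sample.
    listing = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit(listing):
        print(*finding, sep="\t")
```
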
k8s-triage-robot commented 1 year ago

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

Constantin07 commented 1 year ago

/triage accepted

k8s-ci-robot commented 1 year ago

@Constantin07: The label triage/accepted cannot be applied. Only GitHub organization members can add the label.

In response to [this](https://github.com/kubernetes-sigs/metrics-server/issues/545#issuecomment-1593311449):

>/triage accepted

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

dashpole commented 1 year ago

/triage accepted

k8s-triage-robot commented 1 month ago

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted