Open serathius opened 4 years ago
@serathius: This request has been marked as needing help from a contributor.
Please ensure the request meets the requirements listed here.
If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.
I have a repo https://github.com/jenting/secure-metrics-server for deploying metrics-server securely; I hope it helps :smile:
Thanks @jenting, it looks really interesting. I will talk with someone more familiar with apimachinery to confirm this is aligned with current best practices. Would you be interested in contributing this to MS documentation?
Yes, before starting work let me get lgtm from someone from SIG-apimachinery & SIG-security. I think your instructions are very good; still, it could be possible to improve them with some feedback from area experts.
@logicalhan, do you know whom we should ask about securing kube-apiserver -> extension apiserver communication and what the current recommended approach is?
Would it be ok for us to recommend manual certificate creation as described here: https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely
ping @logicalhan
@liggitt probably has a better idea about this than me.
/triage accepted
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
ping @liggitt
Would it be ok for us to recommend manual certificate creation like described here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely
redirect to @deads2k
ping @deads2k
/lifecycle frozen
Just get the components.yaml file from all the versions, add this and apply:

```yaml
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --kubelet-insecure-tls
```
This issue has not been updated in over 1 year, and should be re-triaged.
You can:
/triage accepted (org members only)
/close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
/triage accepted
@Constantin07: The label triage/accepted cannot be applied. Only GitHub organization members can add the label.
/triage accepted
We should do a better job informing users how to secure communication between apiserver and Metrics server. It should mention disabling insecureSkipTLSVerify
/kind documentation
/help
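An added example, not part of the thread or of the metrics-server project: a small audit that flags the two settings discussed above, `insecureSkipTLSVerify: true` on the APIService and `--kubelet-insecure-tls` in the container args, in a multi-document manifest. The function name `audit` and the sample manifest are constructed for illustration, and the scan is line-based rather than a full YAML parser.

```python
import re

# Constructed sample (not from the thread): trimmed manifest with both weak settings.
SAMPLE = """\
kind: Deployment
metadata:
  name: metrics-server
spec:
  template:
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --kubelet-insecure-tls   # kubelet serving cert is not verified
---
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
spec:
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
"""

ARG = re.compile(r"^\s*-\s*[\"']?--kubelet-insecure-tls(?:=(\w+))?[\"']?\s*$")
SKIP = re.compile(r"^\s*insecureSkipTLSVerify:\s*true\s*$", re.I)

def audit(manifest):
    """Return (kind, name, setting) for each TLS hop left unverified."""
    findings = []
    for doc in re.split(r"^---\s*$", manifest, flags=re.M):
        # Drop YAML comments so commented-out settings are not reported.
        lines = [re.sub(r"\s+#.*$|^\s*#.*$", "", l) for l in doc.splitlines()]
        text = "\n".join(lines)
        kind = re.search(r"^kind:\s*(\S+)", text, re.M)
        name = re.search(r"^\s+name:\s*(\S+)", text, re.M)
        ident = (kind.group(1) if kind else "?", name.group(1) if name else "?")
        for line in lines:
            m = ARG.match(line)
            # A bare flag or =true disables kubelet certificate verification.
            if m and (m.group(1) or "true").lower() == "true":
                findings.append(ident + ("--kubelet-insecure-tls",))
            if ident[0] == "APIService" and SKIP.match(line):
                findings.append(ident + ("insecureSkipTLSVerify",))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against rendered manifests in CI, a non-empty result means at least one hop (kube-apiserver to metrics-server, or metrics-server to kubelet) skips certificate verification.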