Open slashben opened 4 months ago
@slashben do we want to fix that?
we must, but it should be fairly simple
it should be set up in ClientCA
in the SecureServingInfo
see more here
https://pkg.go.dev/k8s.io/apiserver/pkg/server#SecureServingInfo
nice, do we want to add a config entry for that certificate? or should we read it from somewhere in the downward API?
Wait, we have two problems here.
One is we need to have the client certificate of the API server (it can be taken with `kubectl get configmap -n kube-public cluster-info -o jsonpath='{.data.kubeconfig}' | yq | jq -r '.clusters[0].cluster."certificate-authority-data"'`, I guess we can read it during the helm installation)
The second is that we do not generate a server certificate 😞
```yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
spec:
  insecureSkipTLSVerify: true
```
@matthyx see my PRs (they were tested locally)
The current implementation does not validate peer TLS certificates, and any client can connect to it and pull data. It should only be the Kubernetes API server that is allowed to do queries.
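As an added example (not code from this issue or from the project), here is what the fix discussed above looks like when reduced to the Go standard library: the `ClientCA` of `SecureServingInfo` maps to `tls.Config.ClientCAs` with `ClientAuth: tls.RequireAndVerifyClientCert`, so a peer with no certificate or with one from an untrusted issuer is refused at the handshake, and the handler additionally requires the authenticated peer to be the API server's proxy client. The CA, the client certificates, the `httptest` server and the CN `front-proxy-client` are assumptions constructed in memory for the demo; a real aggregated server would load the front-proxy CA shipped by the cluster instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// AllowedCN is the only peer identity the server answers. kubeadm issues the kube-apiserver's
// proxy-client certificate with CN "front-proxy-client"; this is an assumption, take the real value from the cluster.
const AllowedCN = "front-proxy-client"

func must(err error) { // abort the demo if an in-memory fixture cannot be built
	if err != nil {
		panic(err)
	}
}

// issueCert returns a self-signed CA (parent == nil) or a client leaf signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // leaf usable only for TLS client authentication
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewMTLSServer is the stdlib equivalent of setting ClientCA on SecureServingInfo: the TLS
// handshake fails unless the peer presents a certificate chaining to clientCA, and the
// handler then insists that the authenticated peer is the API server's proxy client.
func NewMTLSServer(clientCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Chaining to the CA is not enough: any certificate the CA issued would pass the handshake.
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 || r.TLS.PeerCertificates[0].Subject.CommonName != AllowedCN {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Write([]byte("ok"))
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// Probe sends one GET with the given client certificate (nil = none); 0 means the handshake was refused.
func Probe(srv *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) int {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Demo builds a trusted CA, a rogue CA and three constructed client identities, then returns the
// status each caller gets: no certificate, untrusted issuer, wrong identity, the API server itself.
func Demo() (noCert, untrustedCA, wrongIdentity, apiserver int) {
	ca, caKey := issueCert("front-proxy-ca", nil, nil)
	rogueCA, rogueKey := issueCert("rogue-ca", nil, nil)
	apiserverCert, apiserverKey := issueCert(AllowedCN, ca, caKey)
	otherCert, otherKey := issueCert("some-other-client", ca, caKey)
	rogueCert, rogueCertKey := issueCert(AllowedCN, rogueCA, rogueKey) // right name, untrusted issuer
	srv := NewMTLSServer(ca)
	defer srv.Close()
	return Probe(srv, nil, nil), Probe(srv, rogueCert, rogueCertKey),
		Probe(srv, otherCert, otherKey), Probe(srv, apiserverCert, apiserverKey)
}
```

Calling `Demo()` gives `0, 0, 403, 200`: the two callers that cannot prove membership in the trusted CA never reach the handler, and the caller that chains to the CA but is not the proxy client is still turned away. The same split applies with the apiserver library: `ClientCA` does the chain check, and the request-header authenticator plus authorization decide whether the authenticated identity may query.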