kube-rbac-proxy should have a valid TLS certificate

[nkinkade]

We are using kube-rbac-proxy to proxy requests to node_exporter. It is using TLS, but with a self-signed certificate. Prometheus scrapes the proxy over TLS, but with insecure-skip-verify: true. This is probably okay for cluster-internal IP addresses, but since kube-rbac-proxy will be listening on the public interface of all platform nodes, then this subjects Prometheus scraping to MITM attacks. A successful attack would provide the attacker with prometheus ServiceAccount default bearer token, which in turn could provide the attacker with any privileges in the cluster that the prometheus ServiceAccount has. The ServiceAccount has only read-only access, but to quite a lot of things.

We need to figure out a way to generate a valid certificate for kube-rbac-proxy to secure scraping node_exporter via kube-rbac-proxy on platform nodes.

[nkinkade]

These could be helpful:

https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#create-a-certificate-signing-request https://db-blog.web.cern.ch/blog/lukas-gedvilas/2018-02-creating-tls-certificates-using-kubernetes-api

A question I have is what CN and SANs need to be specified for these pods?