Kubelet Serving Certificate Approver is a custom approving controller that approves the `kubernetes.io/kubelet-serving`
Certificate Signing Requests that the kubelet uses to serve TLS endpoints.
- You want to securely (in terms of a trusted Certificate Authority (CA)) reach the kubelet endpoint
- Signed serving certificates are honored as a valid kubelet serving certificate by the API server
- You don't want to use the `--kubelet-insecure-tls` flag during installation of metrics-server
No. Every Kubernetes cluster has a Cluster Root Certificate Authority (CA).
To install into your Kubernetes cluster, please navigate to the deploy directory.
Note: your Kubernetes cluster must be configured with TLS Bootstrapping enabled and with the `rotate-server-certificates: true` kubelet argument provided.
For older Kubernetes versions (v1.19, v1.20, v1.21) please see older releases.
Version | Compatible |
---|---|
v1.22 | ✓ |
v1.23 | ✓ |
v1.24 | ✓ |
v1.25 | ✓ |
v1.26 | ✓ |
v1.27 | ✓ |
v1.28 | ✓ |
v1.29 | ✓ |
v1.30 | ✓ |
v1.31 | ✓ |
v1.32 | ✓ |
You can download Prometheus metrics from the `/metrics` endpoint.
Metric | Description |
---|---|
kubelet_serving_cert_approver_approved_certificate_signing_request_count | The number of approved Certificate Signing Request |
kubelet_serving_cert_approver_invalid_certificate_signing_request_count | The number of invalid Certificate Signing Request |
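
What makes a request valid or invalid under the Kubernetes signer rules for `kubernetes.io/kubelet-serving`, as an added Go example (not this project's code). The function and helper names, the node names, and the username-match check are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// checkKubeletServing applies the kubernetes.io/kubelet-serving signer rules to a parsed request.
func checkKubeletServing(req *x509.CertificateRequest, username string, usages []string) error {
	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
		return errors.New("common name must start with system:node:")
	}
	// Assumed approver policy, not a signer rule: a node may only request its own certificate.
	if req.Subject.CommonName != username {
		return errors.New("common name must equal the requesting username")
	}
	if o := req.Subject.Organization; len(o) != 1 || o[0] != "system:nodes" {
		return errors.New("organization must be exactly [system:nodes]")
	}
	if len(req.DNSNames)+len(req.IPAddresses) == 0 {
		return errors.New("at least one DNS or IP subjectAltName is required")
	}
	if len(req.EmailAddresses)+len(req.URIs) > 0 {
		return errors.New("email and URI subjectAltNames are forbidden")
	}
	u := append([]string(nil), usages...) // copy so the caller's slice is not reordered
	sort.Strings(u)
	switch strings.Join(u, ",") {
	case "digital signature,server auth", "digital signature,key encipherment,server auth":
		return nil
	}
	return fmt.Errorf("usages %v are not permitted for kubelet-serving", usages)
}

// sample builds a constructed request (hypothetical node names) for the demo below.
func sample(cn, org string, dns, emails []string) *x509.CertificateRequest {
	return &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{org}}, DNSNames: dns, EmailAddresses: emails}
}

func main() {
	serving := []string{"digital signature", "key encipherment", "server auth"}
	ok := sample("system:node:worker-1", "system:nodes", []string{"worker-1"}, nil)
	fmt.Println(checkKubeletServing(ok, "system:node:worker-1", serving))
	fmt.Println(checkKubeletServing(ok, "system:node:worker-2", serving))
}
```

In a real controller the request would come from decoding the PEM in the CSR object's `spec.request` with `x509.ParseCertificateRequest`, and the usages and username from the same object's spec.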
- Original idea: https://github.com/kontena/kubelet-rubber-stamp which is unfortunately not maintained.
- Kubernetes TLS bootstrapping: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/
- Conformant Rules: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
Apache License, Version 2.0, see LICENSE.