Kubelet Serving Certificate Approver is a custom approving controller which approves kubernetes.io/kubelet-serving Certificate Signing Request that kubelet use to serve TLS endpoints.
-
You want to securely - in terms of trusted Certificate Authoritity (CA) - reach kubelet endpoint
-
Signed serving certificates are honored as a valid kubelet serving certificate by the API server
-
Don't want to use
--kubelet-insecure-tlsflag during installation of metrics-server
No. Every Kubernetes cluster has a Cluster Root Certificate Authority (CA).
To install into your Kubernetes cluster, please navigate to deploy directory.
Note: your Kubernetes cluster must be configured with enabled TLS Bootstrapping and provided rotate-server-certificates: true kubelet argument.
For older Kubernetes versions (v1.19, v1.20, v1.21) please see older releases.
| Version | Compatible |
|---|---|
v1.22 |
✓ |
v1.23 |
✓ |
v1.24 |
✓ |
v1.25 |
✓ |
v1.26 |
✓ |
v1.27 |
✓ |
v1.28 |
✓ |
v1.29 |
✓ |
v1.30 |
✓ |
v1.31 |
✓ |
You can download Prometheus metrics /metrics endpoint.
| Metric | Description |
|---|---|
kubelet_serving_cert_approver_approved_certificate_signing_request_count |
The number of approved Certificate Signing Request |
kubelet_serving_cert_approver_invalid_certificate_signing_request_count |
The number of invalid Certificate Signing Request |
- Original idea: https://github.com/kontena/kubelet-rubber-stamp which is unfortunately not maintained.
- Kubernetes TLS bootstrapping: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/
- Conformant Rules: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
Apache License, Version 2.0, see LICENSE.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}