Kubelet Serving Certificate Approver is a custom approving controller that approves `kubernetes.io/kubelet-serving` Certificate Signing Requests, the CSRs a kubelet submits to obtain the certificate it uses to serve its TLS endpoint.
- You want to reach kubelet endpoints securely, that is, with a serving certificate that chains to a trusted Certificate Authority (CA)
- Signed serving certificates are honored as valid kubelet serving certificates by the API server
- You do not want to pass the `--kubelet-insecure-tls` flag when installing metrics-server
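The approval decision such a controller makes comes down to checking each kubelet CSR against the `kubernetes.io/kubelet-serving` signer rules linked under References: the right signer name, a requester that is itself a node, server-auth usages only, a subject of CN=system:node:&lt;name&gt; with O=system:nodes, and DNS/IP subject alternative names only. The Go program below is an added example written for this page, not the project's own code. It implements those rules over the standard library and adds one check that goes beyond them, an optional allow-list of the node's own addresses (`NodeAddresses`, assumed to be filled by the caller from the Node object), so that a node cannot obtain a serving certificate for another node's name or IP. `CSRFields`, `CheckKubeletServingCSR` and `NewTestCSR` are names chosen here; the sample CSR is constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"sort"
	"strings"
)

// CSRFields is the subset of a CertificateSigningRequest spec the rules use, as plain Go types (no k8s.io/api needed).
type CSRFields struct {
	SignerName, Username string   // spec.signerName, spec.username
	Groups, Usages       []string // spec.groups, spec.usages
	RequestPEM           []byte   // spec.request
	NodeAddresses        []string // optional allow-list, assumed to be filled from the Node's status.addresses
}

// CheckKubeletServingCSR returns nil when the request satisfies the kubernetes.io/kubelet-serving
// signer rules (and the optional SAN allow-list), otherwise an error naming the violated rule.
func CheckKubeletServingCSR(f CSRFields) error {
	if f.SignerName != "kubernetes.io/kubelet-serving" {
		return fmt.Errorf("signerName %q is not kubernetes.io/kubelet-serving", f.SignerName)
	}
	// Only the node itself (system:node:<name>, member of system:nodes) may request its serving cert.
	if !strings.HasPrefix(f.Username, "system:node:") || !contains(f.Groups, "system:nodes") {
		return fmt.Errorf("requester %q is not a node identity in system:nodes", f.Username)
	}
	// Exactly the server-auth usage set; "key encipherment" is optional (RSA keys need it, ECDSA keys do not).
	usages := append([]string{}, f.Usages...)
	sort.Strings(usages)
	if u := strings.Join(usages, ","); u != "digital signature,server auth" && u != "digital signature,key encipherment,server auth" {
		return fmt.Errorf("usages %v are not a permitted kubelet-serving set", f.Usages)
	}
	block, _ := pem.Decode(f.RequestPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("spec.request is not a PEM CERTIFICATE REQUEST")
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = req.CheckSignature() // proof of possession of the private key
	}
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	if org := req.Subject.Organization; req.Subject.CommonName != f.Username || len(org) != 1 || org[0] != "system:nodes" {
		return fmt.Errorf("subject %q must be CN=%s, O=system:nodes", req.Subject.String(), f.Username)
	}
	if len(req.EmailAddresses)+len(req.URIs) > 0 || len(req.DNSNames)+len(req.IPAddresses) == 0 {
		return fmt.Errorf("serving CSR needs at least one DNS or IP SAN and no email/URI SANs")
	}
	// Hardening beyond the signer rules: a node may only claim names and addresses that are its own.
	sans := append([]string{}, req.DNSNames...)
	for _, ip := range req.IPAddresses {
		sans = append(sans, ip.String())
	}
	for _, san := range sans {
		if len(f.NodeAddresses) > 0 && !contains(f.NodeAddresses, san) {
			return fmt.Errorf("SAN %q is not an address of the requesting node", san)
		}
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// NewTestCSR builds a PEM CSR shaped like a kubelet's request: constructed sample input, not a real one.
func NewTestCSR(node string, dns []string, ips []net.IP, emails []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.CertificateRequest{DNSNames: dns, IPAddresses: ips, EmailAddresses: emails,
		Subject: pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	csr := NewTestCSR("worker-1", []string{"worker-1"}, []net.IP{net.ParseIP("10.0.0.11")}, nil)
	fmt.Println(CheckKubeletServingCSR(CSRFields{SignerName: "kubernetes.io/kubelet-serving", Username: "system:node:worker-1",
		Groups: []string{"system:nodes"}, Usages: []string{"digital signature", "server auth"}, RequestPEM: csr}))
}
```

The CN and requester comparison is what ties the PEM body to the authenticated identity that submitted the CSR; without it a node could present a syntactically valid request for another node's name. The allow-list check is the layer the signer rules themselves do not give you, since they only constrain the form of the SANs, not whether they belong to the requesting node.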
No. Every Kubernetes cluster has a Cluster Root Certificate Authority (CA).
To install it into your Kubernetes cluster, see the deploy directory.
Note: your Kubernetes cluster must have TLS bootstrapping enabled, and each kubelet must run with the `rotate-server-certificates: true` argument (`--rotate-server-certificates=true` on the command line, or `serverTLSBootstrap: true` in a KubeletConfiguration file). With this setting the kubelet requests its serving certificate through a `kubernetes.io/kubelet-serving` CSR instead of generating a self-signed one, and the request stays Pending until something approves it, which is the job of this controller.
For older Kubernetes versions (v1.19, v1.20, v1.21) please see the older releases.
The consumed API has been stable since v1.22. E2E tests were removed from the CI pipeline after the node-role.kubernetes.io/master toleration was dropped from the deployment; for more information, refer to KEP-2067.
| Version | Compatible |
|---|---|
| v1.24 | ✓ |
| v1.25 | ✓ |
| v1.26 | ✓ |
| v1.27 | ✓ |
| v1.28 | ✓ |
| v1.29 | ✓ |
| v1.30 | ✓ |
| v1.31 | ✓ |
| v1.32 | ✓ |
| v1.33 | ✓ |
| v1.34 | ✓ |
| v1.35 | ✓ |
Prometheus metrics are exposed on the `/metrics` endpoint.

| Metric | Description |
|---|---|
| kubelet_serving_cert_approver_approved_certificate_signing_request_count | The number of approved Certificate Signing Requests |
| kubelet_serving_cert_approver_invalid_certificate_signing_request_count | The number of invalid Certificate Signing Requests |
- Original idea: https://github.com/kontena/kubelet-rubber-stamp, which is unfortunately no longer maintained.
- Kubernetes TLS bootstrapping: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/
- Conformant Rules: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
Apache License, Version 2.0, see LICENSE.