Skip to content

Kubelet Serving TLS Certificate Signing Request Approver

License

Notifications You must be signed in to change notification settings

alex1989hu/kubelet-serving-cert-approver

Repository files navigation

Kubelet Serving Certificate Approver

CI e2e-test codecov

Kubelet Serving Certificate Approver is a custom approving controller which approves kubernetes.io/kubelet-serving Certificate Signing Request that kubelet use to serve TLS endpoints.

Why should I use Kubelet Serving Certificate Approver?

  • You want to securely - in terms of trusted Certificate Authoritity (CA) - reach kubelet endpoint

  • Signed serving certificates are honored as a valid kubelet serving certificate by the API server

  • Don't want to use --kubelet-insecure-tls flag during installation of metrics-server

Do I need to have a commercial certificate?

No. Every Kubernetes cluster has a Cluster Root Certificate Authority (CA).

How do I use Kubelet Serving Certificate Approver?

To install into your Kubernetes cluster, please navigate to deploy directory.

Note: your Kubernetes cluster must be configured with enabled TLS Bootstrapping and provided rotate-server-certificates: true kubelet argument.

Kubernetes Compatibility Matrix

For older Kubernetes versions (v1.19, v1.20, v1.21) please see older releases.

Version Compatible
v1.22
v1.23
v1.24
v1.25
v1.26
v1.27
v1.28
v1.29
v1.30
v1.31

Prometheus Metrics

You can download Prometheus metrics /metrics endpoint.

Custom Metrics

Metric Description
kubelet_serving_cert_approver_approved_certificate_signing_request_count The number of approved Certificate Signing Request
kubelet_serving_cert_approver_invalid_certificate_signing_request_count The number of invalid Certificate Signing Request

Reference

License

Apache License, Version 2.0, see LICENSE.