Ensure security hardening of the KaaS monitoring solution - inner cluster communication #495
Comments
See the following GitHub comment on how to secure connections between Kubernetes control plane components (kube-controller-manager, kube-scheduler, kube-proxy, etcd) and Prometheus Server: prometheus-community/helm-charts#204 (comment)
**kube-controller-manager, kube-scheduler**

After a deeper investigation, it seems that the Prometheus server running in the worker node cannot fully securely access the kube-controller-manager and kube-scheduler metrics endpoints (without some workaround), read an explanation here.
Two approaches are discussed to work around the above issues:

**etcd**

Etcd DB can expose metrics via HTTPS. The metrics endpoint should be configured as follows

**kube-apiserver**

kube-prometheus-stack creates a token and mounts the k8s/PKI dir to the prometheus container. Prometheus uses them, so the connection from prometheus to the Kubernetes API metrics endpoint is already secure.

```yaml
- job_name: serviceMonitor/default/kube-prometheus-apiserver/0
  metrics_path: /metrics
  scheme: https
  authorization:
    type: Bearer
    credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
  tls_config:
    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    server_name: kubernetes
    insecure_skip_verify: false
```

**kube-proxy**

It seems that kube-proxy does not support TLS, hence secure communication with its metrics endpoint is not possible (directly), see kubernetes/kubernetes#106870. As a possible workaround the ztunnel is recommended.

**kubelet**

The above could be resolved as follows:

```yaml
- job_name: serviceMonitor/default/kube-prometheus-kubelet/0
  metrics_path: /metrics
  scheme: https
  authorization:
    type: Bearer
    credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
  tls_config:
    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    insecure_skip_verify: true
```

The above scenario has been successfully tested using kind:
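One way to turn the per-component findings above into a repeatable check is to audit the generated Prometheus scrape configuration for jobs that scrape over plaintext or skip server certificate verification. The script below is an added example, not code from the issue thread or from the k8s-observability project. It runs the check over a constructed `scrape_configs` list that mirrors the two jobs quoted in the comment above plus two hypothetical jobs (a kube-proxy job left on the default `http` scheme, and an etcd job that presents client certificates but configures no CA); the kube-proxy and etcd job names, the client certificate paths, and the severity labels are assumptions made for the example. In practice the list would come from `yaml.safe_load` of the rendered `prometheus.yml`.

```python
"""Audit Prometheus scrape_configs for plaintext or unverified control-plane scrapes.

Added example; not code from the issue thread or the k8s-observability project.
The sample configuration below is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Paths used by kube-prometheus-stack for the mounted service-account token and CA.
SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SA_CA = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

# Constructed sample: the Python structure yaml.safe_load would return for scrape_configs.
SAMPLE_SCRAPE_CONFIGS = [
    {   # quoted in the thread: HTTPS, bearer token, CA pinned, verification on
        "job_name": "serviceMonitor/default/kube-prometheus-apiserver/0",
        "metrics_path": "/metrics",
        "scheme": "https",
        "authorization": {"type": "Bearer", "credentials_file": SA_TOKEN},
        "tls_config": {"ca_file": SA_CA, "server_name": "kubernetes",
                       "insecure_skip_verify": False},
    },
    {   # quoted in the thread: encrypted, but the kubelet certificate is not verified
        "job_name": "serviceMonitor/default/kube-prometheus-kubelet/0",
        "metrics_path": "/metrics",
        "scheme": "https",
        "authorization": {"type": "Bearer", "credentials_file": SA_TOKEN},
        "tls_config": {"ca_file": SA_CA, "insecure_skip_verify": True},
    },
    {   # hypothetical: no scheme given, so Prometheus falls back to http
        "job_name": "serviceMonitor/default/kube-prometheus-kube-proxy/0",
        "metrics_path": "/metrics",
        "authorization": {"type": "Bearer", "credentials_file": SA_TOKEN},
    },
    {   # hypothetical: client certs for etcd, but no CA to verify the server with
        "job_name": "serviceMonitor/default/kube-prometheus-etcd/0",
        "metrics_path": "/metrics",
        "scheme": "https",
        "tls_config": {"cert_file": "/etc/prometheus/secrets/etcd/client.crt",
                       "key_file": "/etc/prometheus/secrets/etcd/client.key"},
    },
]


@dataclass
class Finding:
    job: str
    severity: str   # "high" or "medium" (labels chosen for this example)
    message: str


def audit_job(job: dict) -> list[Finding]:
    """Return the transport-security findings for one scrape job."""
    name = job.get("job_name", "<unnamed>")
    scheme = job.get("scheme", "http")          # Prometheus default when unset
    tls = job.get("tls_config") or {}
    auth = job.get("authorization") or {}
    sends_credentials = (
        str(auth.get("type", "")).lower() == "bearer"
        or "bearer_token" in job
        or "bearer_token_file" in job
        or "basic_auth" in job
    )
    findings: list[Finding] = []
    if scheme != "https":
        findings.append(Finding(name, "high", "plaintext scrape: scheme is http (or unset)"))
        if sends_credentials:
            # A bearer token over http is readable by anyone on the path to the target.
            findings.append(Finding(name, "high", "credentials would be sent over plaintext"))
        return findings
    if tls.get("insecure_skip_verify", False):
        # Encrypted but unauthenticated: any endpoint can impersonate the target.
        findings.append(Finding(name, "high",
                                "server certificate not verified (insecure_skip_verify: true)"))
    elif not (tls.get("ca_file") or tls.get("ca")):
        # Without an explicit CA, Prometheus verifies against the system trust store,
        # which normally does not contain the cluster CA.
        findings.append(Finding(name, "medium",
                                "no ca_file: verification relies on the system trust store"))
    return findings


def audit(scrape_configs: list[dict]) -> dict[str, list[Finding]]:
    """Audit every job; the result maps job_name to its findings (empty list = clean)."""
    return {j.get("job_name", "<unnamed>"): audit_job(j) for j in scrape_configs}


def insecure_jobs(scrape_configs: list[dict]) -> list[str]:
    """Job names with at least one high-severity finding, in config order."""
    return [name for name, found in audit(scrape_configs).items()
            if any(f.severity == "high" for f in found)]


if __name__ == "__main__":
    for job_name, found in audit(SAMPLE_SCRAPE_CONFIGS).items():
        status = "OK" if not found else "; ".join(f"{f.severity}: {f.message}" for f in found)
        print(f"{job_name}: {status}")
```

The kubelet job is flagged because `insecure_skip_verify: true` keeps the channel encrypted but lets any endpoint that answers on port 10250 impersonate the kubelet and receive the scraper's bearer token. A default kubelet serves a self-signed certificate, which is why the thread resorts to skipping verification; setting `serverTLSBootstrap: true` in the KubeletConfiguration (and approving the resulting `kubelet-serving` CSRs) makes the kubelet's serving certificate signed by the cluster CA, after which the same `ca_file` works with `insecure_skip_verify: false`.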
Good research for TLS-by-default, thanks! 👍
As a CSP, I require a secure monitoring solution for the KaaS clusters I offer.
Explore the k8s-observability repository and identify the TODOs that highlight instances where an insecure (HTTP) connection is used for the KaaS monitoring solution to collect metrics from Kubernetes control plane components (kube-controller-manager, etcd, kube-proxy, scheduler, etc.)
Definition of Ready:
Definition of Done: