Skip the verification of the kubelet's certificate
This is currently needed only for Gardener managed seeds, because the Kubelet's certificate is not issued by the default CA. Maybe the Gardenlet in the soil could copy the Kubelet CA to the kube-system namespace of its child shoot, and the Gardenlet in the seed, if it finds a ca-kubelet secret in the kube-system namespace (i.e. a managed seed), could copy it to the garden namespace. A conditional Prometheus volume could be used to mount this ca-kubelet to Prometheus if it exists (managed seed) or mount kube-root-ca.crt otherwise. This condition handling has to happen in Gardener because Prometheus expects a single CA in its configuration.

> KEP-3257: Cluster Trust Bundles
> https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles

could also be a good approach to make the Kubelet CAs available for the workload. The cluster-internal communication is still encrypted (protection against a passively eavesdropping entity), but the certificate is not verified, which could allow a man-in-the-middle attack by an active entity. For the cluster-internal scraping of the kubelet metrics, this might be acceptable. Both the ideas above might not be feasible short term, so with this PR, the certificate verification is skipped.
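To make the trade-off concrete, here is an added example (not part of this commit or of Gardener's own configuration) of two Prometheus scrape jobs for kubelet metrics: the first reflects what this PR does, the second the CA-mount approach sketched in the message. The job names, the token path and the `/etc/prometheus/ca-kubelet/ca.crt` mount path are assumptions.

```yaml
# Added example, not Gardener's config. Job names and file paths are assumed.
scrape_configs:
  # What this PR does: the connection is still TLS-encrypted, but the kubelet's
  # serving certificate is not checked against any CA, so an active
  # man-in-the-middle that presents its own certificate is not detected.
  - job_name: kubelet-skip-verify          # assumed name
    scheme: https
    kubernetes_sd_configs:
      - role: node
    authorization:
      credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
    tls_config:
      insecure_skip_verify: true

  # The alternative the message describes: verify the kubelet certificate
  # against a CA file that Gardener mounts conditionally, i.e. the ca-kubelet
  # secret on a managed seed or kube-root-ca.crt otherwise. Prometheus takes
  # exactly one ca_file per job, which is why the choice must be made outside
  # of Prometheus.
  - job_name: kubelet-verified             # assumed name
    scheme: https
    kubernetes_sd_configs:
      - role: node
    authorization:
      credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
    tls_config:
      ca_file: /etc/prometheus/ca-kubelet/ca.crt   # assumed mount path
      insecure_skip_verify: false
```

With the verified variant, a scrape fails loudly (target shows "x509: certificate signed by unknown authority") instead of silently accepting an unknown certificate, which is the signal a defender wants when the CA wiring is wrong.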