We should do a better job informing users how to secure communication between apiserver and Metrics server. It should mention disabling insecureSkipTLSVerify
/kind documentation
/help
@serathius:
This request has been marked as needing help from a contributor.
Please ensure the request meets the requirements listed here.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.
In response to this:
We should do a better job informing users how to secure communication between apiserver and Metrics server. It should mention disabling
insecureSkipTLSVerify/kind documentation
/help
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I had a repo https://github.com/jenting/secure-metrics-server to deploy metrics-server in secure, hope it would help :smile:
Thanks @jenting, it looks really interesting. I will talk with someone more familiar with apimachinery to confirm this is aligned with current best practices. Would you be interested in contributing this to MS documentation?
To here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely, right?
Yes, before starting work let me get lgtm from someone from SIG-apimachinery & SIG-security. I think your instructions are very good, still it's could be possible to improve them with some feedback from area experts.
@logicalhan, are you know who should we ask about securing kube-apiserver -> extension apiserver communication and what is current recommended approach?
Would it be ok for us to recommend manual certificate creation like described here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely
ping @logicalhan
@liggitt probably has a better idea about this than me.
/triage accepted
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
ping @liggitt
Would it be ok for us to recommend manual certificate creation like described here https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely
redirect to @deads2k
ping @deads2k
Most helpful comment
I had a repo https://github.com/jenting/secure-metrics-server to deploy metrics-server in secure, hope it would help :smile: