Reason for insecureSkipTLSVerify in APIService #544
Thanks for asking this question. If you're interested in the security of Metrics Server I would really appreciate your feedback about the current configuration, options and documentation available. It would be really great if we could improve things.

Ad 1 Disabling this flag would require users to generate certificates for Metrics Server and correctly pass them to both Metrics Server and Apiserver. In the vast majority of cases this is hard (complicates configuration, requires users to set up certificate rotation etc.) or impossible (users run on a Kubernetes as a Service platform without access to apiserver). For ease of use the default configuration just sets this flag to false. For super users that want 100% security I started to write a guide on how to set up MS https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely. I think we should add instruction to set

Ad 2: Having
Created #545

Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

Closing as original question was answered

Currently (v0.3.6) APIService v1beta1.metrics.k8s.io enables insecureSkipTLSVerify: true

If we disable it we are not able to retrieve any metrics.

Error from server (ServiceUnavailable): the server is currently unable to handle the request (get nodes.metrics.k8s.io)

insecureSkipTLSVerify?

The manifest in question:
/triage support
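
An added example, not code from this issue or from the metrics-server project: a small audit over the JSON that `kubectl get apiservices -o json` returns, flagging aggregated APIServices that skip backend certificate verification or carry no PEM `caBundle`. The sample document and every APIService in it other than `v1beta1.metrics.k8s.io` are constructed; the note about system trust roots reflects the documented behaviour of the `caBundle` field.

```python
import base64
import json

PEM = b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"

# Constructed sample, shaped like `kubectl get apiservices -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "v1beta1.metrics.k8s.io"},
     "spec": {"service": {"name": "metrics-server", "namespace": "kube-system"},
              "insecureSkipTLSVerify": True}},
    {"metadata": {"name": "v1beta1.custom.metrics.k8s.io"},
     "spec": {"service": {"name": "adapter", "namespace": "monitoring"},
              "caBundle": base64.b64encode(PEM).decode()}},
    {"metadata": {"name": "v1.apps"}, "spec": {}},  # served by kube-apiserver itself
    {"metadata": {"name": "v1beta1.example.io"},
     "spec": {"service": {"name": "x", "namespace": "default"},
              "caBundle": base64.b64encode(b"not a cert").decode()}},
]})


def audit_apiservices(doc):
    """Return {name: finding} for aggregated APIServices with weak backend TLS."""
    findings = {}
    for item in json.loads(doc).get("items", []):
        spec = item.get("spec", {})
        if not spec.get("service"):
            continue  # local APIService: nothing is proxied, so nothing to verify
        name = item["metadata"]["name"]
        if spec.get("insecureSkipTLSVerify"):
            findings[name] = ("insecureSkipTLSVerify is true: the apiserver does "
                              "not verify the backend's serving certificate")
            continue
        try:
            pem = base64.b64decode(spec.get("caBundle") or "", validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            pem = b""
        if b"-----BEGIN CERTIFICATE-----" not in pem:
            # With no bundle the apiserver uses its system trust roots, which a
            # self-signed or cluster-internal serving certificate will not match.
            findings[name] = ("caBundle missing or not PEM: verification relies "
                              "on the apiserver's system trust roots")
    return findings


if __name__ == "__main__":
    for name, finding in audit_apiservices(SAMPLE).items():
        print(f"{name}: {finding}")
```
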