Configure Heapster to source metrics from Kubelet authenticated API #323

Merged
merged 1 commit into from
Oct 19, 2018

Conversation

@dghubble (Member) commented Oct 19, 2018

rel: #322

* Heapster can now get nodes (i.e. kubelets) from the apiserver and
source metrics from the Kubelet authenticated API (10250) instead of
the Kubelet HTTP read-only API (10255)
* https://github.com/kubernetes/heapster/blob/master/docs/source-configuration.md
* Use the heapster service account token via Kubelet bearer token
authn/authz.
* Permit Heapster to skip CA verification. The CA cert does not contain
IP SANs and cannot since nodes get random IPs that aren't known upfront.
Heapster obtains the node list from the apiserver, so the risk of
spoofing a node is limited. For the same reason, Prometheus scrapes
must skip CA verification for scraping Kubelets provided by the apiserver.
* https://github.com/poseidon/typhoon/blob/v1.12.1/addons/prometheus/config.yaml#L68
* Create a heapster ClusterRole to work around the default Kubernetes
`system:heapster` ClusterRole lacking the proper GET `nodes/stats`
access. See kubernetes-retired/heapster#1936
@dghubble dghubble force-pushed the heapster-kubelet-auth branch from acf2d03 to bc750ae Compare October 19, 2018 04:03
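The configuration the PR description outlines, as an added example rather than Typhoon's own manifests: a `heapster` ClusterRole that adds the GET `nodes/stats` access the default `system:heapster` role lacks, a binding to the `heapster` service account, and a Heapster container argument pointing the summary source at the Kubelet authenticated port 10250 with service-account bearer-token authn and CA verification skipped. The resources beyond `nodes/stats`, the image placeholder and the source option names (`kubeletHttps`, `kubeletPort`, `insecure`, `useServiceAccount`, taken from the heapster source-configuration doc linked above) are assumptions to verify against the Heapster version in use.

```yaml
# Added example; not the project's manifests. Minimal ClusterRole for Heapster
# to list nodes via the apiserver and GET nodes/stats from each Kubelet.
# Resources other than nodes/stats are an assumed minimum, not taken from the PR.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: heapster
rules:
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes/stats"]   # the access system:heapster lacks (heapster#1936)
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: heapster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: heapster
subjects:
  - kind: ServiceAccount
    name: heapster
    namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: heapster
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      name: heapster
  template:
    metadata:
      labels:
        name: heapster
    spec:
      serviceAccountName: heapster   # token is sent to Kubelet as a bearer token
      containers:
        - name: heapster
          image: HEAPSTER_IMAGE_PLACEHOLDER   # assumed: fill in the image in use
          command:
            - /heapster
            # kubeletHttps + kubeletPort=10250: authenticated API, not read-only 10255.
            # insecure=true: skip CA verification (node certs carry no IP SANs; the
            # node list comes from the apiserver, which limits spoofing risk).
            # useServiceAccount=true: authenticate with the heapster SA token.
            - --source=kubernetes.summary_api:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250&insecure=true&useServiceAccount=true
```

For the bearer token to be accepted, each Kubelet must perform webhook token authentication and webhook authorization against the apiserver (the Kubelet's `--authentication-token-webhook` and `--authorization-mode=Webhook` settings); a 401/403 from `nodes/stats` in the Heapster logs usually points at one of those two pieces or at the missing ClusterRole rule.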
@dghubble (Member Author) commented Oct 19, 2018

This change should be the final piece to disable the Kubelet read-only port!

@dghubble dghubble merged commit bc750ae into master Oct 19, 2018
@dghubble dghubble deleted the heapster-kubelet-auth branch October 19, 2018 04:11