Kubelet serving cert approver
Kubelet Serving TLS Certificate Signing Request Approver
Kubelet Serving Certificate Approver is a custom approving controller which approves `kubernetes.io/kubelet-serving` Certificate Signing Requests that kubelets use to serve TLS endpoints. The project is written primarily in Go, distributed under the Apache License 2.0, first published in 2021. Key topics include: certificate, go, golang, kind, kubelet.
Kubelet Serving Certificate Approver
Why should I use Kubelet Serving Certificate Approver?
- You want to reach the kubelet endpoint securely, that is, over TLS backed by a trusted Certificate Authority (CA)
- Signed serving certificates are honored as valid kubelet serving certificates by the API server
- You don't want to use the `--kubelet-insecure-tls` flag during installation of metrics-server
Do I need to have a commercial certificate?
No. Every Kubernetes cluster has a Cluster Root Certificate Authority (CA).
How do I use Kubelet Serving Certificate Approver?
To install into your Kubernetes cluster, please navigate to the deploy directory.
Note: your Kubernetes cluster must be configured with TLS bootstrapping enabled, and the kubelet must be started with the `rotate-server-certificates: true` argument.
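With TLS bootstrapping and server certificate rotation on, the kubelet submits a CSR for the `kubernetes.io/kubelet-serving` signer, and an approver's job is to check that request against the signer's rules before approving it. The Go program below is an added example written for this page, not the project's own controller code. The `CSR` struct, `NewNodeCSR`, `ValidateKubeletServingCSR` and `setKey` are all constructed here: the struct models the CSR spec fields an approver reads (username, groups, usages and the PEM request), `NewNodeCSR` generates a sample PKCS#10 request for a made-up node, and `ValidateKubeletServingCSR` applies the kubelet-serving rules from the Kubernetes signer documentation linked in the references (organization exactly `system:nodes`, common name prefixed `system:node:`, at least one DNS or IP SAN and no email or URI SANs, usages exactly one of the two permitted sets) plus the identity binding an approver adds on top: the authenticated requester must be the node named in the CN and a member of `system:nodes`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"sort"
	"strings"
)

// CSR is a constructed stand-in for the fields of a certificates.k8s.io/v1
// CertificateSigningRequest that a kubelet-serving approver inspects.
type CSR struct {
	Username string   // spec.username: the authenticated requester
	Groups   []string // spec.groups
	Usages   []string // spec.usages
	Request  []byte   // spec.request: PEM-encoded PKCS#10 request
}

const nodeGroup, nodePrefix = "system:nodes", "system:node:"

// allowedUsages are the two usage sets the signer permits, keyed by setKey.
var allowedUsages = map[string]bool{
	"digital signature,server auth":                  true,
	"digital signature,key encipherment,server auth": true,
}

// setKey normalises a list into a sorted, comma-joined key so order is irrelevant.
func setKey(items []string) string {
	s := append([]string(nil), items...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// ValidateKubeletServingCSR returns nil only if the request satisfies the
// kubelet-serving signer rules and was submitted by the node it names.
func ValidateKubeletServingCSR(c CSR) error {
	block, _ := pem.Decode(c.Request)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("spec.request is not a PEM CERTIFICATE REQUEST")
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse request: %w", err)
	}
	if err := req.CheckSignature(); err != nil { // proof of possession of the key
		return fmt.Errorf("request signature: %w", err)
	}
	// Subject: O must be exactly [system:nodes] and CN must be system:node:<name>.
	cn := req.Subject.CommonName
	if len(req.Subject.Organization) != 1 || req.Subject.Organization[0] != nodeGroup || !strings.HasPrefix(cn, nodePrefix) {
		return fmt.Errorf("subject O=%v CN=%q is not a node subject", req.Subject.Organization, cn)
	}
	// Identity binding: the authenticated requester must be that node and in system:nodes,
	// otherwise any principal could obtain a serving certificate for a name it does not own.
	// Group names contain no commas, so the comma-delimited set key can be searched directly.
	if c.Username != cn || !strings.Contains(","+setKey(c.Groups)+",", ","+nodeGroup+",") {
		return fmt.Errorf("requester %q (groups %v) is not node %q", c.Username, c.Groups, cn)
	}
	// SANs: at least one DNS name or IP address; email and URI SANs are forbidden.
	if len(req.DNSNames)+len(req.IPAddresses) == 0 || len(req.EmailAddresses)+len(req.URIs) > 0 {
		return fmt.Errorf("SANs must hold a DNS name or IP and no email/URI entries")
	}
	// Usages: exactly one of the permitted sets, so no client auth and no cert signing.
	if !allowedUsages[setKey(c.Usages)] {
		return fmt.Errorf("usages %v are not permitted for kubelet serving", c.Usages)
	}
	return nil
}

// NewNodeCSR builds a constructed sample request for the given node name and SANs.
func NewNodeCSR(node string, dns []string, ips []net.IP, emails []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: nodePrefix + node, Organization: []string{nodeGroup}},
		DNSNames: dns, IPAddresses: ips, EmailAddresses: emails,
	}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	pemCSR, _ := NewNodeCSR("worker-1", []string{"worker-1"}, []net.IP{net.ParseIP("10.0.0.5")}, nil)
	c := CSR{Username: "system:node:worker-1", Groups: []string{"system:nodes"},
		Usages: []string{"digital signature", "server auth"}, Request: pemCSR}
	fmt.Println("well-formed request:", ValidateKubeletServingCSR(c))
	c.Username = "system:node:worker-2" // requester and CN disagree: the approver must refuse
	fmt.Println("mismatched requester:", ValidateKubeletServingCSR(c))
}
```

Running `main` prints a nil error for the well-formed request and a rejection for the copy whose authenticated username does not match the CN. In a real controller the struct fields come from the CertificateSigningRequest object's spec, only requests that pass every check get an Approved condition, and anything rejected is the kind of event the invalid-CSR metric further down this page counts.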
Kubernetes Compatibility Matrix
For older Kubernetes versions (v1.19, v1.20, v1.21) please see older releases.
The consumed API has been stable since v1.22. However, E2E tests have been removed from the CI pipeline following the removal of the node-role.kubernetes.io/master toleration from the deployment. For more information, refer to KEP-2067.
| Version | Compatible |
|---|---|
| v1.24 | ✓ |
| v1.25 | ✓ |
| v1.26 | ✓ |
| v1.27 | ✓ |
| v1.28 | ✓ |
| v1.29 | ✓ |
| v1.30 | ✓ |
| v1.31 | ✓ |
| v1.32 | ✓ |
| v1.33 | ✓ |
| v1.34 | ✓ |
| v1.35 | ✓ |
Prometheus Metrics
Prometheus metrics are exposed on the /metrics endpoint.
Custom Metrics
| Metric | Description |
|---|---|
| kubelet_serving_cert_approver_approved_certificate_signing_request_count | The number of approved Certificate Signing Requests |
| kubelet_serving_cert_approver_invalid_certificate_signing_request_count | The number of invalid Certificate Signing Requests |
Reference
- Original idea: https://github.com/kontena/kubelet-rubber-stamp which is unfortunately not maintained.
- Kubernetes TLS bootstrapping: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/
- Conformant Rules: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
License
Apache License, Version 2.0, see LICENSE.