TLS error when upstream is HTTPS #312
Comments
forgot to mention.
The
It will not match as by default, the controller-manager uses the /etc/kubernetes/pki/ca.crt to create/sign certs. What I was trying to use was my LetsEncrypt cert.
As I dig deeper into this, it seems like the real issue has to do with certs within the controller-manager and kube-scheduler deployed by default via kubeadm. So I think my plan to use this as the "middle-man" proxy to scrape metrics from a default kube-prometheus-stack deployment will not really work.
It is quite common to give the metrics endpoint different certificates. It is a kind of "authentication" by cert :) I will close it. In case you feel differently, feel free to reopen the issue with more information.
Situation/Reason:
The control-plane nodes are bound by CIS v1.9 security requirements. CIS 1.3.7 - controller-manager --bind-address=127.0.0.1. This means components such as the controller-manager, etcd, kube-proxy and kube-scheduler are only accessible from the host.
So I want to use kube-rbac-proxy as a proxy to scrape metrics for kube-prometheus-stack v62.7.0 for any of the components Prometheus cannot directly access (got this working for etcd so far).
Problem:
Receive error from kube-rbac-proxy when the upstream is HTTPS.
```
1 log.go:245] http: proxy error: tls: failed to verify certificate: x509: certificate signed by unknown authority
```
Environment:
Additional Notes:
I have attempted various kube-rbac-proxy flag options for the certificate error.
Token Validation:
I am able to use the token attached to the alpine-curl (test client) directly on the control-plane with curl and get the expected results. So the token has the correct permissions.
```sh
curl -k -s -vv -H "Authorization: Bearer $CMTOKEN" https://127.0.0.1:10257/metrics
```
output:
kube-rbac-proxy-svcacct.yaml
kube-rbac-proxy-daemonset-controller-manager.yaml
alpine-curl.yaml
LOGS:
kube-rbac-proxy-controller-manager
alpine-curl (test client):
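The error in this issue is the Go standard library's `x509.UnknownAuthorityError`, which a proxy hits when it dials an HTTPS upstream whose certificate chains to a CA it does not trust. The following is an added example, not kube-rbac-proxy's own code or anything posted in the thread. It builds an in-memory cluster CA (a constructed stand-in for kubeadm's /etc/kubernetes/pki/ca.crt), serves a "controller-manager" on loopback with a certificate signed by that CA, and then scrapes it three ways: with the default (system) roots, which reproduces the unknown-authority error; with the cluster CA trusted but a certificate that carries only a public DNS SAN, which is the hostname-mismatch case a Let's Encrypt certificate would produce when dialled as 127.0.0.1; and with the cluster CA trusted and an IP SAN for loopback, which succeeds. The names `clusterCA`, `upstream`, `scrape` and `Demo` are this example's own; the metrics body is constructed.

```go
// Added example (not kube-rbac-proxy code). Reproduces "x509: certificate
// signed by unknown authority" against an upstream signed by a private
// cluster CA, and shows the two checks a TLS client performs on the upstream:
// does the chain reach a trusted root, and is the cert valid for the dialled host.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert generates a P-256 key and a certificate for tmpl. With parent == nil
// the certificate is self-signed (a CA); otherwise it is signed by parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// clusterCA is a constructed stand-in for the kubeadm cluster CA (ca.crt).
func clusterCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// upstream stands in for the controller-manager bound to 127.0.0.1:10257: an
// HTTPS server whose certificate is signed by ca and carries the given SANs.
func upstream(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ips []net.IP, dns []string) *httptest.Server {
	leaf, leafKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-controller-manager"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips,
		DNSNames:     dns,
	}, ca, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "# constructed metrics body") // what a /metrics scrape would return
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{
		Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey, Leaf: leaf,
	}}}
	srv.StartTLS()
	return srv
}

// scrape dials url the way a proxy dials its upstream, trusting only roots.
// roots == nil means the system trust store, which is what a client uses when
// no upstream CA has been configured; a kubeadm cluster CA is never in there.
func scrape(url string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url + "/metrics")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// IsUnknownAuthority reports whether err is the chain-building failure from the issue.
func IsUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// IsHostnameMismatch reports whether the chain verified but the certificate is
// not valid for the dialled host (no SAN for 127.0.0.1, as with a public cert).
func IsHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

// Demo returns three outcomes: [0] system roots against the cluster-CA-signed
// upstream, [1] cluster CA trusted but the cert carries only a DNS SAN,
// [2] cluster CA trusted and the cert has IP SANs for loopback.
func Demo() [3]error {
	ca, caKey := clusterCA()
	loopback := []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}

	good := upstream(ca, caKey, loopback, nil)
	defer good.Close()
	dnsOnly := upstream(ca, caKey, nil, []string{"metrics.example.com"})
	defer dnsOnly.Close()

	trustClusterCA := x509.NewCertPool() // equivalent of loading /etc/kubernetes/pki/ca.crt
	trustClusterCA.AddCert(ca)

	return [3]error{
		scrape(good.URL, nil),
		scrape(dnsOnly.URL, trustClusterCA),
		scrape(good.URL, trustClusterCA),
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("case %d: %v\n", i, err)
	}
}
```

Case 0 is the situation in the issue: the upstream presents a certificate chaining to the kubeadm CA, and a client that only knows the system roots cannot build a chain, so it fails before any bearer token is ever sent (which is why a valid token, as verified with `curl -k` above, makes no difference). Case 1 shows why swapping in a publicly issued certificate does not help either: the chain may be trusted, but a certificate issued for a DNS name has no SAN matching 127.0.0.1. Case 2 is the configuration that works: the proxy trusts the CA that actually signed the upstream's certificate, and that certificate is valid for the loopback address it is dialled on.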