We are using kube-rbac-proxy to proxy requests to node_exporter. It is using TLS, but with a self-signed certificate. Prometheus scrapes the proxy over TLS, but with insecure-skip-verify: true. This is probably okay for cluster-internal IP addresses, but since kube-rbac-proxy will be listening on the public interface of all platform nodes, this subjects Prometheus scraping to MITM attacks. A successful attack would provide the attacker with the prometheus ServiceAccount's default bearer token, which in turn could provide the attacker with any privileges in the cluster that the prometheus ServiceAccount has. The ServiceAccount has only read-only access, but to quite a lot of things.
We need to figure out a way to generate a valid certificate for kube-rbac-proxy to secure scraping node_exporter via kube-rbac-proxy on platform nodes.
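To make the exposure concrete, here is the weak scrape configuration described above beside a hardened form, as an added example that is not part of the issue or of the kube-rbac-proxy project. The CA path, the job name and the expected certificate name are assumptions; the `tls_config`, `authorization` and `kubernetes_sd_configs` keys are standard Prometheus scrape-config fields.

```yaml
# Added example: Prometheus scrape config for node_exporter behind kube-rbac-proxy.

# --- Weak: TLS is used, but the proxy's certificate is never verified. ---
# Any host that can answer on the node's public interface can present its own
# certificate, terminate the connection and read the bearer token Prometheus sends.
scrape_configs:
  - job_name: node-exporter-unverified           # assumed job name
    scheme: https
    authorization:
      credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
    tls_config:
      insecure_skip_verify: true                  # the setting the issue warns about
    kubernetes_sd_configs:
      - role: node

# --- Hardened: the proxy presents a certificate issued by a CA Prometheus trusts. ---
# The token is only sent once the server has proven it holds a key signed by that CA,
# so a host impersonating a node on the public interface is rejected at the handshake.
  - job_name: node-exporter-verified              # assumed job name
    scheme: https
    authorization:
      credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
    tls_config:
      insecure_skip_verify: false
      ca_file: /etc/prometheus/secrets/kube-rbac-proxy-ca/ca.crt   # assumed mount path
      # Targets are discovered by node IP; the certificate must therefore either carry
      # the node IP as a SAN or Prometheus must be told which DNS name to verify.
      server_name: kube-rbac-proxy.node-exporter.svc   # assumed name present in the cert's SANs
    kubernetes_sd_configs:
      - role: node
```

The certificate and key that kube-rbac-proxy serves are supplied through its `--tls-cert-file` and `--tls-private-key-file` flags; the CA that signed them is what `ca_file` points at. A quick check that the hardening actually took effect is to scrape one target with the wrong CA and confirm the scrape fails with a certificate error rather than succeeding silently.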