Enable insecure_skip_verify for kubelet scraping #726

pintohutch · 2023-12-20T15:42:06Z

We currently hardcode the scrape config for kubelet scraping. The configuration defaults to verifying the target certificate over https by leaving insecure_skip_verify as false.

However, this can result in errors on K8s clusters where nodes are not provisioned certificates to include the IP address in the certificate SAN field:

Get "https://10.223.3.45:10250/metrics/cadvisor": tls: failed to verify certificate: x509: cannot validate certificate for 10.223.3.45 because it doesn't contain any IP SAN

We should either:

Expose this field as a configuration option for kubelet scraping in the OperatorConfig, e.g.

collection:
  kubeletScraping:
    interval: 30s
    tlsSkipVerify: true

Change the default behavior to set insecure_skip_verify: true in the hardcoded config.

The text was updated successfully, but these errors were encountered:

pintohutch · 2023-12-20T15:44:27Z

Actually looks like this is a duplicate of #223.

pintohutch · 2023-12-20T15:44:39Z

I'll just close this then and refer to that.

github-actions bot assigned bwplotka Dec 20, 2023

pintohutch closed this as completed Dec 20, 2023

pintohutch reopened this Dec 20, 2023

pintohutch closed this as not planned Won't fix, can't repro, duplicate, stale Dec 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enable insecure_skip_verify for kubelet scraping #726

Enable insecure_skip_verify for kubelet scraping #726

pintohutch commented Dec 20, 2023

pintohutch commented Dec 20, 2023

pintohutch commented Dec 20, 2023

Enable insecure_skip_verify for kubelet scraping #726

Enable insecure_skip_verify for kubelet scraping #726

Comments

pintohutch commented Dec 20, 2023

pintohutch commented Dec 20, 2023

pintohutch commented Dec 20, 2023