Should we set insecureSkipTLSVerify: false in the APIService for production clusters and how do we provide a proper certificate? #681
Labels: kind/support, triage/accepted
I couldn't help but notice that the APIService manifest https://github.com/kubernetes-sigs/prometheus-adapter/blob/master/deploy/manifests/api-service.yaml#L12 uses insecureSkipTLSVerify: true. This means that the K8s Aggregator API would not verify the Prometheus Adapter's TLS certificate.
In a production cluster, does it make sense to set the insecureSkipTLSVerify to false and instead provide a caBundle within the APIService? Is this how we're supposed to secure this connection?
I am not confident I understand how caBundle is supposed to work. Who is responsible for generating the caBundle certificates? How are those certificates getting injected into the Prometheus adapter itself once we set them to the APIService caBundle?
In general, is there documentation that explains best practices around how to set up prometheus adapter properly for production clusters?
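Added example, not part of the original issue or the project's manifests: one way to create a private CA and a serving certificate for the adapter with OpenSSL and derive the matching caBundle value. The Service name `prometheus-adapter`, the namespace `monitoring`, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the project): create a private CA and a
# serving certificate for the adapter, then derive the APIService caBundle.
set -eu

# Assumed names. The aggregator connects to <service>.<namespace>.svc and
# checks the serving certificate against that DNS name.
SERVICE="${SERVICE:-prometheus-adapter}"
NAMESPACE="${NAMESPACE:-monitoring}"
SVC_HOST="${SERVICE}.${NAMESPACE}.svc"

# make_adapter_certs DIR: writes ca.crt, tls.crt, tls.key and ca-bundle.b64.
make_adapter_certs() {
  dir="$1"
  # 1. Self-signed CA. Only its certificate (never ca.key) goes into caBundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=adapter-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Private key and CSR for the adapter's serving certificate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SVC_HOST" \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  # 3. Sign the CSR with the CA; the SAN must carry the service DNS name.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SVC_HOST" \
    > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/ext.cnf" -out "$dir/tls.crt" 2>/dev/null
  # 4. caBundle is the base64 of the PEM CA certificate, on a single line.
  base64 < "$dir/ca.crt" | tr -d '\n' > "$dir/ca-bundle.b64"
}

# verify_serving_cert DIR HOST: succeeds only if tls.crt chains to ca.crt and
# is valid for HOST, which is the check insecureSkipTLSVerify: true disables.
verify_serving_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/tls.crt" \
    >/dev/null 2>&1
}
```

The contents of `ca-bundle.b64` go into `spec.caBundle` of the APIService with `insecureSkipTLSVerify: false`, while `tls.crt` and `tls.key` are mounted into the adapter pod from a Secret and passed with the API server library flags `--tls-cert-file` and `--tls-private-key-file`. `ca.key` stays out of the cluster, and the serving certificate needs re-issuing before its 90 days run out.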