x509-certificate-exporter in a hardened Kubernetes cluster #193
ErikLundJensen started this conversation in General
The x509-certificate-exporter requires access to the files that are watched. This requires that the pod running x509-certificate-exporter actually has access to the files via hostPath. In a hardened Kubernetes cluster the hostPath should be restricted and giving pods access to private keys/certificates of the cluster is a potential threat.
Have you ever discussed if x509-certificate-exporter also could watch certificates returned by a URL?
For example, monitor the kube-api-server using the URL of the API instead of the files on the nodes.
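One way to read certificate expiry from a served TLS endpoint rather than from node files via hostPath, as an added example that is not part of the original post and is not x509-certificate-exporter code. `ProbeTLS` and `CertExpiry` are hypothetical names, and the `httptest` server in `main` is a constructed stand-in for an API endpoint.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// CertExpiry is a hypothetical result type for this example.
type CertExpiry struct {
	Subject  string
	NotAfter time.Time
	DaysLeft float64
}

// ProbeTLS connects to addr (host:port), completes a TLS handshake and returns
// expiry data for every certificate the server presents. It needs network
// reachability only: no hostPath mount and no access to private keys.
func ProbeTLS(addr string, timeout time.Duration, now time.Time) ([]CertExpiry, error) {
	// Chain verification is skipped on purpose so that an expired or privately
	// signed certificate is still reported. No application data is sent.
	cfg := &tls.Config{InsecureSkipVerify: true}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg)
	if err != nil {
		return nil, fmt.Errorf("tls dial %s: %w", addr, err)
	}
	defer conn.Close()
	var out []CertExpiry
	for _, c := range conn.ConnectionState().PeerCertificates {
		days := c.NotAfter.Sub(now).Hours() / 24
		out = append(out, CertExpiry{Subject: c.Subject.String(), NotAfter: c.NotAfter, DaysLeft: days})
	}
	return out, nil
}

func main() {
	// Constructed local TLS server standing in for an API endpoint.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	res, err := ProbeTLS(srv.Listener.Addr().String(), 3*time.Second, time.Now())
	if err != nil {
		panic(err)
	}
	for _, r := range res {
		fmt.Printf("%s expires %s (%.0f days left)\n", r.Subject, r.NotAfter.Format(time.RFC3339), r.DaysLeft)
	}
}
```

This only sees certificates that are presented on a listening endpoint; certificates that exist solely as files on a node (for example client certificates) are not covered by a probe like this.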