Skip to content

fix: gardener has exposed kubelet CA to end user#3147

Open
rakesh-garimella wants to merge 2 commits intokyma-project:mainfrom
rakesh-garimella:add-some-comments-for-checkmarx
Open

fix: gardener has exposed kubelet CA to end user#3147
rakesh-garimella wants to merge 2 commits intokyma-project:mainfrom
rakesh-garimella:add-some-comments-for-checkmarx

Conversation

@rakesh-garimella
Copy link
Copy Markdown
Contributor

@rakesh-garimella rakesh-garimella commented Mar 16, 2026

Description

Changes proposed in this pull request (what was done and why):

  • Gardener has exposed kubelet CA to end user so we can enable TLS verification for kubelet stats receiver
  • Also add some comments to explain why insecure_skip_verify is set to false

Changes refer to particular issues, PRs or documents:

Traceability

  • The PR is linked to a GitHub issue.
  • The follow-up issues (if any) are linked in the Related Issues section.
  • If the change is user-facing, the documentation has been adjusted.
  • If a CRD is changed, the corresponding Busola ConfigMap has been adjusted.
  • The feature is unit-tested.
  • The feature is e2e-tested.

@rakesh-garimella rakesh-garimella requested a review from a team as a code owner March 16, 2026 15:56
@github-actions github-actions bot added this to the 1.60.0 milestone Mar 16, 2026
@github-actions github-actions bot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 16, 2026
@rakesh-garimella rakesh-garimella added the area/metrics MetricPipeline label Mar 16, 2026
a-thaler
a-thaler reviewed Mar 16, 2026
View reviewed changes
internal/otelcollector/config/metricagent/testdata/http-with-custom-path.yaml
auth_type: serviceAccount
endpoint: https://${MY_NODE_NAME}:10250
insecure_skip_verify: true
insecure_skip_verify: false
Copy link
Copy Markdown
Collaborator

@a-thaler a-thaler Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That will not work without additional config. You need to tell the receiver from where to get the kublet CS as it is located in a gardener specific configmap.

@a-thaler a-thaler added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 17, 2026
@TeodorSAP TeodorSAP modified the milestones: 1.60.0, 1.61.0 Mar 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@a-thaler a-thaler a-thaler left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area/metrics MetricPipeline do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/bug Categorizes issue or PR as related to a bug.

Projects

None yet

Milestone

1.61.0

Development

Successfully merging this pull request may close these issues.

3 participants

@rakesh-garimella @a-thaler @TeodorSAP