
I've a Kubernetes cluster running with a deployment of some pods. One pod provides metrics on an HTTPS-secured endpoint. The problem is that this pod creates and uses its own self-signed certificate and Prometheus does not trust it.

It's OK for me, but how can I add the `insecure_skip_verify` property of the `tls_config` via an annotation, or adapt the Prometheus scrape config section to allow self-signed certificates for pods with a specific label?

My first attempt was to find a solution via `relabel_config`, but it seems that it's not possible to add new properties based on an annotation.

Does anyone have a solution for this problem?

Volker Raschek

1 Answer


By using this configuration it will create separate scrape configs for cluster components like the API server and nodes, and the services will use different authentication configs. Also note that Kubernetes labels will be added as Prometheus labels.

```yaml
scrape_configs:
  - job_name: "kubernetes-apiservers"

    kubernetes_sd_configs:
      - role: endpoints

    # Default to scraping over https. If required, just disable this or change to http.
    scheme: https

    # This TLS & authorization config is used to connect to the actual scrape
    # endpoints for cluster components. This is separate to discovery auth
    # configuration because discovery & scraping are two separate concerns in
    # Prometheus. The discovery auth config is automatic if Prometheus runs inside
    # the cluster. Otherwise, more config options have to be provided within the
    # <kubernetes_sd_config>.
    tls_config:
      ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      # If your node certificates are self-signed or use a different CA to the
      # master CA, then disable certificate verification below. Note that
      # certificate verification is an integral part of a secure infrastructure,
      # so this should only be disabled in a controlled environment. You can
      # disable certificate verification by uncommenting the line below.
      #
      # insecure_skip_verify: true
    authorization:
      credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token

    # Keep only the default/kubernetes service endpoints for the https port. This
    # will add targets for each API server which Kubernetes adds an endpoint to
    # the default/kubernetes service.
    relabel_configs:
      - source_labels:
          [
            __meta_kubernetes_namespace,
            __meta_kubernetes_service_name,
            __meta_kubernetes_endpoint_port_name,
          ]
        action: keep
        regex: default;kubernetes;https
```

Please refer to this document for more information.
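As an added example (not part of the question or the answer above): `relabel_configs` can only rewrite target labels, never `tls_config`, so the usual way to scope `insecure_skip_verify` to a few pods is a dedicated job that keeps only pods carrying an opt-in label while every other job keeps full verification. The label `metrics-tls=self-signed` and the use of the `prometheus.io/port` annotation are assumptions.

```yaml
scrape_configs:
  # Job for pods that opted in with the (assumed) label metrics-tls=self-signed.
  # insecure_skip_verify is set at job level, so it applies to these targets only.
  - job_name: "kubernetes-pods-selfsigned-tls"
    scheme: https
    tls_config:
      insecure_skip_verify: true
    kubernetes_sd_configs:
      - role: pod
    relabel_configs:
      # Pod discovery exposes each pod label as __meta_kubernetes_pod_label_<name>,
      # with non-alphanumeric characters replaced by underscores.
      - source_labels: [__meta_kubernetes_pod_label_metrics_tls]
        action: keep
        regex: self-signed
      # Use the port from the prometheus.io/port annotation when it is present.
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
        action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        target_label: __address__
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod

  # Regular pod job: certificate verification stays enabled here, and the pods
  # handled by the job above are dropped so each pod is scraped exactly once.
  - job_name: "kubernetes-pods"
    kubernetes_sd_configs:
      - role: pod
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_label_metrics_tls]
        action: drop
        regex: self-signed
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
        action: keep
        regex: "true"
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
        action: replace
        regex: (https?)
        target_label: __scheme__
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
        action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        target_label: __address__
```

Verify the split with `promtool check config prometheus.yml` and then confirm on the Prometheus targets page that only the labelled pods appear under the `kubernetes-pods-selfsigned-tls` job.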