Merge pull request #183 from caitong93/kubelet-ca

Add kubelet-certificate-authority flag
kubernetes-sigs · Mar 8, 2019 · ea4d74a · ea4d74a
2 parents 92d8412 + f724d6a
commit ea4d74a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/cmd/metrics-server/app/start.go b/cmd/metrics-server/app/start.go
@@ -61,6 +61,7 @@ func NewCommandStartMetricsServer(out, errOut io.Writer, stopCh <-chan struct{})
  flags.IntVar(&o.KubeletPort, "kubelet-port", o.KubeletPort, "The port to use to connect to Kubelets.")
  flags.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)")
  flags.StringSliceVar(&o.KubeletPreferredAddressTypes, "kubelet-preferred-address-types", o.KubeletPreferredAddressTypes, "The priority of node address types to use when determining which address to use to connect to a particular node")
+ flags.StringVar(&o.KubeletCAFile, "kubelet-certificate-authority", "", "Path to the CA to use to validate the Kubelet's serving certificates.")
 
  flags.MarkDeprecated("deprecated-kubelet-completely-insecure", "This is rarely the right option, since it leaves kubelet communication completely insecure. If you encounter auth errors, make sure you've enabled token webhook auth on the Kubelet, and if you're in a test cluster with self-signed Kubelet certificates, consider using kubelet-insecure-tls instead.")
 
@@ -89,6 +90,7 @@ type MetricsServerOptions struct {
  KubeletPort int
  InsecureKubeletTLS bool
  KubeletPreferredAddressTypes []string
+ KubeletCAFile string
 
  DeprecatedCompletelyInsecureKubelet bool
 }
@@ -171,7 +173,12 @@ func (o MetricsServerOptions) Run(stopCh <-chan struct{}) error {
  informerFactory := informers.NewSharedInformerFactory(kubeClient, 0)
 
  // set up the source manager
- kubeletConfig := summary.GetKubeletConfig(clientConfig, o.KubeletPort, o.InsecureKubeletTLS, o.DeprecatedCompletelyInsecureKubelet)
+ kubeletRestCfg := rest.CopyConfig(clientConfig)
+ if len(o.KubeletCAFile) > 0 {
+ kubeletRestCfg.TLSClientConfig.CAFile = o.KubeletCAFile
+ kubeletRestCfg.TLSClientConfig.CAData = nil
+ }
+ kubeletConfig := summary.GetKubeletConfig(kubeletRestCfg, o.KubeletPort, o.InsecureKubeletTLS, o.DeprecatedCompletelyInsecureKubelet)
  kubeletClient, err := summary.KubeletClientFor(kubeletConfig)
  if err != nil {
  return fmt.Errorf("unable to construct a client to connect to the kubelets: %v", err)

diff --git a/pkg/sources/summary/configs.go b/pkg/sources/summary/configs.go
@@ -21,8 +21,7 @@ import (
 )
 
 // GetKubeletConfig fetches connection config for connecting to the Kubelet.
-func GetKubeletConfig(baseKubeConfig *rest.Config, port int, insecureTLS bool, completelyInsecure bool) *KubeletClientConfig {
- cfg := rest.CopyConfig(baseKubeConfig)
+func GetKubeletConfig(cfg *rest.Config, port int, insecureTLS bool, completelyInsecure bool) *KubeletClientConfig {
  if completelyInsecure {
  cfg = rest.AnonymousClientConfig(cfg) // don't use auth to avoid leaking auth details to insecure endpoints
  cfg.TLSClientConfig = rest.TLSClientConfig{} // empty TLS config --> no TLS