
Use hostPath to watch all certificates in node (if running in daemonset mode)

Open Dentrax opened this issue 2 years ago • 2 comments

We can use hostPath to bind the current node's /etc/kubernetes/ path to watch all certificates if running mode is DaemonSet.

  • /etc/kubernetes/pki/*.crt
  • /etc/kubernetes/ssl/*.crt
  • /etc/kubernetes/pki/apiserver.crt
  • /etc/kubernetes/pki/apiserver-etcd-client.crt
  • /etc/kubernetes/pki/apiserver-kubelet-client.crt
  • /etc/kubernetes/pki/ca.crt
  • /etc/kubernetes/pki/front-proxy-ca.crt
  • /etc/kubernetes/pki/front-proxy-client.crt
  • /etc/kubernetes/pki/etcd/ca.crt
  • /etc/kubernetes/pki/etcd/client.crt
  • /etc/kubernetes/pki/etcd/peer.crt
  • /etc/kubernetes/pki/etcd/server.crt

Wdyt?

Dentrax avatar Sep 17 '22 19:09 Dentrax

Hi @Dentrax

What you're looking for sounds like issue #48. Is that correct? The goal being to enhance watchDirectories: [] with regexp support.

I can see that we work on the feature if the contribution is unlikely.

Cheers

npdgm avatar Sep 17 '22 20:09 npdgm

Thanks for the reference! It's exactly what I was looking for. But I still want to propose that we merge both issues. We can watch the paths mentioned in this issue by default. Also, users can pass custom watchDirectories: [] additionally. Because the /etc/kubernetes path is the Kubernetes standard.

Security Concern

If cluster admins do not want to use hostPath due to security concerns, it's fine. We can create a custom feature flag such as watchKubernetesCertsOnHost to enable this feature if the exporter is deployed as a DaemonSet. (Otherwise it would be redundant, since a Deployment does not roll out pods to all nodes.)

Wdyt?

Dentrax avatar Sep 17 '22 21:09 Dentrax
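As an added example (not code from the exporter project or from this thread), a DaemonSet manifest showing the hostPath mount the thread proposes, with the read-only and non-root settings a cluster admin would want in place before enabling it; the image tag, the --watch-dir flag name and the /hostpki mount path are assumptions.

```yaml
# Added example (not from the x509-certificate-exporter project): a DaemonSet that
# mounts the node's /etc/kubernetes/pki read-only so the exporter can watch the
# control-plane certificates. Image tag, --watch-dir flag and /hostpki are assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: x509-certificate-exporter
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: x509-certificate-exporter
  template:
    metadata:
      labels:
        app: x509-certificate-exporter
    spec:
      # /etc/kubernetes/pki only exists on control-plane nodes: pin the pods there
      # and tolerate the control-plane taint so they are actually scheduled.
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534   # the *.crt files are world-readable; private keys are never read
      containers:
        - name: exporter
          image: enix/x509-certificate-exporter:EXAMPLE_TAG   # placeholder tag
          args:
            - --watch-dir=/hostpki   # assumed flag: watch the mounted directory
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: host-pki
              mountPath: /hostpki
              readOnly: true   # read-only mount: the exporter can never modify host PKI
      volumes:
        - name: host-pki
          hostPath:
            path: /etc/kubernetes/pki
            type: Directory   # fail fast instead of auto-creating the path on the host
```

A read-only hostPath mount of a certificate-only directory limits the exposure to disclosure of public certificates; mounting all of /etc/kubernetes would also expose kubeconfig files, which is why the mount is scoped to pki/.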