veda/TODO.md

1.1 KiB

TODO

Enable Trusted Kubelet Serving Certificates

Context: Metrics Server currently uses --kubelet-insecure-tls because Talos kubelet serving certificates are not trusted by metrics-server by default.

Goal: Remove --kubelet-insecure-tls from apps/metrics-server/values.yaml.

Required work:

  • Enable kubelet server certificate rotation in the Talos machine config:
machine:
  kubelet:
    extraArgs:
      rotate-server-certificates: true
  • Add CSR approval for kubelet serving certificates, for example with kubelet-serving-cert-approver.
  • Apply the Talos config and reboot/restart kubelets as needed so new serving certificates are requested.
  • Confirm kubelet serving CSRs are approved and issued.
  • Remove --kubelet-insecure-tls from Metrics Server.
  • Verify Metrics Server still scrapes all nodes.

Verification:

kubectl get csr
kubectl -n kube-system logs deploy/metrics-server
kubectl top nodes
kubectl top pods -A

Reference: