[kube-state-metrics] Readiness probe not working with rbac proxy #4992
Comments
Same here. e5dcb61#diff-964657bf9c31e2d1338046dc10aff7a7d28dc34813c6cd09d84228512e966132L203 broke the readiness probe with rbacproxy enabled.
Same here. The issue is the following:
The purpose of using kube-rbac-proxy is to prevent unauthorized access to the kube-state-metrics endpoints. However, binding it to 0.0.0.0 so that the kubelet can use it for probes defeats this purpose because it allows direct access to the kube-state-metrics port, bypassing kube-rbac-proxy entirely. So, we should bind both ports of kube-state-metrics to 127.0.0.1, which unfortunately would cause the kubelet probes to stop working. One solution would be to disable probes when using kube-rbac-proxy, similar to how it is done in kube-prometheus: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/kubeStateMetrics-deployment.yaml
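As an added illustration of the trade-off described in the comment above (not code from the chart, kube-state-metrics or kube-rbac-proxy): a small Python audit of a pod spec that flags kube-state-metrics listeners left off loopback next to kube-rbac-proxy, and HTTP probes aimed at loopback-only ports. The image-name matching, the flag defaults used when a flag is absent, and the sample pod built by `ksm_pod` are assumptions made for this example.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Assumption: values used when a flag is absent (listen on all interfaces).
DEFAULTS = {"host": "::", "port": "8080", "telemetry-host": "::", "telemetry-port": "8081"}

def flag(args, name):
    """Value of --name=value or --name value, else the assumed default."""
    for i, arg in enumerate(args):
        if arg.startswith(f"--{name}="):
            return arg.split("=", 1)[1]
        if arg == f"--{name}" and i + 1 < len(args):
            return args[i + 1]
    return DEFAULTS[name]

def audit(pod_spec):
    """Return sorted (issue, port) findings for a pod spec that runs kube-rbac-proxy."""
    containers = pod_spec["containers"]
    if not any("kube-rbac-proxy" in c["image"] for c in containers):
        return []
    findings = set()
    for c in containers:
        if "kube-state-metrics" not in c["image"]:
            continue
        args = c.get("args", [])
        bind = {int(flag(args, "port")): flag(args, "host"),
                int(flag(args, "telemetry-port")): flag(args, "telemetry-host")}
        for port, host in bind.items():
            if host not in LOOPBACK:
                findings.add(("proxy-bypass", port))  # reachable on the pod IP, proxy skipped
        named = {p["name"]: p["containerPort"] for p in c.get("ports", []) if "name" in p}
        for kind in ("livenessProbe", "readinessProbe", "startupProbe"):
            http = c.get(kind, {}).get("httpGet")
            if not http:
                continue
            port = named.get(http["port"], http["port"])
            if bind.get(port) in LOOPBACK and "host" not in http:
                findings.add(("probe-unreachable", port))  # kubelet dials the pod IP
    return sorted(findings)

def ksm_pod(host, telemetry_host, probe_port=None):
    """Constructed sample pod spec; image names, ports and probe path are illustrative."""
    ksm = {"name": "kube-state-metrics", "image": "example.invalid/kube-state-metrics:sample",
           "args": [f"--host={host}", "--port=8080",
                    f"--telemetry-host={telemetry_host}", "--telemetry-port=8081"]}
    if probe_port is not None:
        ksm["readinessProbe"] = {"httpGet": {"path": "/", "port": probe_port}}
    proxy = {"name": "kube-rbac-proxy", "image": "example.invalid/kube-rbac-proxy:sample",
             "args": ["--secure-listen-address=:8443", "--upstream=http://127.0.0.1:8080/"]}
    return {"containers": [ksm, proxy]}
```

A pod with both listeners on 127.0.0.1 and no kubelet HTTP probe on those ports produces no findings, which matches the kube-prometheus approach the comment points to.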
Describe the bug a clear and concise description of what the bug is.
After upgrading to chart version v5.27.0, the kube-state-metrics pod is never marked as ready if the kube-rbac-proxy feature is enabled. The deployment configures the telemetry host to 127.0.0.1 when kubeRBACProxy.enabled is true and the readiness probe uses the pod IP to attempt to reach the telemetry host so it is not reachable.
What's your helm version?
version.BuildInfo{Version:"v3.16.2", GitCommit:"13654a52f7c70a143b1dd51416d633e1071faffb", GitTreeState:"clean", GoVersion:"go1.22.7"}
What's your kubectl version?
Client Version: v1.31.2 Kustomize Version: v5.4.2 Server Version: v1.31.2
Which chart?
kube-state-metrics
What's the chart version?
5.27.0
What happened?
No response
What you expected to happen?
No response
How to reproduce it?
No response
Enter the changed values of values.yaml?
Enter the command that you execute and failing/misfunctioning.
helm install -n monitoring ksm prometheus-community/kube-state-metrics --set "kubeRBACProxy.enabled=true"
Anything else we need to know?
No response