I am on kubernetes 14.0.3 and want to use elastic's metricbeat to get kubernetes logs and metrics into elasticsearch. Metricbeat is running as a daemonset and wants to fetch node data via kubelet's read-only port (10255) on localhost, which is currently disabled in my environment.
Details on the installation and kubernetes manifests are here: https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-kubernetes.html
As I read here (https://groups.google.com/forum/#!topic/kubernetes-users/1cS3Wm9sETw), I can use port 10250 instead, which is secured with TLS and can use client authentication.
If I connect to https://localhost:10250/spec/ I get "unauthorized", so I assume client authentication is needed.
As I understand client certificate authentication, the pod's hostname and the certificate need to match, and kubelet needs to trust the CA which issued the certificate.
Here are my questions:
- Is kubelet's port 10250 read-only too, or can an authenticated client do more than on port 10255?
- If 10250 is more privileged, how can I limit the permissions for metricbeat?
- How can I automatically issue a client certificate for the metricbeat pod?
Thanks a lot,
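Added example (not part of the original post, and not Elastic's or Kubernetes' own manifests): one way to reach the kubelet on port 10250 with least privilege and without issuing a client certificate at all. It assumes the kubelet runs with `--authentication-token-webhook=true` and `--authorization-mode=Webhook` (kubeadm's default), so a pod can present its projected ServiceAccount token as a bearer token and the kubelet authorizes each request with a SubjectAccessReview against the RBAC rules below. The names `metricbeat`, `kube-system`, `metricbeat-kubelet-readonly` and the ConfigMap key are assumptions for illustration.

```yaml
# Added example: RBAC that lets metricbeat read kubelet stats on port 10250
# with its ServiceAccount token, plus the matching module configuration.
# Assumes the kubelet uses --authentication-token-webhook=true and
# --authorization-mode=Webhook (TokenReview + SubjectAccessReview).
# Resource names (metricbeat / kube-system / ...) are illustrative.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metricbeat
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metricbeat-kubelet-readonly
rules:
  # The kubelet maps its HTTPS paths onto node subresources:
  #   /stats/*   -> nodes/stats    (what the kubelet metricsets read)
  #   /metrics/* -> nodes/metrics  (Prometheus-format kubelet metrics)
  #   /spec/     -> nodes/spec
  # Deliberately NOT granted: nodes/proxy, which covers /exec, /attach,
  # /run and /portForward and would let a leaked token run commands in
  # every container on the node. Port 10250 is the full kubelet API;
  # what a caller may do there is bounded only by rules like these.
  - apiGroups: [""]
    resources: ["nodes/stats", "nodes/metrics", "nodes/spec"]
    verbs: ["get"]
  # Only needed when the add_kubernetes_metadata processor is enabled,
  # which reads pod/node/namespace objects from the API server.
  - apiGroups: [""]
    resources: ["nodes", "pods", "namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metricbeat-kubelet-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metricbeat-kubelet-readonly
subjects:
  - kind: ServiceAccount
    name: metricbeat
    namespace: kube-system
---
# Module configuration fragment: talk to the local kubelet over TLS with
# the pod's own ServiceAccount token instead of a client certificate.
# NODE_NAME is expected from the downward API (fieldRef: spec.nodeName)
# in the DaemonSet pod spec.
apiVersion: v1
kind: ConfigMap
metadata:
  name: metricbeat-daemonset-modules
  namespace: kube-system
data:
  kubernetes.yml: |-
    - module: kubernetes
      metricsets: [node, system, pod, container, volume]
      period: 10s
      host: ${NODE_NAME}
      hosts: ["https://${NODE_NAME}:10250"]
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      # Verify the kubelet's serving certificate against the cluster CA.
      # This only works when kubelet serving certificates are signed by
      # that CA (kubelet --rotate-server-certificates with approved CSRs).
      # With a self-signed kubelet certificate the fallback is
      # ssl.verification_mode: none, which keeps the connection encrypted
      # but accepts any server, so the token could be captured by a MITM.
      ssl.certificate_authorities:
        - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```

Before rolling this out, the effective permissions can be checked from the API server's point of view with `kubectl auth can-i get nodes/stats --as=system:serviceaccount:kube-system:metricbeat` (expected: yes) and `kubectl auth can-i create nodes/proxy --as=system:serviceaccount:kube-system:metricbeat` (expected: no); the kubelet makes the same decision through its SubjectAccessReview webhook.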