How to access kubelet read only https port with client authentication from a pod?

Hi,

I am on kubernetes 14.0.3 and want to use elastic's metricbeat to get kubernetes logs and metrics into elasticsearch. Metricbeat is running as a daemonset and wants to fetch node data via kubelet's read-only port (10255) at localhost, which is currently disabled in my environment.

Details of the installation and the kubernetes manifests are here: https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-kubernetes.html

As I read here (https://groups.google.com/forum/#!topic/kubernetes-users/1cS3Wm9sETw), I can use port 10250 instead, which is secured with TLS and which can use client authentication.
If I connect to https://localhost:10250/spec/ I get unauthorized, so I assume client authentication is needed.

As I understand client certificate authentication, the pod's hostname and the certificate need to match, and kubelet needs to trust the CA which issued the certificate.

Here are my questions:

  • Is kubelet's port 10250 read-only too, or can an authenticated client do more than on port 10255?
  • If 10250 is more privileged, how can I limit the permissions for metricbeat?
  • How do I automatically issue a client certificate for the metricbeat pod?

Thanks a lot,
Andreas
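The first two questions above come down to how the kubelet authorizes requests on its TLS port. With `--authorization-mode=Webhook` the kubelet turns every request into a SubjectAccessReview on resource `nodes`, picking the subresource from the URL path (`/stats/...` -> `nodes/stats`, `/metrics...` -> `nodes/metrics`, `/logs/...` -> `nodes/log`, `/spec/...` -> `nodes/spec`, everything else -> `nodes/proxy`) and the verb from the HTTP method, and RBAC decides. The following is an added example, not code from the post, from Elastic or from Kubernetes: a Python model of that mapping plus a minimal RBAC matcher, evaluated against an assumed least-privilege role for a metrics collector and against a transcription of what the built-in `system:kubelet-api-admin` ClusterRole grants. The role `METRICS_READONLY_RULES`, the sample requests and the pod/container names in them are constructed for the example; the path-prefix mapping is a simplification of the kubelet's own logic.

```python
"""Model of kubelet authorization on its TLS port (10250).

Added example (not from the original post, metricbeat or Kubernetes).
It reproduces the request -> (verb, nodes/<subresource>) mapping the kubelet
uses for its SubjectAccessReview and evaluates it against hand-written RBAC
rules, to show which endpoints a read-only metrics role can reach.
"""
from typing import Dict, Iterable, List, Tuple

# HTTP method -> Kubernetes verb, as the kubelet sets it in the SubjectAccessReview.
VERB_BY_METHOD = {"GET": "get", "POST": "create", "PUT": "update",
                  "PATCH": "patch", "DELETE": "delete"}

# URL prefix -> nodes/<subresource>. Anything else (/pods, /run, /exec,
# /attach, /portForward, /containerLogs, ...) falls back to nodes/proxy.
# Simplified prefix matching; the kubelet's own check is equivalent for these paths.
SUBRESOURCE_BY_PREFIX = (("/stats", "stats"), ("/metrics", "metrics"),
                         ("/logs", "log"), ("/spec", "spec"))


def _is_subpath(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def kubelet_attributes(method: str, path: str) -> Tuple[str, str]:
    """Return the (verb, resource) pair the kubelet asks RBAC about for one request."""
    verb = VERB_BY_METHOD.get(method.upper(), "")  # unknown methods get no verb
    sub = next((s for p, s in SUBRESOURCE_BY_PREFIX if _is_subpath(path, p)), "proxy")
    return verb, "nodes/" + sub


# One RBAC rule as it appears in a ClusterRole: apiGroups / resources / verbs lists.
Rule = Dict[str, List[str]]


def rbac_allows(rules: Iterable[Rule], verb: str, resource: str) -> bool:
    """Minimal RBAC matcher for the core API group, honouring '*' wildcards."""
    for rule in rules:
        if "" not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb in rule["verbs"] or "*" in rule["verbs"]:
            return True
    return False


def authorize(rules: Iterable[Rule], method: str, path: str) -> bool:
    """Decide one kubelet request the way Webhook authorization + RBAC would."""
    verb, resource = kubelet_attributes(method, path)
    return bool(verb) and rbac_allows(rules, verb, resource)


# ASSUMED least-privilege role for a metrics collector (not an official metricbeat role):
# only the read-only subresources, only verb "get". Bind the collector's
# ServiceAccount to a ClusterRole with these rules.
METRICS_READONLY_RULES: List[Rule] = [
    {"apiGroups": [""],
     "resources": ["nodes/stats", "nodes/metrics", "nodes/spec"],
     "verbs": ["get"]},
]

# Transcription of the node subresources granted by the built-in
# system:kubelet-api-admin ClusterRole; a subject bound to it can exec into any container.
KUBELET_API_ADMIN_RULES: List[Rule] = [
    {"apiGroups": [""],
     "resources": ["nodes/proxy", "nodes/stats", "nodes/metrics", "nodes/log", "nodes/spec"],
     "verbs": ["*"]},
]

# Constructed sample requests; namespace/pod/container names are placeholders.
SAMPLE_REQUESTS = [
    ("GET", "/stats/summary"),             # what metricbeat's kubelet metricsets read
    ("GET", "/metrics/cadvisor"),
    ("GET", "/spec/"),                     # the URL the post tried
    ("GET", "/pods"),                      # every pod spec on the node -> nodes/proxy
    ("POST", "/run/kube-system/foo/bar"),  # run a command in a container -> nodes/proxy
    ("POST", "/exec/kube-system/foo/bar"),
]


def decision_table(rules: Iterable[Rule], requests=SAMPLE_REQUESTS) -> Dict[str, bool]:
    """Map 'METHOD path' -> allowed, for a whole list of requests."""
    rules = list(rules)
    return {"%s %s" % (m, p): authorize(rules, m, p) for m, p in requests}


if __name__ == "__main__":
    for name, rules in (("metrics-readonly", METRICS_READONLY_RULES),
                        ("kubelet-api-admin", KUBELET_API_ADMIN_RULES)):
        print(name)
        for req, ok in decision_table(rules).items():
            print("  %-5s %s" % ("allow" if ok else "deny", req))
```

Running it shows the answer to the first question: 10250 is only as read-only as the role bound to the caller. The read-only role reaches `/stats/summary`, `/metrics/cadvisor` and `/spec/`, and is denied `/pods`, `/run` and `/exec`; the admin role gets all six. Two caveats a practitioner would want: the kubelet returns 401 Unauthorized when it could not authenticate the caller at all (anonymous auth off), and 403 Forbidden when the caller is authenticated but its RBAC role does not cover the subresource, so a 401 on `/spec/` says nothing yet about what the role allows. And for the certificate question: kubelet x509 client authentication (`--client-ca-file`) takes the user name from the certificate CN and the groups from O; no hostname matching is involved. If the kubelet runs with `--authentication-token-webhook`, a pod's ServiceAccount bearer token is accepted as well, which avoids issuing per-pod certificates: bind the ServiceAccount to a ClusterRole like `METRICS_READONLY_RULES` above.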