Dalton Hubble
545bd79624
Update Grafana from v8.0.4 to v8.0.6
...
* https://github.com/grafana/grafana/releases/tag/v8.0.6
2021-07-16 12:02:36 -07:00
Dalton Hubble
c7e327417b
Update Prometheus and Grafana addons
2021-07-04 10:02:44 -07:00
Dalton Hubble
b0e9b1fa60
Update Prometheus and Grafana addons
...
* https://github.com/prometheus/prometheus/releases/tag/v2.28.0
* https://github.com/grafana/grafana/releases/tag/v8.0.3
2021-06-27 14:46:43 -07:00
Dalton Hubble
30cfeec6c1
Update nginx-ingress from v0.46.0 to v0.47.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.47.0
2021-06-07 10:11:07 -07:00
Dalton Hubble
24e63bd134
Update Prometheus, Grafana, kube-state-metrics addons
2021-06-07 09:40:06 -07:00
Dalton Hubble
75b063c586
Update Prometheus from v2.25.2 to v2.27.0
...
* Update Grafana from v7.5.4 to v7.5.6
* https://github.com/prometheus/prometheus/releases/tag/v2.27.0
* https://github.com/grafana/grafana/releases/tag/v7.5.6
2021-05-12 11:47:07 -07:00
Dalton Hubble
bc96443710
Update nginx-ingress from v0.45.0 to v0.46.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.46.0
2021-05-05 12:06:20 -07:00
Dalton Hubble
e535ddd15a
Update Grafana from v7.5.3 to v7.5.4
...
* https://github.com/grafana/grafana/releases/tag/v7.5.4
2021-04-17 11:38:14 -07:00
Dalton Hubble
5752a8f041
Update kube-state-metrics from v2.0.0-rc.1 to v2.0.0
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.0.0
2021-04-17 11:34:52 -07:00
Dalton Hubble
2eb1ac1b4d
Update nginx-ingress from v0.44.0 to v0.45.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.45.0
2021-04-12 00:18:47 -07:00
Dalton Hubble
cb2721ef7d
Update Grafana from v7.5.2 to v7.5.3
...
* https://github.com/grafana/grafana/releases/tag/v7.5.3
2021-04-12 00:17:22 -07:00
Dalton Hubble
1a6481df04
Update Grafana from v7.5.1 to v7.5.2
...
* https://github.com/grafana/grafana/releases/tag/v7.5.2
2021-04-04 18:20:02 -07:00
Dalton Hubble
7372d33af8
Update kube-state-metrics and Grafana
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.0.0-rc.1
* https://github.com/grafana/grafana/releases/tag/v7.5.1
2021-03-28 10:53:52 -07:00
Dalton Hubble
048f1f514e
Update Grafana from v7.4.3 to v7.4.5
...
* https://github.com/grafana/grafana/releases/tag/v7.4.5
2021-03-19 11:51:52 -07:00
Dalton Hubble
b825cd9afe
Update Prometheus from v2.25.1 to v2.25.2
...
* https://github.com/prometheus/prometheus/releases/tag/v2.25.2
2021-03-19 11:49:38 -07:00
Dalton Hubble
4d58be0816
Update Prometheus from v2.25.0 to v2.25.1
...
* https://github.com/prometheus/prometheus/releases/tag/v2.25.1
2021-03-14 09:43:15 -07:00
Dalton Hubble
5bc1cd28c3
Switch kube-state-metrics image from quay to k8s.gcr.io
...
* kube-state-metrics is continuing to publish container images
to `k8s.gcr.io` instead of `quay.io`
Rel: https://github.com/kubernetes/kube-state-metrics/issues/1409
2021-03-11 10:56:18 -08:00
Dalton Hubble
13fbac6c79
Update Grafana from v7.4.2 to v7.4.3
...
* https://github.com/grafana/grafana/releases/tag/v7.4.3
2021-03-05 17:19:54 -08:00
Dalton Hubble
a8fa4a9a06
Update node-exporter and kube-state-metrics
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.0.0-rc.0
* https://github.com/prometheus/node_exporter/releases/tag/v1.1.2
2021-03-05 17:13:45 -08:00
Dalton Hubble
ec389295fe
Update Grafana from v7.4.0 to v7.4.2
...
* https://github.com/grafana/grafana/releases/tag/v7.4.2
2021-02-19 00:18:39 -08:00
Dalton Hubble
3c807f3478
Update Prometheus from v2.24.1 to v2.25.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.25.0
2021-02-19 00:16:35 -08:00
Dalton Hubble
c32a54db40
Update node-exporter from v1.0.1 to v1.1.1
...
* https://github.com/prometheus/node_exporter/releases/tag/v1.1.1
2021-02-14 14:30:28 -08:00
Dalton Hubble
3b933e1ab3
Update Grafana from v7.3.7 to v7.4.0
...
* https://github.com/grafana/grafana/releases/tag/v7.4.0
2021-02-07 21:42:18 -08:00
Dalton Hubble
58d8f6f505
Update Prometheus from v2.24.0 to v2.24.1
...
* https://github.com/prometheus/prometheus/releases/tag/v2.24.1
2021-02-04 22:28:32 -08:00
Dalton Hubble
56853fe222
Update nginx-ingress from v0.43.0 to v0.44.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.44.0
2021-02-04 22:19:58 -08:00
Dalton Hubble
11c434915f
Update Grafana from v7.3.6 to v7.3.7
...
* https://github.com/grafana/grafana/releases/tag/v7.3.7
2021-01-16 10:46:56 -08:00
Dalton Hubble
6a6af4aa16
Update Prometheus from v2.24.0-rc.0 to v2.24.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.24.0
2021-01-12 20:49:18 -08:00
Dalton Hubble
3dcd10f3b8
Update Prometheus v2.23.0 to v2.24.0-rc.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.24.0-rc.0
2021-01-01 13:49:28 -08:00
Dalton Hubble
22503993b9
Update nginx-ingress from v0.41.2 to v0.43.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.43.0
* https://github.com/kubernetes/ingress-nginx/issues/6696
2021-01-01 13:44:45 -08:00
Dalton Hubble
cf3aa8885b
Update Prometheus rules and Grafana dashboards
...
* Update Grafana from v7.3.5 to v7.3.6
2020-12-19 14:56:42 -08:00
Dalton Hubble
96172ad269
Update Grafana from v7.3.4 to v7.3.5
...
* https://github.com/grafana/grafana/releases/tag/v7.3.5
2020-12-11 00:24:43 -08:00
Dalton Hubble
85eb502f19
Update Prometheus from v2.23.0-rc.0 to v2.23.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.23.0
2020-11-29 19:59:27 -08:00
Dalton Hubble
22565e57e0
Update kube-state-metrics from v2.0.0-alpha.2 to v2.0.0-alpha.3
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.0.0-alpha.3
2020-11-25 14:30:11 -08:00
Dalton Hubble
026e1f3648
Update Grafana from v7.3.3 to v7.3.4
...
* https://github.com/grafana/grafana/releases/tag/v7.3.4
2020-11-25 14:25:15 -08:00
Dalton Hubble
ba8d972c76
Update Prometheus from v2.22.2 to v2.23.0-rc.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.23.0-rc.0
2020-11-24 10:54:42 -08:00
Dalton Hubble
be28495d79
Update Prometheus from v2.22.1 to v2.22.2
...
* https://github.com/prometheus/prometheus/releases/tag/v2.22.2
2020-11-19 21:50:48 -08:00
Dalton Hubble
f1356fec24
Update Grafana from v7.3.2 to v7.3.3
...
* https://github.com/grafana/grafana/releases/tag/v7.3.3
2020-11-19 21:49:11 -08:00
Dalton Hubble
f5a83667e8
Update Grafana from v7.3.1 to v7.3.2
...
* https://github.com/grafana/grafana/releases/tag/v7.3.2
2020-11-14 13:30:30 -08:00
Dalton Hubble
a911367c2e
Update nginx-ingress from v0.41.0 to v0.41.2
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.41.2
2020-11-14 13:27:06 -08:00
Dalton Hubble
f884de847e
Discard Prometheus etcd gRPC failure alert
...
* Kubernetes watch expiry is not a gRPC code we care about
* Background: This rule is typically removed, but was added back in
2020-11-14 13:17:56 -08:00
Dalton Hubble
133d325013
Update nginx-ingress from v0.40.2 to v0.41.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.41.0
2020-11-08 14:34:52 -08:00
Dalton Hubble
4b05c0180e
Update Grafana from v7.3.0 to v7.3.1
...
* https://github.com/grafana/grafana/releases/tag/v7.3.1
2020-11-08 14:13:39 -08:00
Dalton Hubble
f49ab3a6ee
Update Prometheus from v2.22.0 to v2.22.1
...
* https://github.com/prometheus/prometheus/releases/tag/v2.22.1
2020-11-08 14:12:24 -08:00
Dalton Hubble
cda5b93b09
Update kube-state-metrics from v2.0.0-alpha.1 to v2.0.0-alpha.2
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.0.0-alpha.2
2020-10-28 18:49:40 -07:00
Dalton Hubble
3e9f5f34de
Update Grafana from v7.2.2 to v7.3.0
...
* https://github.com/grafana/grafana/releases/tag/v7.3.0
2020-10-28 17:46:26 -07:00
Dalton Hubble
fc62e51b2a
Update Grafana from v7.2.1 to v7.2.2
...
* https://github.com/grafana/grafana/releases/tag/v7.2.2
2020-10-22 00:14:04 -07:00
Dalton Hubble
9fbfbdb854
Update Prometheus from v2.21.0 to v2.22.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.22.0
2020-10-17 12:38:25 -07:00
Dalton Hubble
394e496cc7
Update Grafana from v7.2.0 to v7.2.1
...
* https://github.com/grafana/grafana/releases/tag/v7.2.1
2020-10-11 13:21:25 -07:00
Dalton Hubble
7881f4bd86
Update kube-state-metrics from v1.9.7 to v2.0.0-alpha.1
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.0.0-alpha
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.0.0-alpha.1
2020-10-11 12:35:43 -07:00
Dalton Hubble
d5b5b7cb02
Update nginx-ingress from v0.40.0 to v0.40.2
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.40.2
2020-10-06 23:52:15 -07:00
Dalton Hubble
b39a1d70da
Update nginx-ingress from v0.35.0 to v0.40.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.40.0
2020-10-02 01:00:35 -07:00
Dalton Hubble
d65085ce14
Update Grafana from v7.1.5 to v7.2.0
...
* https://github.com/grafana/grafana/releases/tag/v7.2.0
2020-09-24 20:58:32 -07:00
Dalton Hubble
bc7ad25c60
Update Grafana dashboard for Kubelet v1.19
...
* Fix Kubelet pod and container count metrics dashboard
* https://github.com/kubernetes-monitoring/kubernetes-mixin/pull/499
2020-09-15 23:21:56 -07:00
Dalton Hubble
e838d4dc3d
Refresh Prometheus rules/alerts and Grafana dashboards
...
* Refresh upstream Prometheus rules/alerts and Grafana dashboards
2020-09-13 15:03:27 -07:00
Dalton Hubble
979c092ef6
Reduce apiserver metrics cardinality of non-core APIs
...
* Reduce `apiserver_request_duration_seconds_count` cardinality
by dropping series for non-core Kubernetes APIs. This is done
to match `apiserver_request_duration_seconds_count` relabeling
* These two relabels must be performed the same way to avoid
affecting new SLO calculations (upcoming)
* See https://github.com/kubernetes-monitoring/kubernetes-mixin/issues/498
Related: https://github.com/poseidon/typhoon/pull/596
2020-09-13 14:47:49 -07:00
Dalton Hubble
eb093af9ed
Drop Kubelet labelmap relabel for node_name
...
* Originally, Kubelet and CAdvisor metrics used a labelmap
relabel to add Kubernetes SD node labels onto timeseries
* With https://github.com/poseidon/typhoon/pull/596 that
relabel was dropped since node labels aren't usually that
valuable. `__meta_kubernetes_node_name` was retained but
the field name is empty
* Favor just using Prometheus server-side `instance` in
queries that require some node identifier for aggregation
or debugging
Fix https://github.com/poseidon/typhoon/issues/823
2020-09-12 19:40:00 -07:00
Dalton Hubble
d236628e53
Update Prometheus from v2.20.0 to v2.21.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.21.0
2020-09-12 19:20:54 -07:00
Dalton Hubble
000c11edf6
Update IngressClass resources to networking.k8s.io/v1
...
* Kubernetes v1.19 graduated Ingress and IngressClass from
networking.k8s.io/v1beta1 to networking.k8s.io/v1
2020-09-10 23:25:53 -07:00
Dalton Hubble
29b16c3fc0
Change seccomp annotations to seccompProfile
...
* seccomp graduated to GA in Kubernetes v1.19. Support for
seccomp alpha annotations will be removed in v1.22
* Replace seccomp annotations with the GA seccompProfile
field in the PodTemplate securityContext
* Switch profile from `docker/default` to `runtime/default`
(no effective change, since docker is the runtime)
* Verify with docker inspect SecurityOpt. Without the profile,
you'd see `seccomp=unconfined`
Related: https://github.com/poseidon/terraform-render-bootstrap/pull/215
2020-09-10 01:15:07 -07:00
Dalton Hubble
d45dfdbf91
Update nginx-ingress from v0.34.1 to v0.35.0
...
* Repo changed to k8s.gcr.io/ingress-nginx/controller
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.35.0
2020-08-29 13:38:28 -07:00
Dalton Hubble
a504264e24
Update Grafana from v7.1.4 to v7.1.5
...
* https://github.com/grafana/grafana/releases/tag/v7.1.5
2020-08-27 08:52:07 -07:00
Dalton Hubble
58def65a09
Update Grafana from v7.1.3 to v7.1.4
...
* https://github.com/grafana/grafana/releases/tag/v7.1.4
2020-08-22 15:40:09 -07:00
Dalton Hubble
e1d6ab2f24
Update Grafana from v7.1.1 to v7.1.3
...
* https://github.com/grafana/grafana/releases/tag/v7.1.3
* https://github.com/grafana/grafana/releases/tag/v7.1.2
2020-08-08 18:59:49 -07:00
Dalton Hubble
2aef42d4f6
Update Prometheus from v2.19.2 to v2.20.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.20.0
2020-07-25 16:37:28 -07:00
Dalton Hubble
b7d67757de
Update Grafana from v7.1.0 to v7.1.1
...
* https://github.com/grafana/grafana/releases/tag/v7.1.1
2020-07-25 16:33:40 -07:00
Dalton Hubble
618f8b30fd
Update CoreDNS from v1.6.7 to v1.7.0
...
* https://coredns.io/2020/06/15/coredns-1.7.0-release/
* Update Grafana dashboard with revised metrics names
2020-07-25 15:51:31 -07:00
Dalton Hubble
efd4a0319d
Update Grafana from v7.0.6 to v7.1.0
...
* https://github.com/grafana/grafana/releases/tag/v7.1.0
2020-07-18 13:54:56 -07:00
Dalton Hubble
a8d3d3bb12
Update ingress-nginx from v0.33.0 to v0.34.1
...
* Switch to ingress-nginx controller images from us.grc.io (eu, asia
can also be used if desired)
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.34.1
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.34.0
2020-07-15 22:43:49 -07:00
Dalton Hubble
dfd2a0ec23
Update Grafana from v7.0.5 to v7.0.6
...
* https://github.com/grafana/grafana/releases/tag/v7.0.6
2020-07-09 21:10:48 -07:00
Dalton Hubble
e3bf7d8f9b
Update Prometheus from v2.19.1 to v2.19.2
...
* https://github.com/prometheus/prometheus/releases/tag/v2.19.2
2020-07-09 21:08:55 -07:00
Dalton Hubble
74e025c9e4
Update Grafana from v7.0.4 to v7.0.5
...
* https://github.com/grafana/grafana/releases/tag/v7.0.5
2020-07-05 15:49:34 -07:00
Dalton Hubble
21178868db
Revert "Update Prometheus from v2.19.1 to v2.19.2"
...
* Prometheus has not published the v1.19.2
* This reverts commit 81b6f54169.
2020-06-27 14:53:58 -07:00
Dalton Hubble
81b6f54169
Update Prometheus from v2.19.1 to v2.19.2
...
* https://github.com/prometheus/prometheus/releases/tag/v2.19.2
2020-06-27 14:34:30 -07:00
Dalton Hubble
a79ad34ba3
Update Grafana from v7.0.3 to v7.0.4
...
* https://github.com/grafana/grafana/releases/tag/v7.0.4
2020-06-26 02:06:38 -07:00
Dalton Hubble
99a11442c7
Update Prometheus from v2.19.0 to v2.19.1
...
* https://github.com/prometheus/prometheus/releases/tag/v2.19.1
2020-06-26 02:01:58 -07:00
Dalton Hubble
bc9b808d44
Update nginx-ingress from v0.32.0 to v0.33.0
...
* https://github.com/kubernetes/ingress-nginx/releases/tag/controller-0.33.0
2020-06-16 18:44:40 -07:00
Dalton Hubble
04520e447c
Update node-exporter from v1.0.0 to v1.0.1
...
* https://github.com/prometheus/node_exporter/releases/tag/v1.0.1
2020-06-16 17:57:09 -07:00
Dalton Hubble
c9059d3fe9
Update Prometheus from v2.19.0-rc.0 to v2.19.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.19.0
2020-06-09 23:05:03 -07:00
Dalton Hubble
31d02b0221
Update Prometheus from v2.18.1 to v2.19.0-rc.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.19.0-rc.0
2020-06-05 00:16:45 -07:00
Dalton Hubble
8f875f80f5
Update Grafana from v7.0.1 to v7.0.3
...
* https://github.com/grafana/grafana/releases/tag/v7.0.2
* https://github.com/grafana/grafana/releases/tag/v7.0.3
2020-06-03 12:31:58 -07:00
Dalton Hubble
16c0b9152b
Update kube-state-metrics from v1.9.6 to v1.9.7
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.9.7
2020-06-03 11:35:10 -07:00
Dalton Hubble
187bb17d39
Update Grafana from v7.0.0 to v7.0.1
...
* https://github.com/grafana/grafana/releases/tag/v7.0.1
2020-05-27 21:35:24 -07:00
Dalton Hubble
abc31c3711
Update node-exporter from v1.0.0-rc.1 to v1.0.0
...
* https://github.com/prometheus/node_exporter/releases/tag/v1.0.0
2020-05-27 21:33:03 -07:00
Dalton Hubble
3bdddc452c
Update Grafana from v7.0.0-beta2 to v7.0.0
...
* https://grafana.com/docs/grafana/latest/guides/whats-new-in-v7-0/
2020-05-18 23:42:32 -07:00
Dalton Hubble
2578be1f96
Rollback Grafana to v7.0.0-beta3, v7.0.0 image is missing
...
* Grafana hasn't published the v7.0.0 image yet
2020-05-16 12:32:10 -07:00
Dalton Hubble
90edcd3d77
Update node-exporter from v1.0.0-rc.0 to v1.0.0-rc.1
...
* https://github.com/prometheus/node_exporter/releases/tag/v1.0.0-rc.1
2020-05-15 18:03:19 -07:00
Dalton Hubble
a927c7c790
Update kube-state-metrics from v1.9.5 to v1.9.6
...
* https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.9.6
2020-05-15 17:42:24 -07:00
Dalton Hubble
d952576d2f
Update Grafana from v7.0.0-beta3 to v7.0.0
...
* https://github.com/grafana/grafana/releases/tag/7.0.0
2020-05-15 17:38:59 -07:00
Dalton Hubble
f4194cd57a
Update Grafana from v7.0.0-beta2 to v7.0.0-beta.3
...
* https://github.com/grafana/grafana/releases/tag/v7.0.0-beta3
2020-05-09 17:50:40 -07:00
Dalton Hubble
3f0a5d2715
Update Grafana from v7.0.0-beta1 to v7.0.0-beta2
...
* https://github.com/grafana/grafana/releases/tag/v7.0.0-beta2
2020-05-07 23:04:44 -07:00
Dalton Hubble
33173c0206
Update Prometheus from v2.18.0 to v2.18.1
...
* https://github.com/prometheus/prometheus/releases/tag/v2.18.1
2020-05-07 22:59:11 -07:00
Dalton Hubble
70f30d9c07
Update Prometheus from v2.18.0-rc.1 to v2.18.0
...
* https://github.com/prometheus/prometheus/releases/tag/v2.18.0
2020-05-05 22:31:11 -07:00
Dalton Hubble
6afc1643d9
Update nginx-ingress from v0.30.0 to v0.32.0
...
* Add support for IngressClass and RBAC authorization
* Since our nginx ingress controller example uses the flag
`--ingress-class=public`, add an IngressClass to go along
with it
Rel: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
2020-05-03 23:24:19 -07:00
Dalton Hubble
e71e27e769
Update Prometheus from v2.17.2 to v2.18.0-rc.1
...
* https://github.com/prometheus/prometheus/releases/tag/v2.18.0-rc.1
2020-04-29 20:57:48 -07:00
Dalton Hubble
64035005d4
Update Grafana from v6.7.2 to v7.0.0-beta1
...
* https://github.com/grafana/grafana/releases/tag/v7.0.0-beta1
2020-04-29 20:53:30 -07:00
Dalton Hubble
fd044ee117
Enable Kubelet TLS bootstrap and NodeRestriction
...
* Enable bootstrap token authentication on kube-apiserver
* Generate the bootstrap.kubernetes.io/token Secret that
may be used as a bootstrap token
* Generate a bootstrap kubeconfig (with a bootstrap token)
to be securely distributed to nodes. Each Kubelet will use
the bootstrap kubeconfig to authenticate to kube-apiserver
as `system:bootstrappers` and send a node-unique CSR for
kube-controller-manager to automatically approve to issue
a Kubelet certificate and kubeconfig (expires in 72 hours)
* Add ClusterRoleBinding for bootstrap token subjects
(`system:bootstrappers`) to have the `system:node-bootstrapper`
ClusterRole
* Add ClusterRoleBinding for bootstrap token subjects
(`system:bootstrappers`) to have the csr nodeclient ClusterRole
* Add ClusterRoleBinding for bootstrap token subjects
(`system:bootstrappers`) to have the csr selfnodeclient ClusterRole
* Enable NodeRestriction admission controller to limit the
scope of Node or Pod objects a Kubelet can modify to those of
the node itself
* Ability for a Kubelet to delete its Node object is retained
as preemptible nodes or those in auto-scaling instance groups
need to be able to remove themselves on shutdown. This need
continues to have precedence over any risk of a node deleting
itself maliciously
Security notes:
1. Issued Kubelet certificates authenticate as user `system:node:NAME`
and group `system:nodes` and are limited in their authorization
to perform API operations by Node authorization and NodeRestriction
admission. Previously, a Kubelet's authorization was broader. This
is the primary security motivation.
2. The bootstrap kubeconfig credential has the same sensitivity
as the previous generated TLS client-certificate kubeconfig.
It must be distributed securely to nodes. Its compromise still
allows an attacker to obtain a Kubelet kubeconfig
3. Bootstrapping Kubelet kubeconfigs with a limited lifetime offers
a slight security improvement.
  * An attacker who obtains the kubeconfig can likely obtain the
  bootstrap kubeconfig as well, to obtain the ability to renew
  their access
  * A compromised bootstrap kubeconfig could plausibly be handled
  by replacing the bootstrap token Secret, distributing the token
  to new nodes, and expiration. Whereas a compromised TLS-client
  certificate kubeconfig can't be revoked (no CRL). However,
  replacing a bootstrap token can be impractical in real cluster
  environments, so the limited lifetime is mostly a theoretical
  benefit.
  * Cluster CSR objects are visible via kubectl which is nice
4. Bootstrapping node-unique Kubelet kubeconfigs means Kubelet
clients have more identity information, which can improve the
utility of audits and future features
Rel: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/
Rel: https://github.com/poseidon/terraform-render-bootstrap/pull/185
2020-04-28 19:35:33 -07:00
Dalton Hubble
84ed0a31c3
Update Prometheus from v2.17.1 to v2.17.2
...
* https://github.com/prometheus/prometheus/releases/tag/v2.17.2
2020-04-20 18:09:24 -07:00
Dalton Hubble
2b5dfece93
Update Grafana from v6.7.1 to v6.7.2
...
* https://github.com/grafana/grafana/releases/tag/v6.7.2
2020-04-04 13:13:19 -07:00
Dalton Hubble
d47d40b517
Refresh Prometheus rules/alerts and Grafana dashboards
...
* Refresh upstream Prometheus rules and alerts and Grafana
dashboards
* All Loki recording rules for convenience
2020-03-31 21:53:01 -07:00
Dalton Hubble
076b8e3c42
Update Prometheus from v2.17.0 to v2.17.1
...
* https://github.com/prometheus/prometheus/releases/tag/v2.17.1
2020-03-26 22:17:13 -07:00