[Feature] Support TLS for Metrics endpoints

Problem Statement

Kyverno serves metrics over insecure HTTP only.

$ kubectl port-forward -n kyverno kyverno-admission-controller-55d7867496-xrb9q 8000 &
$ sslyze 127.0.0.1:8000

 CHECKING CONNECTIVITY TO SERVER(S)
 ----------------------------------

   127.1:8000                => ERROR: TLS probing failed: could not find a TLS version and cipher suite supported by the server; discarding scan.

 SCANS COMPLETED IN 10.41535 S

There are no options to configure TLS for Metrics in monitoring documentation either.

Solution Description

Add TLS configuration options for the metrics endpoint. Certificates from TLS Secrets (i.e. issued via CertManager or by the Kyverno self-signed CA) should be supported.

There are four metrics endpoints, one per controller. Only the admission-controller and the cleanup-controller currently have a CA / TLS pair defined. The implementation should cover all four controllers.

Option 1. Re-use the same Kyverno controller CA and TLS pairs (generate two more CA / TLS pairs for the controllers that are currently missing them, following how the cleanup-controller is set up).

Option 2. Allow a separate TLS pair to be configured for metrics in each controller, resulting in new config options and more support required in the Charts etc.

Alternatives

Continue serving insecure metrics only.

Additional Context

Ready when:

  • all four metrics endpoints can be configured to serve metrics over HTTPS
  • tests are implemented
  • monitoring plugin documentation is updated with configuration examples

Feel free to suggest design changes, implementation recommendations, and changes to the readiness criteria.

/assign I'm already working on the implementation based on these assumptions and the initial approval in the Slack discussion below.

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1756973731361059

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.