diff --git a/manifests/kube-state-metrics-deployment.yaml b/manifests/kube-state-metrics-deployment.yaml
index 7477545e6c52f66f284bd28d01ed26cf1d1dfd04..7c0398b68e3b16e8c3d797a42280c64d09fc039b 100644
--- a/manifests/kube-state-metrics-deployment.yaml
+++ b/manifests/kube-state-metrics-deployment.yaml
@@ -18,7 +18,12 @@ spec:
 app.kubernetes.io/version: v1.9.4
 spec:
 containers:
- - image: quay.io/coreos/kube-state-metrics:v1.9.4
+ - args:
+ - --host=127.0.0.1
+ - --port=8081
+ - --telemetry-host=127.0.0.1
+ - --telemetry-port=8082
+ image: quay.io/coreos/kube-state-metrics:v1.9.4
 livenessProbe:
 httpGet:
 path: /healthz
@@ -26,11 +31,7 @@ spec:
 initialDelaySeconds: 5
 timeoutSeconds: 5
 name: kube-state-metrics
- ports:
- - containerPort: 8080
- name: http-metrics
- - containerPort: 8081
- name: telemetry
+ ports: null
 readinessProbe:
 httpGet:
 path: /
@@ -39,6 +40,26 @@ spec:
 timeoutSeconds: 5
 securityContext:
 runAsUser: 65534
+ - args:
+ - --logtostderr
+ - --secure-listen-address=:8443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ - --upstream=http://127.0.0.1:8081/
+ image: quay.io/coreos/kube-rbac-proxy:v0.4.1
+ name: kube-rbac-proxy-main
+ ports:
+ - containerPort: 8443
+ name: https-main
+ - args:
+ - --logtostderr
+ - --secure-listen-address=:9443
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ - --upstream=http://127.0.0.1:8082/
+ image: quay.io/coreos/kube-rbac-proxy:v0.4.1
+ name: kube-rbac-proxy-self
+ ports:
+ - containerPort: 9443
+ name: https-self
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
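Review bot: The `livenessProbe` kept at the end of the first hunk, and the `readinessProbe` kept in the second, may no longer be answerable once `--host=127.0.0.1` and `--telemetry-host=127.0.0.1` bind kube-state-metrics to loopback, because the kubelet sends httpGet probes to the pod IP. The `port:` line of each probe falls between the hunks and is not shown, so this is inferred; if they still reference 8080/8081 or the removed `http-metrics`/`telemetry` port names, the container would fail its probes and be restarted. Either remove both probes from this container or point them at an endpoint that is reachable on the pod IP. A comment above the new args would also help, for example `# loopback only: all access goes through the kube-rbac-proxy sidecars`. The container mapping starts and ends outside these hunks.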
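Review bot: The `--tls-cipher-suites` value on both new kube-rbac-proxy containers (third hunk) still allows `TLS_RSA_WITH_AES_128_CBC_SHA256`, which has no forward secrecy, plus two CBC-mode ECDHE suites alongside the GCM ones. Unless a scraper in this environment needs them, both lists could be narrowed to `--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`. The two sidecars are also added without a `securityContext`, while the kube-state-metrics container just above sets `runAsUser: 65534`. Since they listen on the unprivileged ports 8443 and 9443, the same setting looks applicable and would keep the pod consistently non-root.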
diff --git a/manifests/kube-state-metrics-service.yaml b/manifests/kube-state-metrics-service.yaml
index fd4b655c603f4dce0237de14f6fa3ed7a9ffa408..842e32939ca3c47dcf0c8e9d041a67327bddf3e7 100644
--- a/manifests/kube-state-metrics-service.yaml
+++ b/manifests/kube-state-metrics-service.yaml
@@ -9,11 +9,11 @@ metadata:
 spec:
 clusterIP: None
 ports:
- - name: http-metrics
- port: 8080
- targetPort: http-metrics
- - name: telemetry
- port: 8081
- targetPort: telemetry
+ - name: https-main
+ port: 8443
+ targetPort: https-main
+ - name: https-self
+ port: 9443
+ targetPort: https-self
 selector:
 app.kubernetes.io/name: kube-state-metrics
diff --git a/manifests/kube-state-metrics-serviceMonitor.yaml b/manifests/kube-state-metrics-serviceMonitor.yaml
index b396ddcd2816551a8f586da188955e80ffcf7728..afb96734cb850cf8bd2dd5f5563b8187c3c4831b 100644
--- a/manifests/kube-state-metrics-serviceMonitor.yaml
+++ b/manifests/kube-state-metrics-serviceMonitor.yaml
@@ -3,22 +3,29 @@ kind: ServiceMonitor
 metadata:
 labels:
 app.kubernetes.io/name: kube-state-metrics
- app.kubernetes.io/version: v1.9.4
+ app.kubernetes.io/version: 1.9.4
 name: kube-state-metrics
 namespace: monitoring
 spec:
 endpoints:
- - honorLabels: true
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ honorLabels: true
 interval: 30s
- port: http-metrics
+ port: https-main
 relabelings:
 - action: labeldrop
 regex: (pod|service|endpoint|namespace)
+ scheme: https
 scrapeTimeout: 30s
- - interval: 30s
- port: telemetry
+ tlsConfig:
+ insecureSkipVerify: true
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ port: https-self
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
 jobLabel: app.kubernetes.io/name
 selector:
 matchLabels:
 app.kubernetes.io/name: kube-state-metrics
- app.kubernetes.io/version: v1.9.4
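Review bot: Both ServiceMonitor endpoints now send the service-account token from `bearerTokenFile` over a connection with `tlsConfig.insecureSkipVerify: true`, so the token is presented to whatever answers on `https-main` and `https-self` without the server being authenticated. The encryption therefore only protects against passive observers. A stronger setup gives kube-rbac-proxy a serving certificate from a CA that Prometheus trusts and replaces the flag with `caFile` and `serverName` under `tlsConfig`. If the self-signed default has to stay for now, a comment should record it, for example `# kube-rbac-proxy serves a self-signed cert; server identity is not verified`. Separately, the metadata label becomes `app.kubernetes.io/version: 1.9.4` here while the Deployment hunk still shows `v1.9.4`, which looks unintended.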