What happened?
Description
Currently when passed the kubelet-service flag, the operator creates the needed Kubelet service so Prom can scrape its metrics.
GKE recently announced that they would be disabling this port:
What you need to know
We have identified an unauthenticated "read-only" port (10255) in the Kubelet server, which could result in a potential data leak or compromise, if not turned off.
Due to this security issue, we will disable port 10255 in the following phases:
- GKE version 1.32 and higher: Port 10255 will be disabled by default on new clusters. You can still enable it, if necessary, but it is not recommended. Note: There is no change to port 10255 on existing clusters, even on clusters upgraded to 1.32.
- Future GKE versions: Port 10255 will be completely disabled with no option to enable it. Note: We will send further notifications before turning off port 10255 completely.
To ease the GCP automation overlords, and so that they don't continually mark this port usage as insecure, we should be able to control the Prometheus Operator behaviour in order to still create the Kubelet Service, but only reference the secure HTTPS port.
Steps to Reproduce
Deploy Prometheus Operator with the kubelet-service flag enabled.
Expected Result
We should be able to control if the HTTP insecure port reference is created in the generated service or not.
Actual Result
When the kubelet-service flag is enabled, a service is created inside the cluster referencing both the HTTP and HTTPS ports (plus cAdvisor):
ports:
  - name: https-metrics
    port: 10250
    protocol: TCP
    targetPort: 10250
  - name: http-metrics
    port: 10255
    protocol: TCP
    targetPort: 10255
  - name: cadvisor
    port: 4194
    protocol: TCP
    targetPort: 4194
Prometheus Operator Version
v0.74.0
Kubernetes Version
v1.29
Kubernetes Cluster Type
kubeadm
How did you deploy Prometheus-Operator?
helm chart: prometheus-community/kube-prometheus-stack
Manifests
No response
prometheus-operator log output
Anything else?
No response
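As an added illustration (not part of the issue or of prometheus-operator), the check below inspects a Service object shaped like the generated kubelet service above, flags any port entry that references the unauthenticated read-only port 10255, and produces a copy with that entry removed. The Service JSON is a constructed sample mirroring the ports in the issue, not a real cluster dump; the function names are the example's own.

```python
import copy
import json

# Constructed sample, shaped like `kubectl get svc kubelet -n kube-system -o json`
# and carrying the same three ports the generated service in the issue exposes.
KUBELET_SERVICE = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Service",
  "metadata": {"name": "kubelet", "namespace": "kube-system"},
  "spec": {
    "clusterIP": "None",
    "ports": [
      {"name": "https-metrics", "port": 10250, "protocol": "TCP", "targetPort": 10250},
      {"name": "http-metrics",  "port": 10255, "protocol": "TCP", "targetPort": 10255},
      {"name": "cadvisor",      "port": 4194,  "protocol": "TCP", "targetPort": 4194}
    ]
  }
}
""")

# The kubelet read-only port GKE is retiring; it serves metrics without authentication.
INSECURE_KUBELET_PORTS = frozenset({10255})


def find_insecure_ports(service: dict, insecure=INSECURE_KUBELET_PORTS) -> list:
    """Return the Service port entries that reference an insecure kubelet port.

    Both `port` and `targetPort` are checked, because a Service may expose the
    read-only port under a different service port number. `targetPort` may be a
    named port (string), in which case only the numeric `port` can be judged.
    """
    hits = []
    for entry in service.get("spec", {}).get("ports", []):
        target = entry.get("targetPort", entry.get("port"))
        target_hit = isinstance(target, int) and target in insecure
        if entry.get("port") in insecure or target_hit:
            hits.append(entry)
    return hits


def harden_service(service: dict, insecure=INSECURE_KUBELET_PORTS) -> dict:
    """Return a deep copy of the Service with the insecure port entries dropped,
    leaving the original object untouched for comparison or audit logging."""
    flagged = find_insecure_ports(service, insecure)
    hardened = copy.deepcopy(service)
    hardened["spec"]["ports"] = [p for p in service["spec"]["ports"] if p not in flagged]
    return hardened
```

Feeding the output of `kubectl get svc kubelet -n kube-system -o json` through `find_insecure_ports` gives a quick audit of whether a cluster's generated kubelet service still advertises the read-only port.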