Using kube-rbac-proxy to secure Kubernetes workloads

While working on and around monitoring Kubernetes clusters with Prometheus, I have noticed a recurring problem: metrics that are retrieved by Prometheus may contain sensitive information (for example, the Prometheus node-exporter exposes the kernel version of the host), which a potential intruder may use to exploit their way through the respective Kubernetes cluster. So I asked myself the question: how does one authenticate and authorize requests from Prometheus so that Prometheus, and only Prometheus, can retrieve metrics from an application running in a Pod?


kube-state-metrics: the past, the present, and the future

The kube-state-metrics project is a service you can deploy in your Kubernetes cluster. It watches Kubernetes objects in order to expose metrics in the Prometheus format. The project lives under the umbrella of the Kubernetes organization and was started by Sam Ghods at Box in May 2016. The project has been growing in popularity, so I wanted to share its current state and what I believe the future holds. This post will particularly focus on the architectural changes that the project has undergone and explain the reasoning for the more significant ones.
