
kubelet-serving-cert-approver

Automatically approves kubelet serving certificate signing requests.

kubelet-serving-cert-approver is a small controller that watches CertificateSigningRequest objects submitted by kubelets for the kubernetes.io/kubelet-serving signer and approves them only when they satisfy that signer's rules: the requester is a node identity (system:node:&lt;name&gt; in the system:nodes group), the request's subject names the same node, the usages are for server authentication, and every SAN is a hostname or IP that the node actually reports. By default, kube-controller-manager auto-approves only kubelet client CSRs, not serving CSRs, so kubelets never receive a CA-issued serving certificate and metrics-server and other components cannot scrape kubelet metrics over verified TLS without --kubelet-insecure-tls. This controller closes that gap.
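The approval rules sketched above, written out as an added Go example using only the standard library; this is not the controller's own code. It decodes the PKCS#10 request carried in a CSR's spec.request and checks requester identity, subject, usages and SANs. The CSR struct, the NodeAddresses map standing in for Node status.addresses, the node worker-1 and its addresses are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"slices"
	"strings"
)

// CSR carries the fields of a Kubernetes CertificateSigningRequest spec that the
// approval decision depends on, copied by hand so the example runs without client-go.
type CSR struct {
	SignerName string   // spec.signerName
	Username   string   // spec.username, the identity that submitted the request
	Groups     []string // spec.groups
	Usages     []string // spec.usages
	Request    []byte   // spec.request, a PEM-encoded PKCS#10 request
}

// NodeAddresses maps a node name to the hostnames and IPs listed in its
// status.addresses. A real controller would read the Node objects instead.
type NodeAddresses map[string][]string

// ShouldApprove reports whether a CSR meets the kubelet-serving approval rules
// and, when it does not, which rule it failed.
func ShouldApprove(c CSR, nodes NodeAddresses) (bool, string) {
	if c.SignerName != "kubernetes.io/kubelet-serving" {
		return false, "signerName is not kubernetes.io/kubelet-serving"
	}
	if !strings.HasPrefix(c.Username, "system:node:") || !slices.Contains(c.Groups, "system:nodes") {
		return false, "requester is not a node identity in system:nodes"
	}
	node := strings.TrimPrefix(c.Username, "system:node:")
	block, _ := pem.Decode(c.Request)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, "spec.request is not a PEM certificate request"
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = req.CheckSignature() // the requester must hold the private key
	}
	if err != nil {
		return false, "invalid request: " + err.Error()
	}
	// The subject must name exactly the node that submitted the CSR.
	if req.Subject.CommonName != c.Username || len(req.Subject.Organization) != 1 || req.Subject.Organization[0] != "system:nodes" {
		return false, fmt.Sprintf("subject %q does not match requester %q", req.Subject.String(), c.Username)
	}
	// A serving certificate must never double as a client credential.
	if !slices.Contains(c.Usages, "server auth") || slices.Contains(c.Usages, "client auth") {
		return false, "usages must include server auth and exclude client auth"
	}
	if len(req.EmailAddresses)+len(req.URIs) > 0 || len(req.DNSNames)+len(req.IPAddresses) == 0 {
		return false, "SANs must be one or more DNS names or IP addresses"
	}
	addrs := nodes[node] // unknown node: no addresses, so every SAN below is rejected
	for _, name := range req.DNSNames {
		if !slices.Contains(addrs, name) {
			return false, fmt.Sprintf("DNS SAN %q is not an address of node %s", name, node)
		}
	}
	for _, ip := range req.IPAddresses {
		if !slices.ContainsFunc(addrs, func(a string) bool { return net.ParseIP(a).Equal(ip) }) {
			return false, fmt.Sprintf("IP SAN %s is not an address of node %s", ip, node)
		}
	}
	return true, ""
}

// NewNodeCSR builds a constructed PKCS#10 request shaped like a kubelet's; it exists only so the example runs offline.
func NewNodeCSR(cn string, dns []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{"system:nodes"}},
		DNSNames: dns, IPAddresses: ips,
	}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	// Constructed node worker-1 with one hostname and one InternalIP.
	nodes := NodeAddresses{"worker-1": {"worker-1", "10.0.0.5"}}
	csr, _ := NewNodeCSR("system:node:worker-1", []string{"worker-1"}, []net.IP{net.ParseIP("10.0.0.5")})
	fmt.Println(ShouldApprove(CSR{"kubernetes.io/kubelet-serving", "system:node:worker-1",
		[]string{"system:nodes"}, []string{"digital signature", "server auth"}, csr}, nodes))
}
```

The SAN check is the part that matters most: a node can only obtain a certificate for names it owns, so a compromised kubelet cannot request one for kubernetes.default.svc or another node's IP and have it approved.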

Installation

Architecture

Deployed via a Flux Kustomization that pulls the upstream standalone-install.yaml directly from the kubelet-serving-cert-approver GitHub repo at tag v0.10.3. The namespace is labeled with pod-security.kubernetes.io/enforce: restricted. No HelmRelease; no local Helm chart.
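A Flux source and Kustomization of the shape described above, added here as an illustration rather than copied from this repository. The upstream repository URL, the deploy path, the ignore rule that narrows the checkout to standalone-install.yaml, and the namespace name are assumptions.

```yaml
# Added example, not this repo's manifests. The URL, the deploy/ path, the ignore
# rule and the namespace name are assumptions made for the illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: kubelet-serving-cert-approver
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: kubelet-serving-cert-approver
  namespace: flux-system
spec:
  interval: 1h
  url: https://github.com/alex1989hu/kubelet-serving-cert-approver
  ref:
    tag: v0.10.3   # the field Renovate bumps
  # Keep only the single upstream manifest in the artifact.
  ignore: |
    /*
    !/deploy/standalone-install.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kubelet-serving-cert-approver
  namespace: flux-system
spec:
  interval: 1h
  prune: true
  wait: true
  sourceRef:
    kind: GitRepository
    name: kubelet-serving-cert-approver
  path: ./deploy
```

Pinning the GitRepository to a tag rather than a branch is what makes the rollout reviewable: the only way the deployed manifest changes is a Renovate PR that moves the tag.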

Security

The namespace enforces the restricted Pod Security Standard (audit, warn, and enforce all set to restricted). The controller needs cluster-wide RBAC to do its job, but the grant is narrow: read access to CertificateSigningRequest objects, update on the certificatesigningrequests/approval subresource, and the approve verb on the signers resource limited by resourceName to kubernetes.io/kubelet-serving. When reviewing the ClusterRole in standalone-install.yaml, confirm that the approve rule carries that resourceName; without it the controller could approve requests for any signer, including kubelet client and API-server client certificates.
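The RBAC shape Kubernetes requires for this role, as an added example and not the upstream ClusterRole verbatim (object names are illustrative). Approval takes two grants, update on the approval subresource and approve on the specific signer; the nodes rule is what a controller needs if it checks SANs against node addresses.

```yaml
# Added example of a minimally scoped approver role; not the upstream manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-serving-cert-approver
rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/approval"]
    verbs: ["update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["kubernetes.io/kubelet-serving"]   # no other signer can be approved
    verbs: ["approve"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]   # needed to compare SANs with status.addresses
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-serving-cert-approver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-serving-cert-approver
subjects:
  - kind: ServiceAccount
    name: kubelet-serving-cert-approver
    namespace: kubelet-serving-cert-approver
```

The signers rule is the one to check: a role that grants approve on signers with no resourceNames is a cluster-wide certificate-issuance capability, not a kubelet-serving approver.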

Updates

Managed by Renovate via the GitRepository tag reference (v0.10.3).

Administration

Usage

No operator interaction is required after installation. The controller runs continuously and approves kubelet serving CSRs as nodes join the cluster and as they rotate their serving certificates, so metrics-server and Prometheus can scrape kubelet /metrics endpoints over TLS with certificate verification left on. To confirm it is working, kubectl get csr should list requests for signer kubernetes.io/kubelet-serving in the Approved,Issued condition; requests that stay Pending mean the approver is not running or rejected them, and the controller's logs are the first place to look.

Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/kubelet-serving-cert-approver/README.md.

Cluster Deployment

kubelet-serving-cert-approver — Talos cluster

Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/kubelet-serving-cert-approver.mdx.

Deviations from defaults

Defaults live in docusaurus/docs/platform/kubelet-serving-cert-approver.mdx — document anything this cluster does differently here, with a one-line reason.