The manifests are automatically generated by `kustomize`. If you have a specific need, you can use `kustomize` to generate your own manifests.
- standalone-install.yaml - installs Kubelet Serving Certificate Approver into the `kubelet-serving-cert-approver` namespace following the Principle of Least Privilege.

  In a nutshell:
  - Configured Container Security Context
    - All capabilities dropped
    - Read-only root filesystem
    - Runs unprivileged with disallowed privilege escalation
  - Configured Pod Security Context
    - Runs with non-root user
    - No shell, uses distroless image
  - Configured Pod Security Standards
    - Applied Pod Security Admission labels onto the namespace with the `restricted` Pod Security Standards profile - Only active when the `PodSecurity` feature gate is enabled in your cluster
- ha-install.yaml - the same as Standalone Installation but with multiple replicas.
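To confirm that a rendered or customized manifest still carries the controls listed above, the following added example (not part of the project's own code) audits JSON as returned by `kubectl get ... -o json`. The sample objects are constructed, and checking the `enforce` label is an assumption, since the page does not say which Pod Security Admission modes are labelled.

```python
import json

# Constructed samples shaped like `kubectl get deployment -o json` and
# `kubectl get namespace -o json` output; not copied from the project's manifests.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsNonRoot": true},
  "containers": [{
    "name": "cert-approver",
    "securityContext": {
      "allowPrivilegeEscalation": false,
      "readOnlyRootFilesystem": true,
      "capabilities": {"drop": ["ALL"]}}}]}}}}
""")
SAMPLE_NAMESPACE = {"metadata": {"labels": {"pod-security.kubernetes.io/enforce": "restricted"}}}

def audit_pod_spec(deployment):
    """Return a list of findings; an empty list means every listed control is set."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        drops = [d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities not fully dropped")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: privilege escalation not disallowed")
        if sc.get("privileged") is True:
            findings.append(f"{name}: runs privileged")
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
    return findings

def audit_namespace(namespace):
    """Check the Pod Security Admission enforce label (assumed mode) on the namespace."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    level = labels.get("pod-security.kubernetes.io/enforce")
    return [] if level == "restricted" else [f"PSA enforce level is {level!r}"]

if __name__ == "__main__":
    for finding in audit_pod_spec(SAMPLE_DEPLOYMENT) + audit_namespace(SAMPLE_NAMESPACE):
        print("FAIL", finding)
```

An unset `allowPrivilegeEscalation` or `readOnlyRootFilesystem` is reported as a finding because the Kubernetes defaults for both are the permissive ones.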
You can add extra arguments to the `cert-approver` container:

```yaml
containers:
  - name: cert-approver
    args:
      - --debug
```
You can install a `ServiceMonitor` using the following example:

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubelet-serving-cert-approver
  namespace: kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/name: kubelet-serving-cert-approver
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: kubelet-serving-cert-approver
      app.kubernetes.io/name: kubelet-serving-cert-approver
  endpoints:
    - interval: 60s
      path: /metrics
      port: metrics
  namespaceSelector:
    matchNames:
      - kubelet-serving-cert-approver
```