Skip to content

List of all secrets does not work in restricted cluster - SSL Exporter needs to scope secret listing to a single namespace where possible #159

New issue
New issue
Open
#179
Open
List of all secrets does not work in restricted cluster - SSL Exporter needs to scope secret listing to a single namespace where possible#159
#179
@deviarchscs

Description

@deviarchscs
deviarchscs
opened on Feb 16, 2024

We are running the SSL Exporter in a restricted k8s cluster where we don't have access to all namespaces and all resources.
When we try monitoring a certificate in a k8s secret, the script first try to list every secrets in the cluster. This step is failing with a Forbidden message by the API server.
Listing is done by following line:

ssl_exporter/prober/kubernetes.go

Line 47 in 890c510

secrets, err := client.CoreV1().Secrets("").List(ctx, metav1.ListOptions{FieldSelector: "type=kubernetes.io/tls"})

A solution would be to list secrets ONLY in the particular namespace when it is possible (ie: when the namespace is complete and does not contain any wildcards/regex).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions