From c1e77d07022a368a653fe35a34a397608d7fbb19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFc=20Huard?= Date: Tue, 23 Nov 2021 11:48:59 +0100 Subject: [PATCH 1/2] Update the default value of the `bearer_token` parameter to send the bearer token only to secure https endpoints and not to clear text http endpoints. --- kube_scheduler/assets/configuration/spec.yaml | 6 +++--- .../datadog_checks/kube_scheduler/data/auto_conf.yaml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/kube_scheduler/assets/configuration/spec.yaml b/kube_scheduler/assets/configuration/spec.yaml index 1d58b279813ab..c86130125a4bf 100644 --- a/kube_scheduler/assets/configuration/spec.yaml +++ b/kube_scheduler/assets/configuration/spec.yaml @@ -77,9 +77,9 @@ files: against the APIServer to retrieve metrics. enabled: true value: - type: boolean - example: true - default: false + type: string + example: tls_only + default: "false" - name: bearer_token_path description: Used to specify the path where the service account token is located. value: diff --git a/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml b/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml index 805ae3b663785..eaff9e3467e70 100644 --- a/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml +++ b/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml @@ -31,11 +31,11 @@ instances: # # prometheus_url: http://%%host%%:10251/metrics - ## @param bearer_token_auth - boolean - optional - default: true + ## @param bearer_token_auth - string - optional - default: tls_only ## Used if you are using RBACs and need the Agent to authenticate ## against the APIServer to retrieve metrics. # - bearer_token_auth: true + bearer_token_auth: tls_only ## @param bearer_token_path - string - optional - default: /var/run/secrets/kubernetes.io/serviceaccount/token ## Used to specify the path where the service account token is located. 
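Review bot: The description kept as context in the spec.yaml hunk ("… against the APIServer to retrieve metrics.") still does not say what `tls_only` means or which values are accepted, and the comment block above `bearer_token_auth: tls_only` in the auto_conf.yaml hunk has the same gap. Going by the commit subject, `tls_only` sends the token only to https endpoints, so a reader who enables the example `http://%%host%%:10251/metrics` URL should be told that no token is sent to it. I would add a line such as `## Set to tls_only to send the bearer token only to https endpoints, never over clear-text http.` in auto_conf.yaml, and the equivalent sentence in the spec description. The description starts above the spec.yaml hunk, so its opening lines are not visible here.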
From 02b5660b5675444bbf66835bdd2fa49f9c5ec8a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFc=20Huard?= Date: Fri, 10 Dec 2021 12:57:18 +0100 Subject: [PATCH 2/2] Apply suggestions from code review --- kube_scheduler/assets/configuration/spec.yaml | 6 ++++-- .../datadog_checks/kube_scheduler/data/auto_conf.yaml | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/kube_scheduler/assets/configuration/spec.yaml b/kube_scheduler/assets/configuration/spec.yaml index c86130125a4bf..865268428dd5e 100644 --- a/kube_scheduler/assets/configuration/spec.yaml +++ b/kube_scheduler/assets/configuration/spec.yaml @@ -77,9 +77,11 @@ files: against the APIServer to retrieve metrics. enabled: true value: - type: string example: tls_only - default: "false" + default: false + anyOf: + - type: boolean + - type: string - name: bearer_token_path description: Used to specify the path where the service account token is located. value: diff --git a/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml b/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml index eaff9e3467e70..fc3a3d3de6b93 100644 --- a/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml +++ b/kube_scheduler/datadog_checks/kube_scheduler/data/auto_conf.yaml @@ -31,7 +31,7 @@ instances: # # prometheus_url: http://%%host%%:10251/metrics - ## @param bearer_token_auth - string - optional - default: tls_only + ## @param bearer_token_auth - boolean or string - optional - default: tls_only ## Used if you are using RBACs and need the Agent to authenticate ## against the APIServer to retrieve metrics. #
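Review bot: The `- type: string` branch added under `anyOf` in the spec.yaml hunk accepts any string, so a misspelling (a constructed example: `tls-only`) would pass validation. The patch does not show whether the check then sends the token to every endpoint, to none, or fails. For a setting that decides whether a credential travels over clear text, I would constrain the string branch to the single documented value `tls_only` if the spec format allows it, or otherwise list the accepted values in the description. It is also worth confirming that the check rejects unknown strings rather than treating them as truthy.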