Client Authentication against the API server and kubelet

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

By default the Agent authenticates against the API server and kubelet with its service account bearer token. If you want to specify its path, set the options below. If X509 client certificates are set, either for the kubelet or API server, they are used instead. The recommended way to expose these files to the Agent is by using Kubernetes Secrets.

bearer_token_path: /var/run/secrets/kubernetes.io/serviceaccount/token
apiserver_client_crt: /path/to/client.crt
apiserver_client_key: /path/to/client.key
kubelet_client_crt: /path/to/client.crt
kubelet_client_key: /path/to/client.key

Server authentication for API server and kubelet

Datadog uses the default CA certificate of the Agent’s service account to verify the API server’s identity. To use custom certificates, specify the path in your configuration file.

apiserver_ca_cert: /path/to/cacert.crt
kubelet_client_ca: /path/to/ca.pem

The default for kubelet traffic is to first try to use the read-only port that doesn’t require TLS and then to fall back to the HTTPS API with simple TLS validation. Providing a cert forces TLS validation on. Explicitly disabling tls_verify should be used with caution: if an attacker sniffs the Agent requests they will see the Agent’s service account bearer token.

kubelet_tls_verify: True

Alternate option: kubeconfig

Alternately, you can use kubeconfig for API server authentication. Use the DD_KUBERNETES_KUBECONFIG_PATH environment variable to specify the path, or the equivalent option in datadog.yaml.

kubernetes_kubeconfig_path: /path/to/file
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft