Howdy all 👋 Is it expected that the

kube-controller-manager

metrics on port 10252 are not exposed in RKE2 deployments. We are currently testing

v1.22.9+rke2r2

deployed via Rancher

v2.6.5

and are seeing the following differences from RKE deployments. Thanks a lot. RKE cluster:

# netstat -tulpn | grep kube-contro
tcp6       0      0 :::10252                :::*                    LISTEN      17396/kube-controll
tcp6       0      0 :::10257                :::*                    LISTEN      17396/kube-controll

RKE2 cluster:

# netstat -tulpn | grep kube-contro
tcp        0      0 127.0.0.1:10257         0.0.0.0:*               LISTEN      39961/kube-controll

you can override the default flags for that component with --kube-controller-manager-arg and change the bind-address value to 0.0.0.0 if you’d like to expose it.

would that also expose the metrics port missing on the RKE2 instance?

it’s just bind-address, it doesn’t have a separate listener for metrics

in RKE, the 10252 is an HTTP endpoint vs HTTPS 🤔

it depends on the Kubernetes version. They switched everything over to secure at some point.

seeing that now after validating on an RKE cluster running the same 1.22.9 version. working on updating our scrapers to use the https endpoint with auth now

I don't remember about this one specifically, but I think some had an option for insecure port enable to turn the HTTP port back on (I was looking at some Kubernetes lockdown guidance and it was saying to verify those options weren't present on 3-6 different items).