Thanks to https://github.com/openshift/cluster-monitoring-operator/pull/1282, Prometheus is able to authenticate using TLS certificates instead of bearer tokens when scraping metrics. This improves the reliability of metrics collection and lowers the load on the API server since there's no additional round-trip to the authentication/authorization APIs. The initial work targeted kubelet, kube-state-metrics, node_exporter and prometheus-operator. We need to follow up for all other monitoring components:
Prometheus adapter(no kube-rbac-proxy - would require #425)
- Thanos querier
- UWM components
- Prometheus scrapes monitoring components using TLS certificates.
- Bearer tokens are removed from all monitoring service monitors.