Merge pull request #1836 from lunarwhite/np-patch

cert-manager-prow[bot] · web-flow · commit 45563b304408 · 2025-11-06T10:48:38.000Z
Add network requirements for 'metrics server' to 'webhook, cainjector' for 1.16+ versions
diff --git a/content/docs/installation/best-practice.md b/content/docs/installation/best-practice.md
@@ -111,9 +111,9 @@ Here is an overview of the network requirements:
 
    > ℹ️ The acmesolver Pod **does not** require access to the Kubernetes API server.
 
-1. **TCP: Metrics Server -> cert-manager (controller)**:
-   The cert-manager controller has a metrics server which listens for HTTP connections on TCP port 9402.
-   Create a network policy which allows access to this service from your chosen metrics collector.
+1. **TCP: Metrics Collector -> cert-manager (controller, webhook, cainjector)**:
+   The cert-manager controller, webhook, and cainjector have metrics servers which listen for HTTP connections on TCP port 9402.
+   Create a network policy which allows access to these services from your chosen metrics collector.
 
 ## Isolate cert-manager on dedicated node pools
 
diff --git a/content/v1.16-docs/installation/best-practice.md b/content/v1.16-docs/installation/best-practice.md
@@ -111,9 +111,9 @@ Here is an overview of the network requirements:
 
    > ℹ️ The acmesolver Pod **does not** require access to the Kubernetes API server.
 
-1. **TCP: Metrics Server -> cert-manager (controller)**:
-   The cert-manager controller has a metrics server which listens for HTTP connections on TCP port 9402.
-   Create a network policy which allows access to this service from your chosen metrics collector.
+1. **TCP: Metrics Collector -> cert-manager (controller, webhook, cainjector)**:
+   The cert-manager controller, webhook, and cainjector have metrics servers which listen for HTTP connections on TCP port 9402.
+   Create a network policy which allows access to these services from your chosen metrics collector.
 
 ## Isolate cert-manager on dedicated node pools
 
diff --git a/content/v1.17-docs/installation/best-practice.md b/content/v1.17-docs/installation/best-practice.md
@@ -111,9 +111,9 @@ Here is an overview of the network requirements:
 
    > ℹ️ The acmesolver Pod **does not** require access to the Kubernetes API server.
 
-1. **TCP: Metrics Server -> cert-manager (controller)**:
-   The cert-manager controller has a metrics server which listens for HTTP connections on TCP port 9402.
-   Create a network policy which allows access to this service from your chosen metrics collector.
+1. **TCP: Metrics Collector -> cert-manager (controller, webhook, cainjector)**:
+   The cert-manager controller, webhook, and cainjector have metrics servers which listen for HTTP connections on TCP port 9402.
+   Create a network policy which allows access to these services from your chosen metrics collector.
 
 ## Isolate cert-manager on dedicated node pools
 
diff --git a/content/v1.18-docs/installation/best-practice.md b/content/v1.18-docs/installation/best-practice.md
@@ -111,9 +111,9 @@ Here is an overview of the network requirements:
 
    > ℹ️ The acmesolver Pod **does not** require access to the Kubernetes API server.
 
-1. **TCP: Metrics Server -> cert-manager (controller)**:
-   The cert-manager controller has a metrics server which listens for HTTP connections on TCP port 9402.
-   Create a network policy which allows access to this service from your chosen metrics collector.
+1. **TCP: Metrics Collector -> cert-manager (controller, webhook, cainjector)**:
+   The cert-manager controller, webhook, and cainjector have metrics servers which listen for HTTP connections on TCP port 9402.
+   Create a network policy which allows access to these services from your chosen metrics collector.
 
 ## Isolate cert-manager on dedicated node pools
 
