kubespray-monitoring
Audited by Socket on Feb 28, 2026
1 alert found:
Security

The kubespray-monitoring fragment provides a coherent, functional baseline for deploying a kube-prometheus-stack with etcd metrics and Grafana dashboards. However, it contains security and supply-chain weaknesses: plaintext credentials, unencrypted metrics exposure, static network exposure, and external dashboard downloads without integrity guarantees. To bring this to a security-conscious posture, replace plaintext credentials with Secrets, enable TLS/MTLS for etcd metrics, reduce surface area with Ingress or restricted NodePorts, and implement dashboard integrity rules (hash verification or signing). If these controls are implemented, the pattern remains a practical monitoring deployment with manageable risk.