x509-certificate-exporter in a hardened Kubernetes cluster #193
ErikLundJensen started this conversation in General
The x509-certificate-exporter requires access to the files that are watched. This requires that the pod running x509-certificate-exporter actually has access to the files via hostPath. In a hardened Kubernetes cluster the hostPath should be restricted and giving pods access to private keys/certificates of the cluster is a potential threat.
Have you ever discussed if x509-certificate-exporter also could watch certificates returned by a URL?
For example, monitor the kube-api-server using the URL of the API instead of the files at the nodes.
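
As an illustration of the approach asked about above (an added example, not code from x509-certificate-exporter and not an existing feature of it): a monitoring pod can read the certificate chain an endpoint serves during the TLS handshake and check its expiry without any hostPath mount or access to private keys. This only covers certificates that are presented on the wire by a listening endpoint; certificates that exist solely as files on a node are not visible this way. The function names and the default address `kubernetes.default.svc:443` are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"fmt"
	"log"
	"net"
	"time"
)

// FetchServedCerts (hypothetical helper) handshakes with addr ("host:port") and
// returns the chain the server presented. Only public certificates cross the wire.
func FetchServedCerts(addr string, timeout time.Duration) ([]*x509.Certificate, error) {
	// Verification is off on purpose: an expired or privately signed certificate
	// must still be readable for reporting. Nothing is sent after the handshake.
	cfg := &tls.Config{InsecureSkipVerify: true}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg)
	if err != nil {
		return nil, fmt.Errorf("handshake with %s: %w", addr, err)
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// ExpiringWithin returns the certificates whose NotAfter is before now+window.
func ExpiringWithin(certs []*x509.Certificate, now time.Time, window time.Duration) []*x509.Certificate {
	var soon []*x509.Certificate
	for _, c := range certs {
		if c.NotAfter.Before(now.Add(window)) {
			soon = append(soon, c)
		}
	}
	return soon
}

func main() {
	// Default is the usual in-cluster API service name (assumed for this example).
	addr := flag.String("addr", "kubernetes.default.svc:443", "TLS endpoint to probe")
	flag.Parse()
	certs, err := FetchServedCerts(*addr, 5*time.Second)
	if err != nil {
		log.Fatal(err)
	}
	for _, c := range ExpiringWithin(certs, time.Now(), 30*24*time.Hour) {
		log.Printf("%s expires %s", c.Subject, c.NotAfter.Format(time.RFC3339))
	}
}
```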