Disable kube-rbac-proxy from prometheus-exporter-operator controller-manager #26
/kind feature

/lgtm

LGTM label has been added. Git tree hash: 81832963d343714fa6597e71a85f79fc36b6afa0

/lgtm

/shrug

/approve

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: slopezz. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
containers: | ||
- name: manager | ||
args: | ||
- "--metrics-addr=0.0.0.0:8080" |
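Review bot: `--metrics-addr=0.0.0.0:8080` binds the manager's metrics listener on every interface with nothing authenticating requests in front of it, so once the kube-rbac-proxy sidecar is gone any workload that can reach the pod can scrape it; call that out in the PR description and consider a NetworkPolicy limiting ingress on 8080 to the monitoring namespace.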
@slopezz it means that ANY person can have access to your metrics; it is not a good practice at all.
You should ensure that your metrics endpoint is well protected.
kube-rbac-proxy is used by default on operator-sdk to protect the operator metrics path, in case you don't want anyone in the cluster but only k8s-authenticated resources to be able to access them. But there are 2 current issues with kube-rbac-proxy:

- Moving from kube-rbac-proxy:v0.5.0 to the latest kube-rbac-proxy:v0.8.0 causes an error on OpenShift 4.6+ (Ansible operator-sdk v1.5.0 with updated kube-rbac-proxy:v0.8.0 fails to run with permission denied, operator-framework/operator-sdk#4684). openshift4/ose-kube-rbac-proxy:v4.7.0 works OK, but this image is behind the registry.redhat.io registry, which requires authentication if not using OpenShift (it doesn't work directly on vanilla k8s), so you need to maintain 2 different bundles with different proxy images if you want to run the operator on both OpenShift and K8s, which makes maintenance more complex.
- The bearerTokenFile field (which is needed to scrape metrics behind kube-rbac-proxy): Prometheus ServiceMonitor failing to scrape operator metrics served through kube-proxy HTTPS 8443 port, operator-framework/operator-sdk#4764 (comment), so it seems there is no way of having operator metrics with auth if using OCP UWM.

For that reason, taking into account that operator metrics are not that important to have them with forced auth, I have disabled the kube-rbac-proxy container (making a few changes to make that work with a new patch, and leaving the default proxy yamls there, in case they want to be enabled easily in the future), so anyone once inside the cluster could check operator metrics without any problem on both OCP and k8s (even if using OCP UWM).
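As an added example (not from this PR or the operator's own manifests), the metrics path described above once the proxy sidecar is gone: the ServiceMonitor scrapes plain HTTP on 8080 instead of HTTPS 8443 with bearerTokenFile, and a NetworkPolicy is the compensating control for the now-unauthenticated endpoint. Resource names, the namespace and the labels are assumptions.

```yaml
# Added example, not from the PR. Names, namespace and labels are assumptions.
# Metrics stay on plain HTTP; a NetworkPolicy limits who can reach them.
apiVersion: v1
kind: Service
metadata:
  name: controller-manager-metrics-service
  namespace: prometheus-exporter-operator-system
  labels:
    control-plane: controller-manager
spec:
  selector:
    control-plane: controller-manager
  ports:
    - name: http        # plain HTTP from --metrics-addr=0.0.0.0:8080, no proxy
      port: 8080
      targetPort: 8080
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: controller-manager-metrics-monitor
  namespace: prometheus-exporter-operator-system
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  endpoints:
    - port: http
      path: /metrics
      # No scheme: https, tlsConfig or bearerTokenFile here; those belong to the
      # kube-rbac-proxy 8443 endpoint that UWM could not scrape.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: controller-manager-metrics-ingress
  namespace: prometheus-exporter-operator-system
spec:
  podSelector:
    matchLabels:
      control-plane: controller-manager
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-user-workload-monitoring  # assumed
      ports:
        - protocol: TCP
          port: 8080
```

The NetworkPolicy is only enforced by a CNI that implements it, and selecting the manager pod blocks all other ingress to it, so any webhook or other listener on that pod needs its own allow rule. The monitoring namespace name is an assumption about where the UWM Prometheus runs.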