  1. OpenShift Monitoring
  2. MON-1772

R&D Guard against heavy load through untrusted PromQL queries


    • Task
    • Resolution: Obsolete
    • Minor
    • Prometheus

      Scenarios exist where it would be handy to run untrusted PromQL queries. This has the potential to DoS the queried Prometheus instance by running very expensive queries.

      Prometheus has protections built in at the instance level (the -query.timeout and -query.max-samples CLI arguments). These arguments are currently passed to the Querier when Prometheus is started.
      It's not immediately obvious why this can't be a per-query limit, and this JIRA is intended to track investigations as to that.
      One major issue is likely how to provide a user interface to pass this limit.

              Unassigned
              jfajersk@redhat.com Jan Fajerski
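One way to approximate a per-query limit without changing Prometheus is to rewrite untrusted requests in a gateway placed in front of the HTTP API. The sketch below is an added example, not code from this issue or from Prometheus: it clamps the API's `timeout` parameter (which Prometheus itself caps at the -query.timeout flag) and rejects range queries with too many evaluation steps. `Limits` and `GuardQuery` are hypothetical names, `start`, `end` and `step` are assumed to be Unix seconds, and the step bound is a stand-in chosen here, not an equivalent of -query.max-samples.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Limits is a hypothetical per-caller policy, not a Prometheus type.
type Limits struct {
	MaxTimeout time.Duration // cap for the HTTP API "timeout" parameter
	MaxPoints  float64       // cap on evaluation steps of a range query
}

// GuardQuery copies query or query_range parameters and applies lim.
func GuardQuery(in url.Values, lim Limits) (url.Values, error) {
	out := url.Values{}
	for k, v := range in {
		out[k] = append([]string(nil), v...)
	}
	// A missing, unparseable or oversized timeout is replaced by the cap.
	d, err := time.ParseDuration(in.Get("timeout"))
	if err != nil || d <= 0 || d > lim.MaxTimeout {
		d = lim.MaxTimeout
	}
	out.Set("timeout", strconv.FormatFloat(d.Seconds(), 'f', -1, 64))
	if !in.Has("step") {
		return out, nil // instant query: only the timeout applies
	}
	// Assumption: start, end and step arrive as Unix seconds.
	var f [3]float64
	for i, k := range []string{"start", "end", "step"} {
		if f[i], err = strconv.ParseFloat(in.Get(k), 64); err != nil {
			return nil, fmt.Errorf("parameter %q: %w", k, err)
		}
	}
	// Negated comparisons make NaN fail closed instead of slipping through.
	if !(f[2] > 0) || !(f[1] >= f[0]) {
		return nil, fmt.Errorf("invalid range or step")
	}
	if n := (f[1]-f[0])/f[2] + 1; !(n <= lim.MaxPoints) {
		return nil, fmt.Errorf("%g steps exceed the limit of %g", n, lim.MaxPoints)
	}
	return out, nil
}

func main() { // constructed input
	fmt.Println(GuardQuery(url.Values{"query": {"up"}, "timeout": {"10m"}}, Limits{5 * time.Second, 1000}))
}
```

The timeout is forwarded as plain seconds, a form the API accepts alongside duration strings.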