Uploaded image for project: 'OpenShift Monitoring'
  1. OpenShift Monitoring
  2. MON-2240

Investigate removal of kube-rbac-proxy from prometheus-operator

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • None
    • prometheus-operator
    • False
    • False
    • NEW
    • NEW
    • Sprint 214

      kube-rbac-proxy currently protects the /metric endpoint in the prometheus-operator.

      The operator is deployed as a TLS enabled server, and its metrics endpoint is scraped by Prometheus through kube-rbac-proxy over mTLS.

      This task is to investigate the removal of kube-rbac-proxy entirely since the current setup allows anyone to query other endpoints from any pod in the cluster

      For example, the following will return a 200 response.

      curl -k 'https://prometheus-operator.openshift-monitoring.svc:8080/apis/monitoring.coreos.com/v1/namespaces/openshift-monitoring/prometheuses/k8s/status'
       

              pgough@redhat.com Philip Gough
              pgough@redhat.com Philip Gough
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: