  1. OpenShift Monitoring
  2. MON-2240

Investigate removal of kube-rbac-proxy from prometheus-operator


    • Task
    • Resolution: Done
    • prometheus-operator
    • Sprint 214

      kube-rbac-proxy currently protects the /metrics endpoint in the prometheus-operator.

      The operator is deployed as a TLS-enabled server, and its metrics endpoint is scraped by Prometheus through kube-rbac-proxy over mTLS.

      This task is to investigate the removal of kube-rbac-proxy entirely, since the current setup allows anyone to query other endpoints from any pod in the cluster.

      For example, the following will return a 200 response.

      curl -k 'https://prometheus-operator.openshift-monitoring.svc:8080/apis/monitoring.coreos.com/v1/namespaces/openshift-monitoring/prometheuses/k8s/status'
       

            pgough@redhat.com Philip Gough
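
Added example, not part of the original issue or the project's code: a static check for the exposure described above, where a Service port or a non-loopback proxy upstream lets clients reach the operator without passing through kube-rbac-proxy. The manifests are constructed; port 8443 and the port names `https` and `web` are assumptions.

```python
# Added example (not from the issue or the project): audit a workload for
# paths to the backend that bypass its kube-rbac-proxy sidecar.
from urllib.parse import urlparse

PROXY = "kube-rbac-proxy"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed manifests; port 8443 and names "https"/"web" are assumptions.
POD = {"containers": [
    {"name": "prometheus-operator",
     "ports": [{"name": "web", "containerPort": 8080}]},
    {"name": PROXY,
     "args": ["--secure-listen-address=:8443",
              "--upstream=https://prometheus-operator.openshift-monitoring.svc:8080/"],
     "ports": [{"name": "https", "containerPort": 8443}]},
]}
SERVICE = {"ports": [{"name": "https", "port": 8443, "targetPort": "https"},
                     {"name": "web", "port": 8080, "targetPort": "web"}]}


def owner_of(pod, target):
    """Return the container that declares `target` (port name or number)."""
    for c in pod["containers"]:
        for p in c.get("ports", []):
            if target in (p.get("name"), p["containerPort"]):
                return c["name"]
    return None  # undeclared ports can still be listening


def audit(pod, service):
    findings = []
    # 1. Service ports that land on a container other than the proxy.
    for sp in service["ports"]:
        owner = owner_of(pod, sp.get("targetPort", sp["port"]))
        if owner != PROXY:
            findings.append(f"service port {sp['port']} reaches "
                            f"{owner or 'an undeclared port'} without the proxy")
    # 2. A non-loopback upstream means the backend listens on the pod network.
    for c in pod["containers"]:
        for arg in c.get("args", []) if c["name"] == PROXY else []:
            if arg.startswith("--upstream="):
                host = urlparse(arg.split("=", 1)[1]).hostname
                if host not in LOOPBACK:
                    findings.append(f"proxy upstream {host} is not loopback, "
                                    "so the backend listens on the pod network")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(POD, SERVICE)))
```

An empty result means every Service port terminates at the proxy and the proxy forwards only to loopback; it does not prove the backend binds to loopback, which still has to be confirmed from the backend's own listen address.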