OpenShift Monitoring / MON-3845

metrics-server /metrics authz independently on the apiserver


    • Type: Story
    • Resolution: Unresolved
    • Priority: Undefined

      Currently, metrics-server is using the SubjectAccessReview API to authorize calls to its /metrics; we may want to change that to be less dependent and less demanding on the apiserver.

      kube-rbac-proxy, which we use in front of the other /metrics endpoints, does support local authz, e.g.
      Maybe something similar is already available in metrics-server or can be added.

      Seen after enabling debug logs:

      """
      2024-04-25T22:01:20.689015950Z I0425 22:01:20.688976 1 request.go:1212] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":

      {"creationTimestamp":null}

      ,"spec":{"nonResourceAttributes":

      {"path":"/metrics","verb":"get"}

      ,"user":"system:serviceaccount:openshift-monitoring:prometheus-k8s","groups":["system:authenticated"]},"status":{"allowed":false}}
      2024-04-25T22:01:20.689112170Z I0425 22:01:20.689097 1 round_trippers.go:466] curl -v -XPOST -H "User-Agent: metrics-server/atomic (linux/amd64) kubernetes/85012b0" -H "Authorization: Bearer <masked>" -H "Accept: application/json, /" -H "Content-Type: application/json" 'https://172.30.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews?timeout=10s'
      2024-04-25T22:01:20.693391245Z I0425 22:01:20.693350 1 round_trippers.go:553] POST https://172.30.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews?timeout=10s 201 Created in 4 milliseconds
      2024-04-25T22:01:20.693391245Z I0425 22:01:20.693376 1 round_trippers.go:570] ...
      2024-04-25T22:01:20.693502687Z I0425 22:01:20.693475 1 request.go:1212] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null,"managedFields":[{"manager":"metrics-server","operation":"Update","apiVersion":"authorization.k8s.io/v1","time":"2024-04-25T22:01:20Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:groups":{},"f:nonResourceAttributes":{".":{},"f:path":{},"f:verb":{}},"f:user":{}}}}]},"spec":{"nonResourceAttributes":

      {"path":"/metrics","verb":"get"}

      ,"user":"system:serviceaccount:openshift-monitoring:prometheus-k8s","groups":["system:authenticated"]},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"prometheus-k8s\" of ClusterRole \"prometheus-k8s\" to ServiceAccount \"prometheus-k8s/openshift-monitoring\""}}
      2024-04-25T22:01:20.693616547Z I0425 22:01:20.693599 1 handler.go:153] metrics-server: GET "/metrics" satisfied by nonGoRestful
      2024-04-25T22:01:20.693616547Z I0425 22:01:20.693611 1 pathrecorder.go:241] metrics-server: "/metrics" satisfied by exact match
      2024-04-25T22:01:20.700321918Z I0425 22:01:20.700287 1 httplog.go:132] "HTTP" verb="GET" URI="/metrics" latency="11.655726ms" userAgent="Prometheus/2.51.2" audit-ID="b81a561e-da16-4450-991d-fce087f2f103" srcIP="10.128.0.139:47110" resp=200
      """

            Assignee: Unassigned
            Reporter: Ayoub Mrini (rh-ee-amrini)