  1. OpenShift Bugs
  2. OCPBUGS-41209

network metrics daemon is exposing metrics unsecurely in pod network


    • Bug
    • Resolution: Unresolved
    • 4.16
    • Networking / multus
    • Quality / Stability / Reliability

      Description of problem:

      
      Metrics can be accessed insecurely from, for instance, an application pod. See below:
      
      
      oc get pods -n openshift-multus -o wide | grep network-metrics | head -1
      network-metrics-daemon-2zggs                   2/2     Running   0            3d4h   10.128.0.3    master-0.shrocp4upi416ovn.lab.upshift.rdu2.redhat.com   <none>           <none>
      
      
      oc -n openshift-monitoring exec prometheus-k8s-0 -- curl http://10.128.0.3:9091/metrics
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100 13615    0 13615    0 # HELP pod_network_name_info Metric to identify network names of networks added to pods.
      # TYPE pod_network_name_info gauge
      pod_network_name_info{interface="eth0",namespace="openshift-apiserver",network_name="ovn-kubernetes",pod="apiserver-5b9cf4b94c-jbw2j"} 0
      pod_network_name_info{interface="eth0",namespace="openshift-apiserver-operator",network_name="ovn-kubernetes",pod="openshift-apiserver-operator-84fc88fd69-hr9mq"} 0
      ....
      
      
      
          

      Version-Release number of selected component (if applicable):

       4.16 
      
          


              sdn-team-bot (sdn-team bot)
              rhn-support-gparente (German Parente)
              Weibin Liang
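
A regression check for the behaviour reported above, as an added example that is not part of the issue or of the multus project's code: it requests a metrics URL with no credentials and reports whether the metrics body comes back. The function name, verdict strings and script name are assumptions; the marker metric name is the one in the quoted output.

```python
import http.client
import sys
import urllib.error
import urllib.request

# Metric family name taken from the output quoted in the report.
MARKER = b"pod_network_name_info"

# Connect directly: a pod IP is only reachable from inside the cluster network,
# so proxy settings from the environment are ignored.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def check_metrics_exposure(url, timeout=5.0):
    """Request `url` with no credentials or client certificate and classify the result.

    "exposed"     - metrics body returned to an unauthenticated client
    "rejected"    - server answered 401/403
    "unreachable" - refused, timed out, or the peer does not speak plain HTTP
    "other"       - answered, but not with the expected metrics body
    """
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read(65536)  # first chunk is enough to spot the family
            return "exposed" if resp.status == 200 and MARKER in body else "other"
    except urllib.error.HTTPError as exc:  # must precede URLError (its parent)
        return "rejected" if exc.code in (401, 403) else "other"
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return "unreachable"


if __name__ == "__main__":
    # Hypothetical usage, run from a pod on the pod network:
    #   python3 check_metrics.py http://<pod-ip>:9091/metrics
    verdict = check_metrics_exposure(sys.argv[1])
    print(verdict)
    sys.exit(1 if verdict == "exposed" else 0)
```

The script exits non-zero only on "exposed", so it can gate a post-upgrade verification job.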