OpenShift Bugs / OCPBUGS-59763

openshift-marketplace marketplace-operator-metrics endpoint 8081 port exposed all the information without any authorization


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • 4.20.0
    • OLM
    • Quality / Stability / Reliability
    • False
    • Moderate
    • Rejected
    • Oddish Sprint 275, Pikachu Sprint 276, Quagsire Sprint 277, Rhydon Sprint 278
    • 4

      Description of problem:

      See the similar bug OCPBUGS-57585.

      Checked in 4.20.0-0.nightly-2025-07-20-021531: the openshift-marketplace marketplace-operator-metrics endpoint on port 8081 exposes all the information without any authorization.

      As described in https://rhobs-handbook.netlify.app/products/openshiftmonitoring/collecting_metrics.md/#exposing-metrics-for-prometheus, it should implement proper authentication.

      $ oc -n openshift-marketplace get pod -o wide
      NAME                                    READY   STATUS    RESTARTS   AGE     IP             NODE                                        NOMINATED NODE   READINESS GATES
      certified-operators-7btcn               1/1     Running   0          172m    10.128.0.226   ip-10-0-25-174.us-east-2.compute.internal   <none>           <none>
      community-operators-8wn9t               1/1     Running   0          4h18m   10.128.0.205   ip-10-0-25-174.us-east-2.compute.internal   <none>           <none>
      marketplace-operator-7cf9c8998f-9wg79   1/1     Running   0          11h     10.129.0.12    ip-10-0-77-233.us-east-2.compute.internal   <none>           <none>
      redhat-marketplace-sxfxk                1/1     Running   0          3h10m   10.130.0.95    ip-10-0-43-21.us-east-2.compute.internal    <none>           <none>
      redhat-operators-kl2df                  1/1     Running   0          3h32m   10.130.0.93    ip-10-0-43-21.us-east-2.compute.internal    <none>           <none>
      
      $ oc -n openshift-marketplace get ep
      Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
      NAME                           ENDPOINTS                           AGE
      certified-operators            10.128.0.226:50051                  11h
      community-operators            10.128.0.205:50051                  11h
      marketplace-operator-metrics   10.129.0.12:8081,10.129.0.12:8383   11h
      redhat-marketplace             10.130.0.95:50051                   11h
      redhat-operators               10.130.0.93:50051                   11h
      
      $ oc -n openshift-marketplace exec marketplace-operator-7cf9c8998f-9wg79 -- curl -k https://10.129.0.12:8081/metrics | head
      # HELP go_gc_duration_seconds A summary of the wall-time pause (stop-the-world) duration in garbage collection cycles.
      # TYPE go_gc_duration_seconds summary
      go_gc_duration_seconds{quantile="0"} 1.2806e-05
      go_gc_duration_seconds{quantile="0.25"} 3.2796e-05
      go_gc_duration_seconds{quantile="0.5"} 4.6059e-05
      go_gc_duration_seconds{quantile="0.75"} 6.8716e-05
      go_gc_duration_seconds{quantile="1"} 0.000933347
      go_gc_duration_seconds_sum 2.429422671
      go_gc_duration_seconds_count 32262
      # HELP go_gc_gogc_percent Heap size target percentage configured by the user, otherwise 100. This value is set by the GOGC environment variable, and the runtime/debug.SetGCPercent function. Sourced from /gc/gogc:percent.

      Version-Release number of selected component (if applicable):

      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.20.0-0.nightly-2025-07-20-021531   True        False         11h     Cluster version is 4.20.0-0.nightly-2025-07-20-021531

      How reproducible:

      Always.

      Steps to Reproduce:

      1. See the description above.

      Actual results:

      The openshift-marketplace marketplace-operator-metrics endpoint on port 8081 exposes all the information without any authorization.

      Expected results:

      The endpoint should require authorization.

      Additional info:

      The issue also exists in 4.19 and previous versions.

      When the bug is fixed, please remove it from this code snippet to avoid regression.

      https://github.com/openshift/origin/blob/4f183dd3427cffd8d97b44557caa782d65726416/test/extended/prometheus/prometheus.go#L64-L71
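      What "should require authorization" means for a metrics handler, as an added Go example that is not code from the marketplace operator or from the origin test: a bearer token is authenticated first, then authorized for GET on the /metrics non-resource URL, so an unauthenticated scrape gets 401 and an authenticated but unprivileged one gets 403. The Reviewer type, its tokens and its allow-list are constructed stand-ins for the API server's TokenReview and SubjectAccessReview calls, which a real operator would issue through client-go.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Reviewer stands in for TokenReview/SubjectAccessReview; assumption: a real operator backs both with client-go.
type Reviewer struct {
	Authenticate func(token string) (principal string) // "" means the token is invalid
	Authorize    func(principal, path string) bool     // may principal GET this non-resource URL?
}

// RequireAuth guards the metrics handler: a missing or invalid bearer token
// gets 401; a valid token without permission on the non-resource URL gets 403.
func RequireAuth(r Reviewer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		principal := ""
		if h := req.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
			principal = r.Authenticate(strings.TrimPrefix(h, "Bearer "))
		}
		if principal == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !r.Authorize(principal, req.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, req)
	})
}

// Probe returns the status the guarded /metrics endpoint gives a request with the
// given Authorization header value ("" sends no header). Tokens and the allow-list are constructed.
func Probe(authz string) int {
	rv := Reviewer{
		Authenticate: func(t string) string {
			return map[string]string{"tok-prom": "sa:prometheus", "tok-other": "sa:other"}[t]
		},
		Authorize: func(p, path string) bool { return path == "/metrics" && p == "sa:prometheus" },
	}
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("up 1\n")) })
	req := httptest.NewRequest("GET", "/metrics", nil)
	if authz != "" { req.Header.Set("Authorization", authz) }
	rec := httptest.NewRecorder()
	RequireAuth(rv, metrics).ServeHTTP(rec, req)
	return rec.Code // 401 for "", 403 for "Bearer tok-other", 200 for "Bearer tok-prom"
}
```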


              Ankita Thomas (ankithom)
              Junqi Zhao (juzhao@redhat.com)
              Xia Zhao
              Votes: 0
              Watchers: 6
