Description of problem:
See similar bug OCPBUGS-57585.
Checked in 4.20.0-0.nightly-2025-07-20-021531: the openshift-operator-lifecycle-manager catalog-operator-metrics/olm-operator-metrics endpoints exposed all the information without any authorization.
Should implement proper authentication.
    $ oc -n openshift-operator-lifecycle-manager get po -o wide
    NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
    catalog-operator-5df685f8d4-5cjjq 1/1 Running 0 11h 10.129.0.33 ip-10-0-77-233.us-east-2.compute.internal <none> <none>
    collect-profiles-29222625-j7zfn 0/1 Completed 0 31m 10.131.0.64 ip-10-0-79-84.us-east-2.compute.internal <none> <none>
    collect-profiles-29222640-sxz89 0/1 Completed 0 16m 10.131.0.65 ip-10-0-79-84.us-east-2.compute.internal <none> <none>
    collect-profiles-29222655-kjv4z 0/1 Completed 0 71s 10.131.0.66 ip-10-0-79-84.us-east-2.compute.internal <none> <none>
    olm-operator-f66d58f74-nkbh4 1/1 Running 0 11h 10.129.0.36 ip-10-0-77-233.us-east-2.compute.internal <none> <none>
    package-server-manager-6c44dd9954-mgph7 2/2 Running 0 11h 10.129.0.16 ip-10-0-77-233.us-east-2.compute.internal <none> <none>
    packageserver-db998f8d4-7m9fq 1/1 Running 0 11h 10.130.0.22 ip-10-0-43-21.us-east-2.compute.internal <none> <none>
    packageserver-db998f8d4-vdlw9 1/1 Running 0 11h 10.128.0.23 ip-10-0-25-174.us-east-2.compute.internal <none> <none>

    $ oc -n openshift-operator-lifecycle-manager get ep
    Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
    NAME ENDPOINTS AGE
    catalog-operator-metrics 10.129.0.33:8443 11h
    olm-operator-metrics 10.129.0.36:8443 11h
    package-server-manager-metrics 10.129.0.16:8443 11h
    packageserver-service 10.128.0.23:5443,10.130.0.22:5443 11h

    $ oc -n openshift-operator-lifecycle-manager exec catalog-operator-5df685f8d4-5cjjq -- curl -k https://10.129.0.33:8443/metrics | head
    # HELP catalog_source_count Number of catalog sources
    # TYPE catalog_source_count gauge
    catalog_source_count 4
    # HELP catalog_source_snapshots_total The number of times the catalog operator has requested a snapshot of data from a catalog source
    # TYPE catalog_source_snapshots_total counter
    catalog_source_snapshots_total{name="certified-operators",namespace="openshift-marketplace"} 0
    catalog_source_snapshots_total{name="community-operators",namespace="openshift-marketplace"} 0
    catalog_source_snapshots_total{name="redhat-marketplace",namespace="openshift-marketplace"} 0
    catalog_source_snapshots_total{name="redhat-operators",namespace="openshift-marketplace"} 0
    # HELP catalogsource_ready State of a CatalogSource. 1 indicates that the CatalogSource is in a READY state. 0 indicates CatalogSource is in a Non READY state.

    $ oc -n openshift-operator-lifecycle-manager exec olm-operator-f66d58f74-nkbh4 -- curl -k https://10.129.0.36:8443/metrics | head
    # HELP csv_count Number of CSVs successfully registered
    # TYPE csv_count gauge
    csv_count 1
    # HELP csv_succeeded Successful CSV install
    # TYPE csv_succeeded gauge
    csv_succeeded{name="packageserver",namespace="openshift-operator-lifecycle-manager",version="0.0.1-snapshot"} 1
    # HELP csv_upgrade_count Monotonic count of CSV upgrades
    # TYPE csv_upgrade_count counter
    csv_upgrade_count 0
    # HELP go_gc_duration_seconds A summary of the wall-time pause (stop-the-world) duration in garbage collection cycles.
Version-Release number of selected component (if applicable):
    $ oc get clusterversion
    NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
    version 4.20.0-0.nightly-2025-07-20-021531 True False 11h Cluster version is 4.20.0-0.nightly-2025-07-20-021531
How reproducible:
Always
Steps to Reproduce:
1. See the description.
Actual results:
The openshift-operator-lifecycle-manager catalog-operator-metrics/olm-operator-metrics endpoints exposed all the information without any authorization.
Expected results:
The endpoints should require authorization.
Additional info:
The issue also exists in 4.19 and previous versions.
When the bug is fixed, please remove it from this code snippet to avoid regression.
Is related to:
OCPBUGS-59763 openshift-marketplace marketplace-operator-metrics endpoint 8081 port exposed all the information without any authorization (ASSIGNED)
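A regression check for the behaviour reported above, as an added example that is not part of the original report or of the OLM code base: it requests a metrics URL with no credentials and reports it as exposed when the reply is HTTP 200 carrying Prometheus `# HELP`/`# TYPE` lines, and as protected on 401/403. The function names, the verdict strings and the embedded sample are assumptions made for this example; the URLs are supplied on the command line and must be reachable from wherever the script runs.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request

# "# HELP <name> ..." / "# TYPE <name> ..." lines of the Prometheus text format.
_FAMILY = re.compile(r"^# (?:HELP|TYPE) ([A-Za-z_:][A-Za-z0-9_:]*)", re.M)

# Constructed sample: lines copied from the catalog-operator output in the report.
SAMPLE = """# HELP catalog_source_count Number of catalog sources
# TYPE catalog_source_count gauge
catalog_source_count 4
# TYPE catalog_source_snapshots_total counter
"""

def classify(status, body):
    """Judge the reply to a request that carried no credentials."""
    if status in (401, 403):
        return "protected", []
    families = sorted(set(_FAMILY.findall(body)))
    if status == 200 and families:
        return "exposed", families          # metrics served to an anonymous caller
    return "inconclusive", []               # e.g. 404, 5xx, or a non-metrics body

def probe(url, timeout=5):
    """GET url without an Authorization header; certificate checks off, like curl -k."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # 4xx/5xx replies arrive as exceptions
        return classify(err.code, "")
    except urllib.error.URLError:
        return "unreachable", []

def main(urls):
    failed = False
    for url in urls:
        verdict, families = probe(url)
        print(f"{verdict:12} {url} {' '.join(families[:5])}")
        failed |= verdict == "exposed"
    return 1 if failed else 0               # non-zero exit fails a CI job

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```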