- Bug
- Resolution: Unresolved
- Major
- 4.20.0
- Quality / Stability / Reliability
- Moderate
- Rejected
Description of problem:
see similar bug OCPBUGS-57585
Stole the testing result from https://github.com/openshift/origin/pull/30014#issuecomment-3153130188
Port 8445 is for the openshift-cluster-csi-drivers vmware-vsphere-csi-driver-operator-metrics endpoint; did not see this port on other IaaS (for example AWS, OSP). Checked on vSphere: curl to 8445 without auth returns 500 (actually it's forbidden).

$ oc get infrastructure/cluster -o jsonpath={.spec.platformSpec.type}
VSphere
$ oc -n openshift-cluster-csi-drivers get ep
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
NAME                                          ENDPOINTS                                                       AGE
vmware-vsphere-csi-driver-controller-metrics  10.129.0.17:9203,10.130.0.21:9203,10.129.0.17:9202 + 9 more...  28m
vmware-vsphere-csi-driver-operator-metrics    10.130.0.17:8445                                                28m
vmware-vsphere-csi-driver-webhook-svc         10.128.0.45:8443,10.130.0.23:8443                               28m
$ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -s -o /dev/null -w '%{http_code}' https://10.130.0.17:8445/metrics
500

Return code is 500; expecting 401 forbidden instead of 500.

$ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k https://10.130.0.17:8445/metrics
Internal Server Error: "/metrics": subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:vmware-vsphere-csi-driver-operator" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope

curl with auth, no issue:

$ token=`oc create token prometheus-k8s -n openshift-monitoring`
$ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://10.130.0.17:8445/metrics' | head -n3
# HELP aggregator_discovery_aggregation_count_total [ALPHA] Counter of number of times discovery was aggregated
# TYPE aggregator_discovery_aggregation_count_total counter
aggregator_discovery_aggregation_count_total 0
https://github.com/openshift/origin/pull/30014#issuecomment-3154900379
When the bug is fixed, please remove it from this code snippet to avoid regression.
- clones: OCPBUGS-59763 openshift-marketplace marketplace-operator-metrics endpoint 8081 port exposed all the information without any authorization (ASSIGNED)
- is related to: MON-4304 check all the metrics ports expose all the information without any authorization (Closed)
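An added example, not part of the original report or of the operator's code: a shell check that repeats the unauthenticated probe from the description and classifies the result, separating the failure reported here (500 caused by a denied SubjectAccessReview) from an endpoint that serves metrics with no credentials. The function names and verdict strings are hypothetical, and treating 403 as an acceptable rejection alongside 401 is an assumption.

```shell
# Added example (not from the report). Function names and verdict text are hypothetical.

# classify_probe STATUS BODY: verdict for one unauthenticated /metrics request.
classify_probe() {
  cp_status=$1
  cp_body=$2
  case "$cp_status" in
    401|403)  # assumption: either code counts as a clean rejection
      echo "OK: rejected without credentials" ;;
    200)
      echo "EXPOSED: metrics served without credentials" ;;
    500)
      # The case in this report: the server failed while running its own
      # authorization check, because its service account lacks RBAC.
      if printf '%s' "$cp_body" | grep -q 'subjectaccessreviews.authorization.k8s.io is forbidden'; then
        cp_sa=$(printf '%s' "$cp_body" |
          sed -n 's/.*User "\(system:serviceaccount:[^"]*\)".*/\1/p')
        echo "MISCONFIGURED: ${cp_sa:-unknown account} cannot create subjectaccessreviews"
      else
        echo "ERROR: 500 for an unrelated reason"
      fi ;;
    *)
      echo "UNKNOWN: unexpected status $cp_status" ;;
  esac
}

# probe_unauth URL: same probe as in the description, body first, status last.
probe_unauth() {
  oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- \
    curl -k -s -w '\n%{http_code}' "$1"
}

# check_endpoint URL: probe a live endpoint and print the verdict.
check_endpoint() {
  ce_out=$(probe_unauth "$1") || return 2
  ce_status=$(printf '%s\n' "$ce_out" | tail -n 1)
  ce_body=$(printf '%s\n' "$ce_out" | sed '$d')
  classify_probe "$ce_status" "$ce_body"
}
```

On a cluster, `check_endpoint https://10.130.0.17:8445/metrics` runs the probe against the endpoint address shown in the description.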