OpenShift Request For Enhancement
RFE-8052

cert-manager operator exposes all metrics without authorization, allowing unauthenticated access from outside the namespace

      The ServiceMonitor "cert-manager" in the namespace "cert-manager",
      provided by Red Hat, exposes all metrics without authorization and without traffic encryption (plain HTTP). No corresponding security measures are implemented on the ServiceMonitor, the Service, or the metrics endpoint in the container. In a multi-tenant cluster this allows unauthenticated access to sensitive information belonging to other tenants.

       

      Steps to reproduce the issue:
      1. Install a plain, vanilla, out-of-the-box OpenShift (4.16) cluster from scratch.
      2. Install the "cert-manager Operator for Red Hat OpenShift" Operator with default values via OperatorHub.
      3. Activate monitoring for "cert-manager" as documented in "https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift#cert-manager-monitoring"
       
      The following ServiceMonitor is installed:
       

      oc get servicemonitor -n cert-manager
       
      NAME           AGE
      cert-manager   61m

      oc describe servicemonitor cert-manager -n cert-manager
       
      Name:         cert-manager
      Namespace:    cert-manager
      Labels:       app=cert-manager
                    app.kubernetes.io/instance=cert-manager
                    app.kubernetes.io/name=cert-manager
      Annotations:  <none>
      API Version:  monitoring.coreos.com/v1
      Kind:         ServiceMonitor
      Metadata:
        Creation Timestamp:  2025-07-18T07:29:00Z
        Generation:          1
        Resource Version:    2718686
        UID:                 bd3d05ef-911c-485a-8bed-74bfa576d5cb
      Spec:
        Endpoints:
          Honor Labels:    false
          Interval:        60s
          Path:            /metrics
          Scrape Timeout:  30s
          Target Port:     9402
        Selector:
          Match Expressions:
            Key:       app.kubernetes.io/name
            Operator:  In
            Values:
              cainjector
              cert-manager
              webhook
            Key:       app.kubernetes.io/instance
            Operator:  In
            Values:
              cert-manager
            Key:       app.kubernetes.io/component
            Operator:  In
            Values:
              cainjector
              controller
              webhook
      Events:  <none>

       
      The following targets are then scraped (all three Deployments are matched by the one ServiceMonitor, and all are scraped over plain HTTP):
       
      http://<IP_of_POD_cert-manager-*>:9402/metrics --> "cert-manager" ServiceMonitor
      http://<IP_of_POD_cert-manager-cainjector-*>:9402/metrics --> "cert-manager" ServiceMonitor
      http://<IP_of_POD_cert-manager-webhook-*>:9402/metrics --> "cert-manager" ServiceMonitor
       
      4. Run the following from any pod that contains curl, in any namespace (e.g. a customer workload namespace):
       
      curl -v --insecure http://<IP_of_POD_cert-manager-*>:9402/metrics
      curl -v --insecure http://<IP_of_POD_cert-manager-cainjector-*>:9402/metrics
      curl -v --insecure http://<IP_of_POD_cert-manager-webhook-*>:9402/metrics
       
       The sources (metrics endpoints) targeted by the ServiceMonitor are served without encryption or authorization, so every pod in the cluster can already read them without authenticating.
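       The following is an added example, not code from the RFE or from the cert-manager operator. It is a small audit script that reads the JSON shape produced by `oc get servicemonitors -A -o json` (here a constructed sample: the first item mirrors the cert-manager ServiceMonitor shown above, the second is a hypothetical hardened variant with a made-up name) and flags every scrape endpoint that uses plain HTTP or carries no client credential. The field names checked (`scheme`, `tlsConfig`, `authorization`, `bearerTokenFile`, `bearerTokenSecret`, `basicAuth`, `oauth2`) are the ones defined for `monitoring.coreos.com/v1` endpoints. A flagged ServiceMonitor only tells you where to look; the probe in step 4 is still what confirms that the endpoint itself accepts unauthenticated clients, so a helper for that probe is included as well.

```python
"""Audit ServiceMonitor endpoints for unencrypted / unauthenticated scrapes.

Added example, not part of the RFE. Input is the JSON document that
`oc get servicemonitors -A -o json` prints; the SAMPLE below is constructed.
"""
import json
import urllib.request
import urllib.error

# Endpoint fields that carry a client credential in monitoring.coreos.com/v1.
AUTH_FIELDS = ("authorization", "bearerTokenFile", "bearerTokenSecret",
               "basicAuth", "oauth2")


def audit_endpoint(ep):
    """Return the list of problems found on one ServiceMonitor endpoint."""
    problems = []
    # `scheme` defaults to http when omitted, which is the case on the page.
    if ep.get("scheme", "http") != "https":
        problems.append("scrape scheme is plain http (no transport encryption)")
    elif "tlsConfig" not in ep:
        problems.append("https without tlsConfig (server certificate not verified)")
    if not any(field in ep for field in AUTH_FIELDS):
        problems.append("no client credential configured (unauthenticated scrape)")
    return problems


def audit_servicemonitors(doc):
    """Walk every ServiceMonitor in a List document and collect findings."""
    findings = []
    for sm in doc.get("items", []):
        meta = sm["metadata"]
        for ep in sm.get("spec", {}).get("endpoints", []):
            for problem in audit_endpoint(ep):
                findings.append({
                    "namespace": meta["namespace"],
                    "name": meta["name"],
                    "port": ep.get("port") or ep.get("targetPort"),
                    "path": ep.get("path", "/metrics"),
                    "problem": problem,
                })
    return findings


def probe_plain_http(url, timeout=5):
    """Step-4 check from inside a pod: GET the metrics URL with no credential.

    Returns the HTTP status code the endpoint answered with, or None if the
    connection failed. A 200 here means the endpoint serves metrics to any
    client that can reach the pod IP.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample: item 0 mirrors the cert-manager ServiceMonitor from the
# report, item 1 is a hypothetical hardened ServiceMonitor (name made up).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "cert-manager", "name": "cert-manager"},
   "spec": {"endpoints": [{"interval": "60s", "path": "/metrics",
                            "scrapeTimeout": "30s", "targetPort": 9402}]}},
  {"metadata": {"namespace": "example", "name": "hardened-example"},
   "spec": {"endpoints": [{"port": "metrics", "scheme": "https",
                            "tlsConfig": {"caFile": "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
                                          "serverName": "example.example.svc"},
                            "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"}]}}
]}
""")


if __name__ == "__main__":
    for f in audit_servicemonitors(SAMPLE):
        print(f"{f['namespace']}/{f['name']} port={f['port']} path={f['path']}: {f['problem']}")
```

       Run it against a live cluster with `oc get servicemonitors -A -o json | python3 audit.py` after replacing `SAMPLE` with `json.load(sys.stdin)`; the cert-manager entry is reported twice (plain HTTP, no credential) while the hardened variant produces nothing.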
       
       


       

              rh-ee-npng Nick Png
              sasakshi@redhat.com Sakshi sakshi