Open simonhir opened 3 months ago
@DanielOber @devtobi have you already implemented this in a project or do you have an idea for the info endpoint? The rest of the implementation should be no problem.
> access all these endpoints.

They can call the endpoints but they get a 401 back if they are not authorized. Can you explain the problem? Or do you mean sth like that?

> they can call the endpoints but they get a 401 back if they are not authorized

No, as the actuator endpoints need to be accessed by Kubernetes they are accessible without authentication. Which also means that everyone can access all Prometheus metrics.

> Or do you mean sth like that

Was the way I thought about it, but maybe there is some alternative.

In my opinion usage of the management port is the only suitable option, as securing the actuator endpoints via roles would be very difficult. The availability of the info endpoint could then be achieved via a route or a custom info REST controller.
To be honest, I don't like either, but an open actuator endpoint is even worse.
Is your feature request related to a problem? Please describe.
At the moment the actuator and metrics endpoints are reachable via the default application port. This means everyone can access all these endpoints.
Describe the solution you'd like
Use a custom management port which is only used internally and can't be accessed externally. Since the `/actuator/info` endpoint is also affected by this, it must be considered how to deal with this in the future, e.g. for the appswitcher.
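The separate management port proposed above, as an added configuration example that is not from this project: the weak default beside the corrected setup. It assumes Spring Boot 2.3+ with Micrometer's Prometheus registry on the classpath; port numbers, container and service names are illustrative.

```yaml
# --- application.yml, weak setting (constructed example) ---
# Actuator shares the application port, so anything that can reach the app
# (Ingress, other namespaces) can also read /actuator/prometheus and friends.
server:
  port: 8080
management:
  endpoints:
    web:
      exposure:
        include: "*"

# --- application.yml, corrected (constructed example) ---
# Actuator moves to its own port that is never published by a Service/Ingress;
# only the endpoints Kubernetes and Prometheus actually need are exposed.
server:
  port: 8080                     # application traffic only
management:
  server:
    port: 8081                   # management traffic, cluster-internal only
  endpoints:
    web:
      exposure:
        include: health,info,prometheus
  endpoint:
    health:
      probes:
        enabled: true            # enables /actuator/health/{liveness,readiness}

# --- Kubernetes, corrected (constructed example) ---
# Probes and the Prometheus scrape target point at the management port; the
# Service publishes only the application port, so 8081 stays pod-to-pod.
apiVersion: v1
kind: Service
metadata:
  name: example-app
spec:
  selector:
    app: example-app
  ports:
    - name: http
      port: 80
      targetPort: 8080           # 8081 is deliberately not listed here
---
# container spec excerpt from the matching Deployment
livenessProbe:
  httpGet: { path: /actuator/health/liveness, port: 8081 }
readinessProbe:
  httpGet: { path: /actuator/health/readiness, port: 8081 }
```

With this split, a client that needs `/actuator/info` from outside (e.g. the appswitcher mentioned above) no longer reaches it through the public port and must be served by a separate route or controller on 8080, which is exactly the open point in this issue.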