kubecost / features-bugs

A public repository for filing of Kubecost feature requests and bugs. Please read the issue guidelines before filing an issue here.

[Bug] - Kubecost calling out to AWS China STS endpoints #124

Open paulbraham-ds opened 1 month ago

paulbraham-ds commented 1 month ago

Kubecost Helm Chart Version

2.1.1

Kubernetes Version

1.29

Kubernetes Platform

EKS

Description

Kubecost is installed using the Helm chart with default values (Other than disabling prometheus and reporting).

Our AWS firewall shows activity from the EC2 node to sts.cn-northwest-1.amazonaws.com.cn and sts.cn-north-1.amazonaws.com.cn which is blocked. This traffic has been isolated to the kubecost-cost-analyzer pod.

The deployment is not using the cost/usage report data currently.

Is this expected behavior? Or is there a way of disabling the application calling out to STS endpoints in certain regions and explicitly defining it?

Steps to reproduce

  1. Install Kubecost using Helm in a cluster behind a firewall with SNI whitelisting.
  2. Observe the traffic leaving the kubecost-cost-analyzer pod.

Expected behavior

Kubecost to only hit endpoints in the region it is deployed in. (Or at least not to traverse AWS partitions.)

Impact

It is triggering unnecessary alerts within our environment and raising questions from security teams.

Screenshots


Logs

No response

Slack discussion

No response

Troubleshooting

teevans commented 1 month ago

Hey there, this is indeed expected - We query several different resources across all regions to make sure we're thorough on our reports such as orphaned resources! We don't currently offer a way to configure the application to ignore certain regions. However, blocking the traffic through a firewall should not cause any issues!

skmartin-trv commented 1 month ago

Hello,

I'd like to second this issue - as it does have an impact on us. We are looking to be cost aware everywhere - which includes network traffic and log messages. Unnecessary calls being made to other regions that are not needed do add additional complexity in our network costs, logging costs, and observability solutions - as these show up in our environment as failed calls being blocked.

While it may not impact the product functionality - it is more than an annoyance. A way to minimize these only to necessary regions would be beneficial.

Thanks.

AjayTripathy commented 1 month ago

That's fair @skmartin-trv I imagine this is a quick fix. cc @cliffcolvin for triage.

paulbraham-ds commented 1 month ago

> Hello,
>
> I'd like to second this issue - as it does have an impact on us. We are looking to be cost aware everywhere - which includes network traffic and log messages. Unnecessary calls being made to other regions that are not needed do add additional complexity in our network costs, logging costs, and observability solutions - as these show up in our environment as failed calls being blocked.
>
> While it may not impact the product functionality - it is more than an annoyance. A way to minimize these only to necessary regions would be beneficial.
>
> Thanks.

I'd settle for being able to scope it to an AWS partition. AWS China is not a standard AWS Commercial region and has its own totally separate login page, similar to GovCloud. Stopping it from reaching into other partitions would be great.
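As an added example from a defender's perspective (not code from Kubecost or from anyone in this thread), the check below classifies STS destination hostnames from constructed firewall log lines by AWS partition and flags the cross-partition calls described above; the log line format and the cluster's home region are assumptions.

```python
import re

# Constructed firewall log lines (not from the thread): "<src ip> -> <dst host>:<port> <action>"
SAMPLE_LOG = """\
10.0.1.23 -> sts.eu-west-1.amazonaws.com:443 ALLOW
10.0.1.23 -> sts.cn-northwest-1.amazonaws.com.cn:443 BLOCK
10.0.1.23 -> sts.cn-north-1.amazonaws.com.cn:443 BLOCK
10.0.1.23 -> sts.us-gov-west-1.amazonaws.com:443 BLOCK
10.0.1.23 -> sts.amazonaws.com:443 ALLOW
10.0.1.23 -> api.example.internal:443 ALLOW
"""

# Shape of STS endpoint hostnames: regional (sts.<region>.amazonaws.com[.cn]) or the
# global one (sts.amazonaws.com) with no region label.
STS_HOST = re.compile(
    r"^sts(?:\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d))?\.amazonaws\.com(?:\.cn)?$"
)

def partition_of(region: str) -> str:
    """Map an AWS region name to its partition identifier."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"

def classify_sts_host(host: str, home_region: str):
    """Return 'same-region', 'same-partition', 'cross-partition', or None if not an STS host."""
    m = STS_HOST.match(host)
    if not m:
        return None
    region = m.group("region") or "us-east-1"  # the global STS endpoint is served from us-east-1
    if partition_of(region) != partition_of(home_region):
        return "cross-partition"
    return "same-region" if region == home_region else "same-partition"

def find_cross_partition_sts(log: str, home_region: str):
    """Return (host, action) pairs for STS destinations outside the cluster's own partition."""
    findings = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        host = parts[2].rsplit(":", 1)[0]
        if classify_sts_host(host, home_region) == "cross-partition":
            findings.append((host, parts[3]))
    return findings
```

Same-partition calls to other regions are left unflagged on purpose, since the maintainer's reply describes those as expected; only egress that leaves the cluster's partition is surfaced.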

chipzoller commented 1 day ago

Not a Helm chart issue, transferred.