kubernetes / kubernetes

Production-Grade Container Scheduling and Management
https://kubernetes.io
Apache License 2.0

Why is cAdvisor listening unconditionally on the public IP? #47175

Closed luxas closed 7 years ago

luxas commented 7 years ago

Is this a BUG REPORT or FEATURE REQUEST? (choose one):

FEATURE REQUEST

Kubernetes version (use kubectl version): All

It seems like cAdvisor is always listening on :::4194 (the port is configurable with --cadvisor-port but...). I know it's used in kubelet for various features like OOM detection, detecting disk space and other necessary information. That's totally ok.

However, the fact that it also listens on 0.0.0.0 makes me worried when I'm spinning up clusters. For folks that are using a cloud machine like a droplet with a public IP, it's a huge exposure. (Now DO just introduced firewalls, but it's a viable example anyway). Anyone with the IP of any node can go and check out low-level details about how the node is doing, check out cgroups, what the node runs, etc.

And the fact that I can't block this with Kubernetes is not great. Of course I could start mucking with iptables, firewalld and/or other firewalls, but that seems sub-optimal.

So my question is, what's using <node-ip>:4194 other than Heapster? Could we make it possible to shut off listening to the public IP (some features might not work)?

And will the new monitoring vision make the built-in cAdvisor HTTP server unnecessary?

cc @kubernetes/sig-node-feature-requests @kubernetes/sig-cluster-lifecycle-feature-requests @DirectXMan12 @vishh @fgrzadkowski @mwielgus
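As an added check for the exposure described above (example code, not part of the issue and not code from the Kubernetes project), the script below parses `ss -lnt` output and flags any socket on the cAdvisor port that is bound to a wildcard address or a public IP rather than loopback or a private node address. The `ss` sample is constructed, and the function names and the RFC 1918 / link-local ranges used for "private" are assumptions of this example.

```python
"""Flag listeners on the cAdvisor port bound to a wildcard or public address.

Added example, not Kubernetes project code. It reads `ss -lnt` output (a
constructed sample is embedded below) and reports sockets on port 4194 that
are reachable from outside the node.
"""
import ipaddress
import sys

CADVISOR_PORT = 4194  # default named in the issue; configurable with --cadvisor-port

# Bind addresses that mean "every interface" in ss output.
WILDCARDS = {"*", "0.0.0.0", "::"}

# Assumed "private" ranges for this example: RFC 1918, IPv4/IPv6 link-local, ULA.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "fc00::/7", "fe80::/10")
]

# Constructed sample of `ss -lnt` output; not a capture from a real node.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:10248     0.0.0.0:*
LISTEN 0      4096   *:4194              *:*
LISTEN 0      4096   10.0.0.5:10250      0.0.0.0:*
LISTEN 0      4096   [::1]:4194          [::]:*
LISTEN 0      4096   203.0.113.7:4194    0.0.0.0:*
"""


def split_local(field):
    """Split an ss 'addr:port' field into (address, port).

    Handles '[::1]:4194', '*:4194' and link-local scopes such as 'fe80::1%eth0:4194'.
    """
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def classify(addr):
    """Return 'wildcard', 'loopback', 'private' or 'public' for a bound address."""
    if addr in WILDCARDS:
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    # `ip in net` is False (not an error) when the IP versions differ.
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def parse_listeners(ss_output):
    """Yield (address, port, classification) for each LISTEN line of `ss -lnt` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        yield addr, port, classify(addr)


def exposed_listeners(ss_output, port=CADVISOR_PORT):
    """Return listeners on `port` reachable beyond the node (wildcard or public bind)."""
    return [
        (addr, p, kind)
        for addr, p, kind in parse_listeners(ss_output)
        if p == port and kind in ("wildcard", "public")
    ]


if __name__ == "__main__":
    # Usage on a node: ss -lnt | python3 cadvisor_bind_check.py
    # Without piped input the constructed sample is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    findings = exposed_listeners(text)
    for addr, port, kind in findings:
        print(f"EXPOSED: port {port} bound to {addr} ({kind})")
    if not findings:
        print(f"port {CADVISOR_PORT} is not bound to a wildcard or public address")
```

On the constructed sample the check reports the `*:4194` and `203.0.113.7:4194` listeners and stays quiet about `[::1]:4194`. The kubelet help text for `--cadvisor-port` documents that setting it to 0 disables the endpoint, which is the simplest remediation when nothing on the node needs the standalone cAdvisor server.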

liggitt commented 7 years ago

dupe of https://github.com/kubernetes/kubernetes/issues/11710 ?

dims commented 7 years ago

/assign

dims commented 7 years ago

/close

Dup of #11710