What is missing?
Prometheus-adapter is the only application of kube-prometheus that serves metrics and doesn't have authorization set up on its /metrics endpoint.
Why do we need it?
We need it in order to protect the prometheus-adapter /metrics endpoint by reducing the number of services that are allowed to scrape the adapter metrics. Currently, any application authorized by the apiserver is able to scrape prometheus-adapter metrics, whereas we would only want applications that are authorized to scrape metrics endpoints to be able to get prometheus-adapter metrics.
Anything else we need to know?:
This enhancement is blocked by https://github.com/kubernetes-sigs/prometheus-adapter/issues/425 since prometheus-adapter metrics are served on the same server as the metrics APIs. So scrapers would need to be authorized by the apiserver and allowed to scrape metrics endpoints in order to get the metrics. However, kube-rbac-proxy isn't designed to propagate bearer tokens, so the proxied requests will not be authorized by the apiserver.