prometheus-operator / kube-prometheus

Use Prometheus to monitor Kubernetes and applications running on Kubernetes
https://prometheus-operator.dev/
Apache License 2.0

Add authorization to prometheus-adapter /metrics endpoint #1247

Open dgrisonnet opened 3 years ago

dgrisonnet commented 3 years ago

What is missing?

Prometheus-adapter is the only application of kube-prometheus that serves metrics and doesn't have authorization set up on its /metrics endpoint.

Why do we need it?

We need it in order to protect the prometheus-adapter /metrics endpoint by reducing the number of services that are allowed to scrape the adapter metrics. Currently, any application authorized by the apiserver is able to scrape prometheus-adapter metrics, whereas we would only want applications that are authorized to scrape metrics endpoints to be able to get prometheus-adapter metrics.

Anything else we need to know?:

This enhancement is blocked by https://github.com/kubernetes-sigs/prometheus-adapter/issues/425 since prometheus-adapter metrics are served on the same server as the metrics APIs. So scrapers would need to be authorized by the apiserver and allowed to scrape metrics endpoints in order to get the metrics. However, kube-rbac-proxy isn't designed to propagate bearer tokens, so the proxied requests will not be authorized by the apiserver.

rootxrishabh commented 8 months ago

Hey folks, I would like to work on this if this is still available 😄