Bug 1703502

Summary: Enable auth for metrics endpoint on cluster-authentication-operator
Product: OpenShift Container Platform
Reporter: Neelesh Agrawal <nagrawal>
Component: apiserver-auth
Assignee: Abu Kashem <akashem>
Status: CLOSED ERRATA
QA Contact: Chuan Yu <chuyu>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.1.0
CC: aos-bugs, mkhan
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-04 10:48:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Neelesh Agrawal 2019-04-26 15:22:40 UTC
https://jira.coreos.com/browse/AUTH-298

We should not emit metrics that are globally readable.  The operators should be easy to fix via the library-go code (re-enable delegated auth).

Cluster Authentication Operator

Comment 1 Abu Kashem 2019-04-30 13:37:05 UTC
PR - https://github.com/openshift/cluster-authentication-operator/pull/123

I have done the following testing:

Make sure that the /metrics endpoint is not accessible for an
unauthenticated user.
If I access the /metrics endpoint using curl as shown below, I get the
following 403 error:

curl -k https://$(kubectl get service metrics -o json | jq -r .spec.clusterIP)/metrics

"message": "forbidden: User "system:anonymous" cannot get path "/metrics"",
"reason": "Forbidden",

I checked 'prometheus-k8s-openshift-monitoring'; it looks like all
'AuthenticationOperator2_*' metrics are collected after delegated
auth is turned on.
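The check described in the comment above (anonymous callers get a Kubernetes-style 403 Status document, authenticated and authorized callers get the metrics) can be reproduced in-process with the following Go program. This is an added illustration, not code from cluster-authentication-operator or library-go: the `tokenUsers` and `allowedUsers` maps are constructed stand-ins for the delegated TokenReview and SubjectAccessReview calls that delegated auth makes against the kube-apiserver, and the token value, service-account name and sample metric line are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Status mirrors the fields of the Kubernetes metav1.Status object that the
// bug report shows for an anonymous request (metadata/details omitted).
type Status struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Status     string `json:"status"`
	Message    string `json:"message"`
	Reason     string `json:"reason"`
	Code       int    `json:"code"`
}

// tokenUsers is a constructed stand-in for delegated authentication
// (TokenReview): bearer token -> user name. Real tokens are never hard-coded.
var tokenUsers = map[string]string{
	"example-prometheus-token": "system:serviceaccount:openshift-monitoring:prometheus-k8s",
}

// allowedUsers is a constructed stand-in for delegated authorization
// (SubjectAccessReview): who may "get" the non-resource path /metrics.
var allowedUsers = map[string]bool{
	"system:serviceaccount:openshift-monitoring:prometheus-k8s": true,
}

// authenticate maps the Authorization header to a user, defaulting to the
// anonymous user that the 403 message in the report names.
func authenticate(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if strings.HasPrefix(h, "Bearer ") {
		if u, ok := tokenUsers[strings.TrimPrefix(h, "Bearer ")]; ok {
			return u
		}
	}
	return "system:anonymous"
}

// forbid writes the same Status document that the verification output shows.
func forbid(w http.ResponseWriter, user, path string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusForbidden)
	json.NewEncoder(w).Encode(Status{
		Kind: "Status", APIVersion: "v1", Status: "Failure",
		Message: fmt.Sprintf("forbidden: User %q cannot get path %q", user, path),
		Reason:  "Forbidden", Code: http.StatusForbidden,
	})
}

// withDelegatedAuth lets only authenticated and authorized users reach next.
func withDelegatedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := authenticate(r)
		if !allowedUsers[user] {
			forbid(w, user, r.URL.Path)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// metricsHandler serves one constructed sample metric.
func metricsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "# constructed sample metric\nauthentication_operator_example_total 1")
}

// NewServer wires /metrics behind the auth wrapper, as the fix does for the operator.
func NewServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/metrics", withDelegatedAuth(http.HandlerFunc(metricsHandler)))
	return mux
}

// Probe sends one GET /metrics with the given bearer token ("" = anonymous)
// and returns the HTTP code plus the decoded Status body (zero-valued on 200).
func Probe(h http.Handler, token string) (int, Status) {
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var st Status
	if rec.Code != http.StatusOK {
		json.Unmarshal(rec.Body.Bytes(), &st)
	}
	return rec.Code, st
}

func main() {
	h := NewServer()
	for _, tok := range []string{"", "bogus", "example-prometheus-token"} {
		code, st := Probe(h, tok)
		fmt.Printf("token=%q -> %d %s\n", tok, code, st.Message)
	}
}
```

Running it prints a 403 with the `User "system:anonymous" cannot get path "/metrics"` message for the empty and unknown tokens and a 200 for the constructed Prometheus token; the point of the wrapper is that the anonymous and unauthorized paths are rejected before the handler ever runs, which is what the curl check in the comment verifies against the real service.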

Comment 4 Chuan Yu 2019-05-05 14:47:15 UTC
Verified on 4.1.0-0.nightly-2019-05-04-210601:

sh-4.4# curl -k https://172.30.89.103/metrics
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}

Comment 6 errata-xmlrpc 2019-06-04 10:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758