Bug 1703501 - Enable auth for metrics endpoint on service-ca-operator
Summary: Enable auth for metrics endpoint on service-ca-operator
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Daniel Spangenberg
QA Contact: Chuan Yu
Depends On:
TreeView+ depends on / blocked
Reported: 2019-04-26 15:20 UTC by Neelesh Agrawal
Modified: 2019-06-04 10:48 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:48:05 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:48:13 UTC

Description Neelesh Agrawal 2019-04-26 15:20:21 UTC
Jira: https://jira.coreos.com/browse/AUTH-297

We should not emit metrics that are globally readable.  The operators should be easy to fix via the library-go code (re-enable delegated auth).

Service CA operator

Comment 1 Daniel Spangenberg 2019-04-30 16:14:50 UTC
PR -  https://github.com/openshift/service-ca-operator/pull/54

Comment 3 Chuan Yu 2019-05-05 14:45:22 UTC
Verified on 4.1.0-0.nightly-2019-05-04-210601

sh-4.2# curl -vk
* About to connect() to port 8443 (#0)
*   Trying
* Connected to ( port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
*       subject: CN=localhost
*       start date: May 05 04:31:15 2019 GMT
*       expire date: Jun 04 04:31:16 2019 GMT
*       common name: localhost
*       issuer: CN=service-ca-operator-signer@1557030674
> GET /metrics HTTP/1.1
> User-Agent: curl/7.29.0
> Host:
> Accept: */*
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Sun, 05 May 2019 14:45:04 GMT
< Content-Length: 240
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {
  "code": 403
* Connection #0 to host left intact

Comment 5 errata-xmlrpc 2019-06-04 10:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.