Bug 1703501 - Enable auth for metrics endpoint on service-ca-operator
Summary: Enable auth for metrics endpoint on service-ca-operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Daniel Spangenberg
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-04-26 15:20 UTC by Neelesh Agrawal
Modified: 2019-06-04 10:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:48:05 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata | ID: RHBA-2019:0758 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2019-06-04 10:48:13 UTC

Description Neelesh Agrawal 2019-04-26 15:20:21 UTC
Jira: https://jira.coreos.com/browse/AUTH-297

We should not emit metrics that are globally readable.  The operators should be easy to fix via the library-go code (re-enable delegated auth).

Service CA operator

Comment 1 Daniel Spangenberg 2019-04-30 16:14:50 UTC
PR - https://github.com/openshift/service-ca-operator/pull/54

Comment 3 Chuan Yu 2019-05-05 14:45:22 UTC
Verified on 4.1.0-0.nightly-2019-05-04-210601

sh-4.2# curl -vk https://127.0.0.1:8443/metrics
* About to connect() to 127.0.0.1 port 8443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
*       subject: CN=localhost
*       start date: May 05 04:31:15 2019 GMT
*       expire date: Jun 04 04:31:16 2019 GMT
*       common name: localhost
*       issuer: CN=service-ca-operator-signer@1557030674
> GET /metrics HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8443
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Sun, 05 May 2019 14:45:04 GMT
< Content-Length: 240
< 
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
* Connection #0 to host 127.0.0.1 left intact

Comment 5 errata-xmlrpc 2019-06-04 10:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

