Bug 1703502 - Enable auth for metrics endpoint on cluster-authentication-operator
Summary: Enable auth for metrics endpoint on cluster-authentication-operator
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Abu Kashem
QA Contact: Chuan Yu
Depends On:
Reported: 2019-04-26 15:22 UTC by Neelesh Agrawal
Modified: 2019-06-04 10:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:48:05 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:48:13 UTC

Description Neelesh Agrawal 2019-04-26 15:22:40 UTC

We should not emit metrics that are globally readable.  The operators should be easy to fix via the library-go code (re-enable delegated auth).

Cluster Authentication Operator

Comment 1 Abu Kashem 2019-04-30 13:37:05 UTC
PR - https://github.com/openshift/cluster-authentication-operator/pull/123

I have done the following testing:

Make sure that the /metrics endpoint is not accessible to an
unauthenticated user.
If I access the /metrics endpoint using curl as shown below, I get the
following 403 error:
curl -k https://$(kubectl get service metrics -o json | jq -r .spec.clusterIP)/metrics
"message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
"reason": "Forbidden",

I checked 'prometheus-k8s-openshift-monitoring'; it looks like all
'AuthenticationOperator2_*' metrics are collected after delegated
auth is turned on.
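The gate the description asks for and that Comment 1 verifies, as an added Go illustration that is not code from library-go or the operator: every request to the metrics handler is authenticated (bearer token) and authorized (verb "get" on the non-resource path) before metrics are served, and a rejected request gets the same metav1.Status body the curl output shows. Authenticator and Authorizer are hypothetical function types standing in for the TokenReview and SubjectAccessReview delegation; Probe is a test helper so the check runs offline.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)
// Hypothetical stand-ins for the TokenReview / SubjectAccessReview delegation the description refers to.
type Authenticator func(token string) (user string, ok bool)
type Authorizer func(user, verb, path string) bool
// writeStatus emits the metav1.Status-shaped JSON body shown in the bug's curl output.
func writeStatus(w http.ResponseWriter, code int, reason, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(map[string]interface{}{
		"kind": "Status", "apiVersion": "v1", "metadata": map[string]string{}, "status": "Failure",
		"message": msg, "reason": reason, "details": map[string]string{}, "code": code})
}
// WithDelegatedAuth gates a metrics handler: a presented but invalid token gets 401, a missing
// token maps to system:anonymous, and the authorizer must allow the verb on the request path.
func WithDelegatedAuth(next http.Handler, authn Authenticator, authz Authorizer) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, verb := "system:anonymous", strings.ToLower(r.Method)
		if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
			u, ok := authn(strings.TrimPrefix(h, "Bearer "))
			if !ok {
				writeStatus(w, http.StatusUnauthorized, "Unauthorized", "Unauthorized")
				return
			}
			user = u
		}
		if !authz(user, verb, r.URL.Path) {
			writeStatus(w, http.StatusForbidden, "Forbidden",
				"forbidden: User \""+user+"\" cannot "+verb+" path \""+r.URL.Path+"\"")
			return
		}
		next.ServeHTTP(w, r) // only authenticated and authorized callers reach the metrics
	})
}
// Probe sends GET /metrics with an optional bearer token and returns the status code and body.
func Probe(h http.Handler, token string) (int, string) {
	req, rec := httptest.NewRequest(http.MethodGet, "/metrics", nil), httptest.NewRecorder()
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}
```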

Comment 4 Chuan Yu 2019-05-05 14:47:15 UTC
Verified on 4.1.0-0.nightly-2019-05-04-210601

sh-4.4# curl -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}

Comment 6 errata-xmlrpc 2019-06-04 10:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
