Bug 1897630 - The metrics endpoint for openshift-monitoring / prometheus is not protected by RBAC
Summary: The metrics endpoint for openshift-monitoring / prometheus is not protected b...
Keywords:
Status: CLOSED DUPLICATE of bug 1964334
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Pawel Krupa
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-11-13 16:54 UTC by Dave Baker
Modified: 2021-05-25 15:42 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-25 15:42:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1889488 0 high CLOSED The metrics endpoint for the Scheduler is not protected by RBAC 2022-03-10 16:02:50 UTC

Description Dave Baker 2020-11-13 16:54:18 UTC 
Description of problem:

- The prometheus metrics endpoint is not protected by RBAC, leading to anonymous external users being able to scrape metrics information about the cluster.

- See also BZ: 1889488 ("The metrics endpoint for the Scheduler is not protected by RBAC")



Version-Release number of selected component (if applicable):

- Tested on 4.4.27, 4.5.18


How reproducible:

- Always


Steps to Reproduce:

1. Install OCP
2. curl -k https://prometheus-k8s-openshift-monitoring.apps.CLUSTERID.example.com/metrics



Actual results:

- metrics are shown


Expected results:

- No data should be shown as an unauthenticated user


Additional info:
Comment 6 Simon Pasquier 2021-05-25 15:42:26 UTC 

*** This bug has been marked as a duplicate of bug 1964334 ***
Note You need to log in before you can comment on or make changes to this bug.