Add rbac to /metrics #4165
Merged
Merged
Conversation
Reject workspace-scoped /clusters/<ws>/metrics and cache-server /services/cache/shards/<sh>/clusters/<ws>/metrics with 501 Not Implemented. Metrics are shard-wide and have no per-workspace meaning; allowing them via a workspace ClusterRole + binding was a privilege escalation. Top-level <shard>:6443/metrics is now authorized via root-workspace RBAC: a new bootstrap ClusterRole system:kcp:metrics-reader grants GET on /metrics, and a kcp-admin binds it once in :root for an identity of their choice. The binding is replicated to every shard via the cache server, so a single root binding covers all shards. Cache server top-level /metrics is now reachable as well (previously WithShardScope returned 400 for any path without a /shards/ prefix). Fixes kcp-dev#4062 Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt> On-behalf-of: SAP <mangirdas.judeikis@sap.com>
The current /metrics handler exposes shard-wide data with no per-workspace or per-shard meaning, so workspace-scoped variants are rejected with 501. Note this is a placeholder: when per-workspace metrics are implemented in the future, the URL contract stays the same and the handler fills in. Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt> On-behalf-of: SAP <mangirdas.judeikis@sap.com>
Five subtests exercise the new behavior end-to-end: - workspace-scoped /clusters/<ws>/metrics is 501'd for an unprivileged user even when they hold a ClusterRole+Binding granting nonResourceURLs: [/metrics] inside that workspace - workspace-scoped /clusters/<ws>/metrics is 501'd for system:masters too (the filter runs before authz; no escape hatch) - top-level /metrics for a user with no root binding is 403'd - top-level /metrics for a user bound to system:kcp:metrics-reader in :root scrapes successfully and returns prometheus-format output - top-level /metrics for system:masters keeps working (regression guard) Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt> On-behalf-of: SAP <mangirdas.judeikis@sap.com>
kcp-ci-bot
added
release-note
Contributor
Author
|
/retest |
ntnn
reviewed
May 29, 2026
Comment on lines
+3
to
+4
| kcp exposes Prometheus metrics on the `/metrics` endpoint of every shard and of | ||
| the cache server. These are **shard-wide** resources: a single scrape returns |
Member
There was a problem hiding this comment.
Suggested change
| kcp exposes Prometheus metrics on the `/metrics` endpoint of every shard and of | |
| the cache server. These are **shard-wide** resources: a single scrape returns | |
| kcp exposes Prometheus metrics on the `/metrics` endpoint of every shard and on | |
| the cache server. These are **shard-wide** resources: a single scrape returns |
Comment on lines
+31
to
+36
| return `501 Not Implemented`. Today this is a placeholder: per-workspace and | ||
| per-shard metrics are not yet implemented, and the data the underlying | ||
| `/metrics` handler exposes is shard-wide with no per-workspace or per-shard | ||
| meaning. The kcp HTTP filter rejects these requests before authorization runs | ||
| so that a future implementation can fill in real workspace-scoped metrics | ||
| without changing the URL contract. |
Member
There was a problem hiding this comment.
This feels like it waves three things at once and makes it confusing to read for people who don't already know whats going on.
/metricson workspaces and VWs returns 501/metricson the shard/cache server is aggregated over all resources- Discussing future implementations for a per-workspace
I think these should be separate topics and not in one blob of text.
Comment on lines
+40
to
+43
| kcp ships a bootstrap `ClusterRole` named `system:kcp:metrics-reader` that grants | ||
| `GET` on `/metrics`. To allow an identity to scrape every shard, create a | ||
| `ClusterRoleBinding` in the `:root` workspace. The binding is replicated to all | ||
| shards via the cache server, so a single binding is enough. |
Member
There was a problem hiding this comment.
Arguably you can only do a single binding because there's only one root workspace on the root shard. Maybe reword the last sentence a bit?
| name: prometheus | ||
| ``` | ||
|
|
||
| Apply it against the root workspace: |
Member
There was a problem hiding this comment.
Suggested change
| Apply it against the root workspace: | |
| Apply it to the root workspace: |
Comment on lines
+78
to
+86
| ### Note: workspace-local `nonResourceURLs: /metrics` no longer works | ||
|
|
||
| Earlier kcp releases accidentally allowed a workspace administrator to grant | ||
| themselves access to shard metrics by creating a `ClusterRole` with | ||
| `nonResourceURLs: ["/metrics"]` and a binding inside their own workspace. This | ||
| was a privilege escalation: the data exposed is shard-wide, not workspace | ||
| content. The path is now rejected at the workspace scope and the only | ||
| authoritative binding is one created in `:root`. | ||
|
|
Member
There was a problem hiding this comment.
Should we put this into documentation for people setting up metrics now? If someone used this and it broke I'd guess they check at least the existing issues and then see that it was a security issue.
Contributor
Author
There was a problem hiding this comment.
Wdym? This is docs page.
- docs/metrics.md: split into separate sections for 501 rejection, what /metrics aggregates, and future per-workspace metrics; minor reword. - shardpaths: include /livez, /readyz, /healthz alongside /metrics. - WithShardLevelPaths: reject /clusters/root/<path> too; only the bare URL is valid since the data is shard-wide. - cache server: drop WithShardScope's hardcoded probe special-case now that shardpaths covers it. - tests: extend filter unit tests; add cache-server e2e check that scoped /metrics forms return 501.
Contributor
|
LGTM label has been added. DetailsGit tree hash: 2690099ce6ed04590c78c0ce2c4929fba8739604 |
kcp-ci-bot
added
approved
…heck
- Revert shardpaths expansion. Probes must stay reachable via
/clusters/<ws>/{livez,readyz,healthz}; TestAuthorizer asserts this.
Restore the hardcoded probe special-case in cache server's WithShardScope.
- e2e: use a raw HTTP client for the cache /metrics rejection check;
rest.Request.StatusCode() did not capture 501 from a plain-text body.
Contributor
|
LGTM label has been added. DetailsGit tree hash: 1ee003638cd141bcc13df02642358444e9f9495d |
mjudeikis
added
the
tide/merge-method-squash
Contributor
Author
|
/retest |
Contributor
Author
|
/retest quota bug |
Contributor
Author
|
/retest |
Contributor
Author
|
/retest |
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ntnn The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reject workspace-scoped /clusters//metrics and cache-server /services/cache/shards//clusters//metrics with 501 Not Implemented. Metrics are shard-wide and have no per-workspace meaning; allowing them via a workspace ClusterRole + binding was a privilege escalation.
We might want to implement this down the line. For now - no.
Top-level :6443/metrics is now authorized via root-workspace RBAC: a new bootstrap ClusterRole
system:kcp:metrics-readergrants GET on/metrics, and a kcp-admin binds it once in:rootfor an identity of their choice. The binding is replicated to every shard via the cache server, so a single root binding covers all shards.Cache server top-level /metrics is now reachable as well (previously, WithShardScope returned 400 for any path without a /shards/ prefix).
Fixes #4062
What Type of PR Is This?
/kind feature
Related Issue(s)
Fixes #
Release Notes