New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decouple /metrics endpoint from generic apiserver #801
Comments
/help |
@dgrisonnet: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
PTAL #829 (comment) |
Closing as this can be solved by adding |
What would you like to be added:
I would like metrics-server's /metrics endpoint to be decoupled from the generic apiserver to allow applications only authorized to scrape metrics to be able to scrape metrics-server's /metrics endpoint without requiring apiserver authorization.
Why is this needed:
Metrics-server /metrics endpoint exposes metrics about the server health and these metrics are currently on the same server as the one used to serve the resource metrics API to the apiserver.
This becomes problematic when we want to add authz/authn to metrics scraping since one would have to be authorized by the apiserver in order to access metrics-server's server as well as having the permission to get the /metrics endpoint. Whereas if we were to decouple the /metrics endpoint from the generic API server, the scraper would only have to be authorized to scrape metrics in order to get metrics-server's metrics.
If we were to add authz/authn today without decoupling, we would have to add a kube-rbac-proxy in front of the /metrics and point the scraper to the proxy. It works fine when the request goes from the scraper to the proxy, but from the proxy to the /metrics endpoint, the proxy needs to forward the bearer token used by the apiserver in order to be authorized and this is not in the scope of kube-rbac-proxy which is expected to forward requests to applications without kubernetes awareness.
/kind feature
The text was updated successfully, but these errors were encountered: