Option to disable security on Prometheus health endpoints, /-/healthy and /-/ready


Robin Wittler

Sep 23, 2021, 10:57:21 AM
to Prometheus Developers
Hello,

I want to start a discussion on whether Prometheus should have config options to disable security on the "/-/healthy" and "/-/ready" endpoints.

Thanks to Amrit Pal Singh for first bringing this up on the GitHub issue list: https://github.com/prometheus/prometheus/issues/9166

Running Prometheus with Basic Auth enabled on K8s actually requires some workarounds to be able to use the liveness and/or readiness checks. One would be the mentioned "httpHeaders" option, which requires putting somewhat plain credentials in the K8s definitions (which I really do not want).

Currently I've disabled Basic Auth in Prometheus and use an nginx in front that takes care of auth on all endpoints, except for /-/ready and /-/healthy. But I do not like this either. :)

Julien Pivotto suggested talking about this on the dev mailing list ... so please add your thoughts about this. Thx.
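
As an added illustration of the option proposed above (not Prometheus code, and not written by anyone in this thread): a Go HTTP middleware that enforces Basic Auth on every request except exact-match GET/HEAD requests to `/-/healthy` and `/-/ready`. The names `basicAuthExcept`, `probePaths`, `status`, the `exemptHealth` switch and the credentials are hypothetical and constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical sketch. Exact-match allowlist: a prefix match would also exempt longer paths.
var probePaths = map[string]bool{"/-/healthy": true, "/-/ready": true}

// basicAuthExcept enforces Basic Auth on next; when exemptHealth is set,
// GET/HEAD requests to the probe paths pass through unauthenticated.
func basicAuthExcept(user, pass string, exemptHealth bool, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(user + "\x00" + pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		readOnly := r.Method == http.MethodGet || r.Method == http.MethodHead
		if !(exemptHealth && readOnly && probePaths[r.URL.Path]) {
			u, p, ok := r.BasicAuth()
			// Compare fixed-length digests so timing does not depend on the input.
			got := sha256.Sum256([]byte(u + "\x00" + p))
			if !ok || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
				w.Header().Set("WWW-Authenticate", `Basic realm="example"`)
				http.Error(w, "Unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one request (constructed credentials, stand-in backend) and returns the status code.
func status(exemptHealth bool, method, path string, withCreds bool) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	req := httptest.NewRequest(method, path, nil)
	if withCreds {
		req.SetBasicAuth("admin", "constructed-secret")
	}
	rec := httptest.NewRecorder()
	basicAuthExcept("admin", "constructed-secret", exemptHealth, backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, p := range []string{"/-/healthy", "/-/ready", "/-/reload", "/api/v1/query"} {
		fmt.Println(p, "no creds:", status(true, "GET", p, false), "with creds:", status(true, "GET", p, true))
	}
}
```

With the switch on, the two probe paths answer anyone who can reach the port, so a kubelet probe needs no `httpHeaders` credentials; every other path, and any non-GET/HEAD method on the probe paths, still returns 401 without credentials.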

Julien Pivotto

Sep 23, 2021, 2:11:23 PM
to Robin Wittler, Prometheus Developers
Yes, I'd like to discuss how we could work with other use cases:

- Restricting prometheus admin endpoints to certain users.
- Restricting certain pushgateway users to certain paths (to force them to only post on their metrics).

I feel like we could either decide we do not want those use cases or find
a solution that would fit them all.




--
Julien Pivotto
@roidelapluie

Matthias Rampke

Oct 26, 2021, 7:43:58 AM
to Robin Wittler, Prometheus Developers
It seems to me that these are two different directions – locking down the admin endpoints more vs. not locking down the health endpoints at all.

In what scenario would one want to have /-/healthy and /-/ready protected?

/MR


Julien Pivotto

Oct 26, 2021, 7:45:41 AM
to Matthias Rampke, Robin Wittler, Prometheus Developers
On 26 Oct 11:43, Matthias Rampke wrote:
> It seems to me that these are two different directions – locking down the
> admin endpoints more vs. not locking down the health endpoints at all.
>
> In what scenario would one want to have /-/healthy and /-/ready protected?
>
> /MR


When you do not use it and do not want to disclose the app behind it.

--
Julien Pivotto
@roidelapluie