/metrics protection


Michael Anstis

May 21, 2024, 8:12:06 AM
to Operator Framework
Hi,

I'm struggling.

I have written an Operator that creates a deployment with Pod for an underlying service.

The service itself exposes a /metrics endpoint that we use Prometheus to scrape etc.

I saw in the Operator SDK generated scaffolding of my Operator the various resources for RBAC protection of a /metrics endpoint using kube-rbac-proxy. The accompanying comments imply the endpoint is protected by default and I should create a ClusterRoleBinding to enable it.

My underlying service /metrics endpoint remains public no matter what I have tried.

My question is:

Is the Operator SDK related /metrics configuration to protect the Operator/Operator Manager metrics from being exposed? Do I need to do something completely different to protect my service's /metrics endpoint (the root URL is exposed with a Route).

Probably a silly question... this is all quite new to me.

Thanks,

Michael

Jose Gonzalez

Jun 3, 2024, 4:03:08 PM
to Operator Framework
Hey Michael,

That's correct - the scaffolded kube-rbac-proxy hook protects the controller-manager's metrics endpoint. When enabled (through the default/kustomization.yaml file's patches), operator-sdk will patch in a kube-rbac-proxy as a side car to the deployment spec for the controller itself. This doesn't touch your application's deployment(s) created through your controller.

You effectively want to repeat this, but for the application your operator is deploying. That is, update your reconciliation code such that, when your operator reconciles Deployments of your application, an appropriate kube-rbac-proxy sidecar (and associated configuration, any RBAC, etc.) is applied to protect the application itself.

Hope this helps!

Jose 
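As an added illustration of the sidecar approach described in the reply above (these manifests were written for this page; they are not code from the thread or from the Operator SDK project): the Deployment the operator would reconcile for its managed application, with the application's metrics listener bound to loopback and a kube-rbac-proxy sidecar as the only exposed path to it, plus the RBAC both sides need. The names `example-app` and `example-system`, the application's `--metrics-bind-address` flag, the proxy image tag, the port numbers and the `prometheus-k8s`/`monitoring` scraper identity are assumptions.

```yaml
# Added example, not from the thread. Names, ports, flags and image tags are
# assumptions; adapt them to the application the operator manages.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: example-system
spec:
  replicas: 1
  selector:
    matchLabels: {app: example-app}
  template:
    metadata:
      labels: {app: example-app}
    spec:
      serviceAccountName: example-app
      containers:
        # The application. Assumed flag: it binds its metrics listener to
        # loopback only, so nothing outside the Pod can reach 8080 directly.
        - name: app
          image: example.com/example-app:1.0.0
          args: ["--metrics-bind-address=127.0.0.1:8080"]
        # kube-rbac-proxy authenticates the caller (TokenReview) and authorizes
        # "get" on the non-resource URL /metrics (SubjectAccessReview), then
        # forwards to the upstream on loopback. Same flags the SDK scaffolding
        # uses for the controller-manager's own metrics.
        - name: kube-rbac-proxy
          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
          args:
            - --secure-listen-address=0.0.0.0:8443
            - --upstream=http://127.0.0.1:8080/
            - --logtostderr=true
            - --v=0
          ports:
            - {containerPort: 8443, name: https, protocol: TCP}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
---
# Expose only the proxied port; no Service should select plain 8080.
apiVersion: v1
kind: Service
metadata:
  name: example-app-metrics
  namespace: example-system
spec:
  selector: {app: example-app}
  ports:
    - {name: https, port: 8443, targetPort: https}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-app
  namespace: example-system
---
# The proxy's own identity must be able to create TokenReviews and
# SubjectAccessReviews (the scaffolding calls this proxy-role).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-app-proxy-role
rules:
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-app-proxy-rolebinding
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: example-app-proxy-role}
subjects:
  - {kind: ServiceAccount, name: example-app, namespace: example-system}
---
# Whoever scrapes must be allowed to GET the /metrics non-resource URL
# (the scaffolding calls this metrics-reader).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-app-metrics-reader
rules:
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
# Bind it to the scraper's identity (assumed: Prometheus's ServiceAccount).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-app-metrics-reader
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: example-app-metrics-reader}
subjects:
  - {kind: ServiceAccount, name: prometheus-k8s, namespace: monitoring}
```

In the operator this is the container list and RBAC the reconcile loop builds into the objects it creates or updates; the Service, ServiceMonitor and any Route must target only the proxied port. Two caveats worth checking in a setup like the one in the question: if the application serves /metrics on the same listener as the root URL that the Route exposes, the metrics first have to move to a separate listener, because a proxy in front of one port does nothing for another; and since kube-rbac-proxy serves TLS itself, a Route in front of it needs passthrough or re-encrypt termination rather than edge. To verify, an anonymous request to the proxied port (for example `curl -k https://example-app-metrics.example-system.svc:8443/metrics` from inside the cluster) should be refused with 401, and the same request with an `Authorization: Bearer` token for a ServiceAccount bound to the metrics-reader role should return the metrics.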