Clarification on Required Public Endpoints for Fleet Agent and Fleet Desktop
Problem
I want to expose only the minimal set of Fleet endpoints necessary for my devices to communicate with the Fleet server. My Fleet deployment is managed using Helm and exposed via a Kubernetes Ingress. The monitored devices are located outside the network.
What I’ve Tried
I followed the guidance on this FleetDM page and exposed only the listed endpoints. However, after doing so, the Fleet agent can no longer share data with the server, causing devices to appear offline.
For Fleet Desktop, I also noticed that the /device/ endpoint is not recommended for public exposure. Given this, how should users access the Fleet Desktop page while maintaining security best practices?
Potential Solutions
Update the documentation to include all required endpoints/URLs necessary for Fleet to function correctly.
Provide clearer guidance on how to securely expose Fleet Desktop for external devices.
It looks like our documentation doesn't fully reflect that /device would need to be exposed for the "My Device" page to work and also /assets for the CSS/Images on that device page.
@pacokleitz thanks for reporting this bug in the docs!
@rfairburn does this work? https://github.com/fleetdm/fleet/pull/27798
@pacokleitz we updated the guide! https://github.com/fleetdm/fleet/pull/27798
Thanks for the feedback. Please feel free to re-open this issue if we're missing something.
Here's a list of endpoints:
/api/osquery
/api/v1/osquery
/api/*/fleet/device/*/desktop
/device/*
/assets/*
/api/fleet/orbit/*
/api/fleet/device/ping
/api/setup
/api/*/setup
/api/*/fleet/*
/mdm/apple/scep
/mdm/apple/mdm
/api/mdm/apple/enroll
/api/*/fleet/device/*
/api/*/fleet/mdm/sso
/api/*/fleet/mdm/sso/callback
/api/*/fleet/mdm/setup/eula/*
/api/*/fleet/mdm/bootstrap
/api/mdm/microsoft/management
/api/mdm/microsoft/discovery
/api/mdm/microsoft/policy
/api/mdm/microsoft/enroll
/api/mdm/microsoft/tos
/api/mdm/microsoft/auth
/mdm/scep/proxy/*
/api/*/fleet/*
/mdm/apple/scep
/api/mdm/microsoft/discovery
/api/mdm/microsoft/auth
/api/mdm/microsoft/policy
/api/mdm/microsoft/enroll
/api/mdm/microsoft/management
/api/mdm/microsoft/tos
/api/*/assets/*
Nevertheless, my devices remain in an "offline" status. As soon as I remove these rules and leave only this one: /api/*, all devices immediately switch to an "online" status.
Which additional endpoint needs to be opened to ensure the devices are online?
I found an API endpoint that is not listed in the official documentation for the online status in the fleetdm web interface. Just /api/v1/osquery is not enough. It also requires /api/v1/osquery/*
Thank you for your effort in finding a solution.
Despite exposing the paths mentioned in the article, the fleet client remains stuck at "Connecting..." without success. Here are the paths I have configured:
paths:
  - path: /api/.*/fleet/device/.*/desktop
    pathType: ImplementationSpecific
  - path: /api/osquery
    pathType: Prefix
  - path: /api/v1/osquery
    pathType: Prefix
  - path: /device
    pathType: Prefix
  - path: /assets
    pathType: Prefix
The paths suggested by mrtaxi seem closer to what I would expect the complete list to be.
This works, I can see my hosts as online, but I get a "This URL is invalid or expired. To access your device information, please click “My Device” from the Fleet Desktop menu icon." error when trying to open Fleet Desktop from the tray icon.
  - path: /api/.*/fleet/device/.*/desktop
    pathType: ImplementationSpecific
  - path: /api/fleet/orbit
    pathType: Prefix
  - path: /api/osquery
    pathType: Prefix
  - path: /api/v1/osquery
    pathType: Prefix
  - path: /device
    pathType: Prefix
  - path: /assets
    pathType: Prefix
I had to add /api/fleet/orbit/* for the hosts to be able to connect to fleet.
If I add this path, I can access the full Fleet Desktop page (no invalid/expired error anymore), but it is probably insecure to expose all of this?
  - path: /api/latest/fleet/device
    pathType: Prefix
(equivalent to /api/latest/fleet/device/*)
Before adding it, I was getting this error in the logs:
INF periodic check of token failed, initiating rotation error="HEAD /api/latest/fleet/device/xxxxx/ping, but exposing only the ping endpoint was not enough.
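The thread above converges on an Ingress path list by trial and error: the documented set leaves agents offline, the orbit and device-token paths fix that, and a blanket /api/* "works" but also exposes the whole admin API. The following is an added dry-run tool, not code from Fleet or from anyone in this thread. It encodes candidate Ingress rules as data, evaluates them against request paths the way Kubernetes evaluates `Prefix` rules (element-wise on `/`-separated segments, so `/api/v1/osquery` already covers `/api/v1/osquery/log` but not `/api/v1/osqueryx`) and treats `ImplementationSpecific` as an nginx-style start-anchored regex, which is an assumption about ingress-nginx with regex matching enabled. The request paths are constructed from the patterns quoted in this thread plus the standard osquery TLS endpoints; the admin paths are likewise constructed examples of what a too-broad rule lets through. Replace them with paths pulled from your own ingress access log before trusting the result.

```python
"""Dry-run a Kubernetes Ingress path allow-list against Fleet agent request paths.

Added example: mirrors Kubernetes `Prefix` matching and (assumed) ingress-nginx
regex matching for `ImplementationSpecific`, so an allow-list can be checked
offline before it is applied to a live cluster.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressPath:
    path: str
    path_type: str  # "Exact", "Prefix" or "ImplementationSpecific"


def _prefix_match(rule: str, request: str) -> bool:
    # Kubernetes Prefix semantics: compare path elements split on "/".
    # "/api/v1/osquery" matches "/api/v1/osquery", "/api/v1/osquery/" and
    # "/api/v1/osquery/log", but NOT "/api/v1/osqueryx".
    rule_parts = [p for p in rule.split("/") if p]
    req_parts = [p for p in request.split("/") if p]
    return req_parts[: len(rule_parts)] == rule_parts


def matches(rule: IngressPath, request: str) -> bool:
    if rule.path_type == "Exact":
        return request == rule.path
    if rule.path_type == "Prefix":
        return _prefix_match(rule.path, request)
    # ImplementationSpecific: assumed to be an nginx `location ~ "^..."` regex,
    # i.e. anchored at the start of the path only (ingress-nginx use-regex).
    return re.match(rule.path, request) is not None


def uncovered(rules, requests):
    """Request paths that no rule routes; these are what an agent sees as 'offline'."""
    return [r for r in requests if not any(matches(rule, r) for rule in rules)]


def exposed(rules, requests):
    """Request paths the rules DO route; run this over admin paths to spot over-exposure."""
    return [r for r in requests if any(matches(rule, r) for rule in rules)]


# Rule sets as they appear in the thread (hypothetical names for the three stages).
DOCS_RULES = [
    IngressPath("/api/.*/fleet/device/.*/desktop", "ImplementationSpecific"),
    IngressPath("/api/osquery", "Prefix"),
    IngressPath("/api/v1/osquery", "Prefix"),
    IngressPath("/device", "Prefix"),
    IngressPath("/assets", "Prefix"),
]
MINIMAL_RULES = DOCS_RULES + [
    IngressPath("/api/fleet/orbit", "Prefix"),
    IngressPath("/api/latest/fleet/device", "Prefix"),
]
BROAD_RULES = [IngressPath("/api/.*", "ImplementationSpecific")]

# Constructed sample traffic (not captured from a real deployment). TOKEN stands
# in for the per-device token that appears in the real URLs.
AGENT_REQUESTS = [
    "/api/v1/osquery/enroll",            # osquery TLS enroll plugin
    "/api/v1/osquery/config",            # osquery TLS config plugin
    "/api/v1/osquery/log",               # osquery TLS logger plugin
    "/api/v1/osquery/distributed/read",  # live query polling
    "/api/fleet/orbit/enroll",           # orbit enrollment
    "/api/fleet/orbit/config",           # orbit config fetch
    "/api/latest/fleet/device/TOKEN/ping",     # token check seen in the log above
    "/api/latest/fleet/device/TOKEN/desktop",  # Fleet Desktop tray data
    "/device/TOKEN",                     # "My Device" page
    "/assets/bundle.css",                # static assets for that page
]
ADMIN_REQUESTS = [  # constructed examples of authenticated admin API paths
    "/api/latest/fleet/hosts",
    "/api/latest/fleet/login",
    "/api/latest/fleet/queries",
]


def report(name, rules):
    """Summarise one rule set; returns (uncovered agent paths, exposed admin paths)."""
    missing = uncovered(rules, AGENT_REQUESTS)
    leaked = exposed(rules, ADMIN_REQUESTS)
    print(f"{name}: {len(missing)} agent path(s) blocked, {len(leaked)} admin path(s) exposed")
    for p in missing:
        print(f"  blocked: {p}")
    for p in leaked:
        print(f"  exposed: {p}")
    return missing, leaked


if __name__ == "__main__":
    report("docs", DOCS_RULES)        # orbit + device/ping blocked -> hosts offline
    report("minimal", MINIMAL_RULES)  # everything the agent needs, no admin API
    report("broad /api/*", BROAD_RULES)  # hosts online, but admin API exposed
```

The `minimal` set is the one the last post in this thread reports as working; the dry run shows why it is acceptable: `/api/latest/fleet/device` as a `Prefix` rule only routes device-token URLs, whereas `/api/.*` routes every authenticated admin endpoint to the internet-facing Ingress. Feed real access-log paths into `AGENT_REQUESTS` to confirm the list against your own agent version before applying it.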