`/metrics` endpoint is available on KKP installation URL
What happened
Dashboard metrics are available without authentication on the /metrics path of a KKP hostname, e.g. https://dev.kubermatic.io/metrics. Metrics include information about which URLs are accessible.
Expected behavior
Metrics are not publicly accessible and ideally hosted on a dedicated metrics port.
How to reproduce
Environment
- UI Version: main
- API Version: main
- Domain: dev.kubermatic.io
- Others:
Current workaround
Patch Ingress resources to block /metrics, perhaps?
Affected user persona
Business goal to be improved
Metric to be improved
Issues go stale after 90d of inactivity.
After a further 30 days, they will turn rotten.
Mark the issue as fresh with /remove-lifecycle stale.
If this issue is safe to close now please do so with /close.
/lifecycle stale
@ahmedwaleedmalik why was the bug label removed from this?
/remove-lifecycle stale
The endpoint being open was a design decision and not a bug. Asking for authentication or some guardrails/security around it is a good feature request though; not a bug report.
/label customer-request
Internal reference: 7737
From our internal sync, documenting this here for whoever works on this ticket:
Action Items/Conclusion
Adding authentication is too complicated and not worth the effort.
Proposed Enhancements
- Use a dedicated port for metrics. Since this is a breaking change for customers who might already be using them, this needs a proper release note and documentation in our docs. We also need to document (keep it simple) how to create an Ingress if those metrics are required to be exposed externally/internally (based on ingress settings).
- Adjust KKP and expose the new container port in the UI deployment.
- A further small enhancement for this would be to ensure that our monitoring solution is scraping these metrics. API deployment can be used as a reference (small change).
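As an added illustration of the proposed enhancement (these are not KKP's own manifests), the objects below put metrics on a dedicated container port that the public Ingress never routes to, expose that port only through a ClusterIP Service, and register it with a Prometheus Operator ServiceMonitor so monitoring keeps scraping it. The resource names, image, namespaces and port numbers (8080 for the UI, 9090 for metrics) are assumptions for the example.

```yaml
# Added illustration, not KKP's own manifests. Names, image and port
# numbers are assumptions chosen for the example.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubermatic-dashboard          # hypothetical name
  namespace: kubermatic
spec:
  selector:
    matchLabels: {app: kubermatic-dashboard}
  template:
    metadata:
      labels: {app: kubermatic-dashboard}
    spec:
      containers:
        - name: dashboard
          image: example.invalid/kubermatic/dashboard:TAG   # placeholder
          ports:
            - name: http
              containerPort: 8080   # the only port the public Ingress targets
            - name: metrics
              containerPort: 9090   # dedicated metrics port, never routed by the Ingress
---
# ClusterIP Service for the metrics port only; it is reachable inside the
# cluster but has no Ingress and no external exposure.
apiVersion: v1
kind: Service
metadata:
  name: kubermatic-dashboard-metrics
  namespace: kubermatic
  labels: {app: kubermatic-dashboard, metrics: "true"}
spec:
  type: ClusterIP
  selector: {app: kubermatic-dashboard}
  ports:
    - name: metrics
      port: 9090
      targetPort: metrics
---
# Prometheus Operator scrape target, covering the "make sure monitoring
# scrapes these metrics" item; the monitoring namespace is assumed.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubermatic-dashboard
  namespace: monitoring
spec:
  namespaceSelector: {matchNames: [kubermatic]}
  selector:
    matchLabels: {metrics: "true"}
  endpoints:
    - port: metrics
      interval: 30s
```

This only closes the gap if the dashboard stops serving /metrics on the HTTP port once the dedicated port exists (the "Adjust KKP" item); otherwise a plain HTTP request to the public hostname still reaches it, so verify with a request to https://<kkp-host>/metrics after rollout.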