
Improve scaffolding of ServiceMonitor

Open fgiloux opened this issue 2 years ago • 5 comments

What do you want to happen?

Currently the scaffolding of ServiceMonitor makes use of Prometheus in-cluster credentials for collecting metrics. In some Prometheus installations it is not allowed, i.e. the setting is ignored for security reasons: a problem with the approach is that the Prometheus token is exposed to the user creating the ServiceMonitor. With this token the user would be able to query any metrics endpoint Prometheus has access to.

Another issue is that insecureSkipVerify is used, which deactivates an important mechanism to check that the server reached is what it pretends to be.

My use case is really about:

  • increasing the security level of what is offered by default by Kubebuilder
  • making the default configuration work with a larger estate

It is not related to a particular Kubernetes version. After a quick search I am not aware of another issue associated with this.

I am proposing to create an additional service account and token secret, used for scraping the operator metrics. This can then get referenced in the ServiceMonitor resource. In a similar way the TLS certificates generated to secure the operator endpoint can be referenced in the ServiceMonitor to guarantee the authenticity of the server to Prometheus.

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: servicemonitor
    app.kubernetes.io/instance: controller-manager-metrics-monitor
    app.kubernetes.io/component: metrics
    app.kubernetes.io/created-by: project-v4
    app.kubernetes.io/part-of: project-v4
    app.kubernetes.io/managed-by: kustomize
  name: controller-manager-metrics-monitor
  namespace: system
spec:
  endpoints:
    - path: /metrics
      port: https
      scheme: https
      bearerTokenSecret:
        key: token
        name: prometheus-token
      tlsConfig:
        ca:
          secret:
            key: ca.crt
            name: serving-cert
            # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
        serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
  selector:
    matchLabels:
      control-plane: controller-manager

Extra Labels

No response

fgiloux avatar Oct 11 '23 15:10 fgiloux
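The manifest in the issue references a secret named prometheus-token but does not show where that secret comes from. The following is an added example, not part of the issue or of the kubebuilder project's scaffolding, of the supporting resources such a ServiceMonitor would need: a dedicated ServiceAccount, a kubernetes.io/service-account-token Secret bound to it (the token controller fills in the token and ca.crt keys), and a ClusterRoleBinding that grants nothing beyond GET on /metrics. The namespace system and the secret name prometheus-token are taken from the issue's manifest; the ServiceAccount name metrics-scraper, the binding name and the inline ClusterRole are assumptions made for this example.

```yaml
# Added example (not from the issue author or the kubebuilder project).
# Names "metrics-scraper" and "metrics-scraper-rolebinding" are assumptions;
# namespace "system" and secret "prometheus-token" match the issue's manifest.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-scraper
  namespace: system
---
# Long-lived token Secret bound to the ServiceAccount above. Kubernetes'
# token controller populates the "token", "ca.crt" and "namespace" keys,
# so the ServiceMonitor's bearerTokenSecret can reference key "token".
# The Secret must live in the same namespace as the ServiceMonitor, because
# prometheus-operator resolves bearerTokenSecret and tlsConfig.ca.secret
# relative to the ServiceMonitor's namespace.
apiVersion: v1
kind: Secret
metadata:
  name: prometheus-token
  namespace: system
  annotations:
    kubernetes.io/service-account.name: metrics-scraper
type: kubernetes.io/service-account-token
---
# Least-privilege role: only GET on the non-resource URL /metrics.
# Shown inline so the example is self-contained.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-scraper-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-reader
subjects:
  - kind: ServiceAccount
    name: metrics-scraper
    namespace: system
```

With these resources applied, the token presented by Prometheus identifies a ServiceAccount that can do nothing but read /metrics, so exposing it in the ServiceMonitor's namespace no longer hands out Prometheus's own credentials. Because a kubernetes.io/service-account-token Secret is long-lived, it should be treated like any other static credential: scoped to one namespace, bound to one narrow role and rotated by deleting and recreating the Secret.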