Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Option to disable security on Prometheus health endpoints, /-/healthy and /-/ready #9166

Open
amrit-35 opened this issue Aug 6, 2021 · 8 comments · May be fixed by prometheus/exporter-toolkit#70, prometheus/exporter-toolkit#106 or prometheus/exporter-toolkit#151
Open

Option to disable security on Prometheus health endpoints, /-/healthy and /-/ready #9166

amrit-35 opened this issue Aug 6, 2021 · 8 comments · May be fixed by prometheus/exporter-toolkit#70, prometheus/exporter-toolkit#106 or prometheus/exporter-toolkit#151
Labels
priority/Pmaybe

Comments

@amrit-35
Copy link

amrit-35 commented Aug 6, 2021
edited
Loading

Proposal

I am using Prometheus in kubernates, and recently enabled basic Auth with version 2.28. But it turn out Prometheus also enables security on health endpoints. Their is no way to safely provide credentials for liveness and readiness probe. Following works but not really the safest option. I think we should have a option to disable security on these endpoints.

livenessProbe:
      httpGet:
        path: /-/healthy
        port: 9090
        httpHeaders:
        - name: Authorization
          value: Basic dXNlcjpwYXNz
@git-kundan
Copy link

git-kundan commented Aug 7, 2021
edited
Loading

This could be a generic functionality to disable authentication on certain endpoints. Will need an additional option in web-config.yml and corresponding check in users.go.

Should this issue be moved to exporter toolkit repo?

@roidelapluie
Copy link
Member

Thank you, I think we could maybe have an excludeEndpoint configuration option in the web.yml, but I feel like we should discuss this more broadly on the developers mailing list, because e.g. the pushgateway might want to go one step further and even have per-path authentication.

@robin-wittler
Copy link

Would be very helpful if I can disable security for certain endpoints like "/-/ready" or "/-/healthy" - specially when running under K8S. Is there already an ongoing discussion on the dev mail list? I was not able to find it ...

@roidelapluie
Copy link
Member

Not yet.

@darshanime darshanime linked a pull request Oct 31, 2021 that will close this issue
Open
@PangQingcheng
Copy link

yes, I think it's necessary

@heylongdacoder heylongdacoder linked a pull request Aug 13, 2022 that will close this issue
Open
@JoaoBraveCoding JoaoBraveCoding mentioned this issue Mar 17, 2023
Open
@rzetelskik
Copy link

Is there an ETA yet?

@tnozicka tnozicka mentioned this issue Apr 21, 2023
Open
@rzetelskik rzetelskik mentioned this issue May 4, 2023
Closed
@rzetelskik rzetelskik linked a pull request May 11, 2023 that will close this issue
Open
@rzetelskik
Copy link

Sent prometheus/exporter-toolkit#151.

@krajorama
Copy link
Member

Hello from the bug scrub: this is still waiting for the dev summit discussion.

@Xu-Wentao Xu-Wentao mentioned this issue Oct 15, 2024
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority/Pmaybe
Projects
None yet
Milestone
No milestone
7 participants
@roidelapluie @robin-wittler @krajorama @PangQingcheng @rzetelskik @git-kundan @amrit-35