Security: Unauthenticated Access to Metrics Endpoints
Expected Behavior
HTTP/1.1 401 Unauthorized
{"error": "Unauthorized"}
Actual Behavior
# HELP go_goroutines Number of goroutines that currently exist.
# TYPE go_goroutines gauge
go_goroutines 147
# HELP tekton_pipelines_controller_pipelinerun_count Number of pipelineruns
# TYPE tekton_pipelines_controller_pipelinerun_count gauge
tekton_pipelines_controller_pipelinerun_count{status="success"} 42
...
[MORE METRICS OUTPUT]
Steps to Reproduce the Problem
curl http://${POD_IP}:9090/metrics
Additional Info
Recommended Approach: kube-rbac-proxy Sidecar
Deploy kube-rbac-proxy as a sidecar container to enforce authentication:
┌─────────────────────────────────────────┐
│ Pod: tekton-pipelines-controller        │
│                                         │
│  ┌───────────────┐   ┌──────────────┐   │
│  │  Controller   │   │  kube-rbac-  │   │
│  │               │   │    proxy     │   │
│  │    :9090      │◄──┤    :8443     │◄──┼─── HTTPS + Bearer Token
│  │  (localhost)  │   │  (external)  │   │    (Authenticated)
│  └───────────────┘   └──────────────┘   │
└─────────────────────────────────────────┘
/assign
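The manifests below are an added worked example of the sidecar approach sketched above; they are not part of this issue, and not Tekton's or kube-rbac-proxy's own deployment files. They assume the controller runs as Deployment and ServiceAccount `tekton-pipelines-controller` with pod label `app=tekton-pipelines-controller` in namespace `tekton-pipelines`, that a Prometheus ServiceAccount `prometheus` in namespace `monitoring` does the scraping, that a TLS Secret `tekton-metrics-tls` exists, and that the image tag is one you have reviewed. They also add the piece the diagram leaves implicit: the controller keeps listening on `$POD_IP:9090`, so a NetworkPolicy is used to close the direct path while the sidecar still reaches the port over loopback.

```yaml
# Added example, not Tekton's or kube-rbac-proxy's own manifests. All names
# (namespaces, ServiceAccounts, labels, Secret, image tag) are assumptions;
# adjust to your cluster.

# 1. The proxy must be allowed to call TokenReview (who presented this
#    token?) and SubjectAccessReview (may they GET /metrics?) on the API.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-metrics-rbac-proxy
rules:
- {apiGroups: ["authentication.k8s.io"], resources: ["tokenreviews"], verbs: ["create"]}
- {apiGroups: ["authorization.k8s.io"], resources: ["subjectaccessreviews"], verbs: ["create"]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-metrics-rbac-proxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-metrics-rbac-proxy
subjects:
- {kind: ServiceAccount, name: tekton-pipelines-controller, namespace: tekton-pipelines}
---
# 2. Sidecar. This document is a strategic merge patch for `kubectl patch`,
#    not a full Deployment: it adds one container and one volume by name and
#    leaves the existing controller container untouched. With no --config-file
#    the proxy authorizes against the non-resource URL of each request, so a
#    caller needs the "get" verb on "/metrics" (granted in 3).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  template:
    spec:
      containers:
      - name: kube-rbac-proxy
        image: quay.io/brancz/kube-rbac-proxy:v0.18.0   # assumed tag; pin a reviewed release
        args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:9090/        # controller's plaintext port, pod loopback only
        - --tls-cert-file=/etc/tls/tls.crt         # without these two flags the proxy
        - --tls-private-key-file=/etc/tls/tls.key  # self-signs, which scrapers cannot verify
        ports:
        - name: https-metrics
          containerPort: 8443
        volumeMounts:
        - name: metrics-tls
          mountPath: /etc/tls
          readOnly: true
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: {drop: ["ALL"]}
      volumes:
      - name: metrics-tls
        secret:
          secretName: tekton-metrics-tls   # assumed; e.g. issued by cert-manager
---
# 3. What a scraper is permitted to do, bound to the Prometheus ServiceAccount.
#    Any token whose subject lacks this grant gets 403; no token gets 401.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-metrics-reader
rules:
- {nonResourceURLs: ["/metrics"], verbs: ["get"]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-metrics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-metrics-reader
subjects:
- {kind: ServiceAccount, name: prometheus, namespace: monitoring}
---
# 4. The sidecar alone does not close the hole: the curl from this issue still
#    reaches $POD_IP:9090 from any pod. Loopback traffic inside the pod never
#    crosses the CNI, so admitting only 8443 blocks the direct path while the
#    proxy keeps reaching 127.0.0.1:9090. Add any other ports the pod must
#    accept (e.g. probes, if your CNI enforces policy on kubelet traffic).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tekton-pipelines-controller-metrics
  namespace: tekton-pipelines
spec:
  podSelector:
    matchLabels:
      app: tekton-pipelines-controller   # assumed pod label
  policyTypes: ["Ingress"]
  ingress:
  - ports:
    - {protocol: TCP, port: 8443}
```

Apply documents 1, 3 and 4 with `kubectl apply -f`, and the Deployment fragment with `kubectl patch -n tekton-pipelines deployment tekton-pipelines-controller --patch-file <file>`. To check the result, repeat the curl from the issue against the new port: `curl -sk https://$POD_IP:8443/metrics` should now return 401, `curl -sk -H "Authorization: Bearer $(kubectl -n monitoring create token prometheus)" https://$POD_IP:8443/metrics` should return the metrics, and a token for a ServiceAccount without the reader binding should return 403. The original `curl http://$POD_IP:9090/metrics` from another pod should time out once the NetworkPolicy is enforced (this requires a CNI that implements NetworkPolicy). On the scraping side, the Prometheus job needs `scheme: https`, the pod's token via `bearer_token_file`, and the issuing CA in `tls_config`, which is why the example mounts a real certificate instead of relying on the proxy's self-signed one.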