Using admin endpoint for metrics is insecure #36729

Open
erikschul opened this issue Oct 21, 2024 · 1 comment
Labels
area/admin beginner Good starter issues! enhancement Feature requests. Not bugs or questions. help wanted Needs help!

erikschul commented Oct 21, 2024

IIUC, it is common practice to expose /ready and /stats/prometheus using the admin endpoint.
But this also exposes admin privileges, like stopping the server.
Any compromised Prometheus scraper could stop Envoy services and cause a severe outage (across all scraped Envoy services).

Proposal:
Implement configuration for enabling a minimal service that serves only /ready and /stats/* endpoints.

Current workaround:

  • Configure localhost cluster.
  • Configure listener with limited routes:

        routes:
          - match: { prefix: "/stats/prometheus"}
            route: { cluster: admin_cluster }
          - match: { prefix: "/ready"}
            route: { cluster: admin_cluster }
          - match: { prefix: "/"}
            direct_response:
              status: 404

See also: https://github.com/envoyproxy/gateway/blob/7ad22df2817b126c95eb1d36a732da872519468e/internal/xds/bootstrap/bootstrap.yaml.tpl#L65

Kubernetes can poll /ready using localhost, so that's less of a problem, but if /ready needs to be consumed by a downstream service, it would be equally insecure.

@erikschul erikschul added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Oct 21, 2024
@erikschul erikschul changed the title Using admin endpoint for metrics and ready is insecure Using admin endpoint for metrics is insecure Oct 21, 2024
@phlax phlax added area/stats area/health_checking and removed triage Issue requires triage labels Oct 21, 2024
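
The workaround described in the issue above, written out as a full static bootstrap. This is an added example, not configuration from the issue author or the Envoy project. The ports 9901 and 9902, the listener and virtual host names, and the `normalize_path` and GET-only matching are assumptions added here as hardening; the three routes and `admin_cluster` are from the issue.

```yaml
# Added example. Assumed ports: 9901 (admin, loopback) and 9902 (scrape listener).
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }  # never bound off-host
static_resources:
  clusters:
  - name: admin_cluster              # the "localhost cluster" from the workaround
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: admin_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9901 }
  listeners:
  - name: metrics_listener           # the only port scrapers are allowed to reach
    address:
      socket_address: { address: 0.0.0.0, port_value: 9902 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: metrics_listener
          normalize_path: true       # assumption: match routes on the normalized path
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: admin_readonly
            virtual_hosts:
            - name: admin_readonly
              domains: ["*"]
              routes:
              # Assumption: GET-only matching, since scrapers and probes use GET.
              - match:
                  prefix: "/stats/prometheus"
                  headers: [{ name: ":method", string_match: { exact: "GET" } }]
                route: { cluster: admin_cluster }
              - match:
                  prefix: "/ready"
                  headers: [{ name: ":method", string_match: { exact: "GET" } }]
                route: { cluster: admin_cluster }
              - match: { prefix: "/" }   # everything else is answered here, not by admin
                direct_response: { status: 404 }
```

Point Prometheus and any remote readiness checks at port 9902 and keep 9901 unreachable from other hosts; a request for any other admin path on 9902 should return 404.
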
Member

phlax commented Oct 21, 2024

cc @jmarantz
