Using admin endpoint for metrics is insecure #36729
Labels: area/admin; beginner (Good starter issues!); enhancement (Feature requests. Not bugs or questions.); help wanted (Needs help!)
IIUC, it is common practice to expose /ready and /stats/prometheus using the admin endpoint. But this also exposes admin privileges, like stopping the server.
Any compromised Prometheus scraper could stop Envoy services and cause a severe outage (across all scraped Envoy services).
Proposal:
Implement configuration for enabling a minimal service that serves only /ready and /stats/* endpoints.
Current workaround:
See also: https://github.com/envoyproxy/gateway/blob/7ad22df2817b126c95eb1d36a732da872519468e/internal/xds/bootstrap/bootstrap.yaml.tpl#L65
Kubernetes can poll /ready using localhost, so that's less of a problem, but if /ready needs to be consumed by a downstream service, it would be equally insecure.
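
An added example, not part of the original issue and not the Envoy project's own configuration: one way to narrow the exposure described above with existing Envoy bootstrap settings is to bind the admin interface to loopback and publish a separate listener that forwards only GET /ready and GET /stats/prometheus to it. The listener and cluster names and both port numbers are assumptions chosen for illustration.

```yaml
# Added illustration; names and ports (ready_and_stats, admin_local, 19000, 19001) are assumptions.
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 19000 }  # loopback only
static_resources:
  listeners:
  - name: ready_and_stats
    address:
      socket_address: { address: 0.0.0.0, port_value: 19001 }  # scraper-facing port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ready_and_stats
          route_config:
            virtual_hosts:
            - name: admin_read_only
              domains: ["*"]
              routes:
              # Exact-path, GET-only matches; any other request gets a 404 from
              # this listener and is never forwarded to the admin interface.
              - match:
                  path: /ready
                  headers:
                  - name: ":method"
                    string_match: { exact: GET }
                route: { cluster: admin_local }
              - match:
                  path: /stats/prometheus
                  headers:
                  - name: ":method"
                    string_match: { exact: GET }
                route: { cluster: admin_local }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: admin_local
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: admin_local
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 19000 }
```

Processes sharing the proxy's network namespace can still reach the full admin interface on loopback, so this narrows only what remote scrapers and health checkers can call.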