mirror of https://github.com/coreos/prometheus-operator.git synced 2026-02-05 06:45:27 +01:00

2 Commits

Author SHA1 Message Date
Simon Pasquier
07cfc8b26d test: expose UTF-8 metric with instrumented app
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
2025-09-29 16:19:49 +02:00
Max Leonard Inden
fd92cbfe94 pkg/prometheus: Enable users to configure bearer token from secret
To configure a bearer token users could only specify a file path in the
service monitor, pointing to a bearer token file in the Prometheus
container. This enables hostile users, being able to configure a service
monitor and controlling the scrape target, to retrieve arbitrary files
in the Prometheus container.

In cases where users cannot be trusted, this patch adds an option to
disallow the above file path specification and replaces it by a secret
reference. This secret has to be in the same namespace as the service
monitor, shrinking the attack vector.

pkg/prometheus: Add option to deny file system access through service monitors

ArbitraryFSAccessThroughSMsConfig enables users to configure whether
a service monitor selected by the Prometheus instance is allowed to use
arbitrary files on the file system of the Prometheus container. This is
the case when e.g. a service monitor specifies a BearerTokenFile in an
endpoint. A malicious user could create a service monitor
selecting arbitrary secret files in the Prometheus container. Those
secrets would then be sent with a scrape request by Prometheus to a
malicious target. Denying the above would prevent the attack; users can
instead use the BearerTokenSecret field.

test/basic-auth-test-app: Add mTLS endpoint

pkg/prometheus: Enable users to configure tls from secret

pkg/prometheus/operator: Validate TLS configs before retrieving assets

Before retrieving TLS assets from Kubernetes secrets for a given service
monitor, make sure the user did not specify both file and secret
reference, e.g. both `CAFile` and `CASecret`.

test: Rename basic-auth-test-app to instrumented-sample-app

Given that the basic-auth-test-app not only supports basic auth, but
also bearer token as well as TLS authentication, this patch renames the
app to a more generic name.

test/e2e/prometheus_test: Test ArbitraryFSAccessThroughSM option for tls

The Prometheus custom resource has the option to disable arbitrary
filesystem access configured through service monitors. This commit adds
an end-to-end test for this option in combination with the TLS
configuration via files or secret references in service monitors.

pkg/prometheus/operator: Move check for arbitrary fs access into func
2019-10-07 13:07:05 +02:00
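The two checks the commit message above describes, as an added illustration that is not the operator's own code: the struct shapes, field names and the `ValidateEndpoint` function are simplified assumptions standing in for the project's ServiceMonitor endpoint and TLS types, and the file paths used in `main` are constructed sample values.

```go
package main

import "fmt"

// Simplified stand-ins for the operator's endpoint and TLS types (assumed
// shapes for illustration, not the project's real structs).
type SecretKeySelector struct{ Name, Key string }

type TLSConfig struct {
	CAFile, CertFile, KeyFile       string
	CASecret, CertSecret, KeySecret *SecretKeySelector
}

type Endpoint struct {
	BearerTokenFile   string
	BearerTokenSecret *SecretKeySelector
	TLSConfig         *TLSConfig
}

// ValidateEndpoint applies both rules from the commit message:
// (1) a file path and a secret reference must never be set for the same
// credential, and (2) when arbitrary file system access is denied, no file
// path may be used at all, so a ServiceMonitor cannot make Prometheus read a
// file out of its own container and send it to a scrape target.
func ValidateEndpoint(ep Endpoint, denyFSAccess bool) error {
	type credential struct {
		name   string
		file   string
		secret *SecretKeySelector
	}
	creds := []credential{{"bearerToken", ep.BearerTokenFile, ep.BearerTokenSecret}}
	if t := ep.TLSConfig; t != nil {
		creds = append(creds,
			credential{"ca", t.CAFile, t.CASecret},
			credential{"cert", t.CertFile, t.CertSecret},
			credential{"key", t.KeyFile, t.KeySecret})
	}
	for _, c := range creds {
		if c.file != "" && c.secret != nil {
			return fmt.Errorf("%s: specify either a file path or a secret reference, not both", c.name)
		}
		if denyFSAccess && c.file != "" {
			return fmt.Errorf("%s: file %q rejected, arbitrary fs access is denied; use a secret reference", c.name, c.file)
		}
	}
	return nil
}

func main() {
	secret := &SecretKeySelector{Name: "scrape-creds", Key: "token"} // constructed sample
	fmt.Println(ValidateEndpoint(Endpoint{BearerTokenFile: "/etc/prometheus/sample-file"}, true)) // denied
	fmt.Println(ValidateEndpoint(Endpoint{BearerTokenSecret: secret}, true))                       // <nil>
}
```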