Skip to content

OCPBUGS-59768: metrics endpoints security - add client cert auth to kube-rbac-proxy #1061

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OCPBUGS-59768: metrics endpoints security - add client cert auth to kube-rbac-proxy #1061

wants to merge 1 commit into from

Conversation

anik120
Copy link
Contributor

@anik120 anik120 commented Sep 3, 2025

Problem:
OLM metrics endpoints were exposed without proper authentication, allowing unauthorized access to sensitive operational data.

Root Cause:
kube-rbac-proxy configuration was missing critical authentication arguments:

  • --client-ca-file
  • --auth-mode=rbac

Solution:

  • Add missing authentication arguments to kube-rbac-proxy in package-server-manager
  • Mount client CA certificate from new metrics-client-ca ConfigMap
  • Update ServiceMonitor to use scrapeClass: tls-client-certificate-auth
  • Create ConfigMap with service CA injection for automatic CA bundle sync

Security Impact:

  • Before: Any HTTPS client could access metrics endpoints
  • After: Only authorized Prometheus service account (system:serviceaccount:openshift-monitoring:prometheus-k8s) can access metrics

@anik120
OCPBUGS-59768: metrics endpoints security - add client cert auth to k…
23298d8 
…ube-rbac-proxy

**Problem:**
OLM metrics endpoints were exposed without proper authentication, allowing unauthorized access to sensitive operational data.

**Root Cause:**
kube-rbac-proxy configuration was missing critical authentication arguments:
- `--client-ca-file`
- `--auth-mode=rbac`

**Solution:**
- Add missing authentication arguments to kube-rbac-proxy in package-server-manager
- Mount client CA certificate from new `metrics-client-ca` ConfigMap
- Update ServiceMonitor to use `scrapeClass: tls-client-certificate-auth`
- Create ConfigMap with service CA injection for automatic CA bundle sync

**Security Impact:**
- **Before:** Any HTTPS client could access metrics endpoints
- **After:** Only authorized Prometheus service account (`system:serviceaccount:openshift-monitoring:prometheus-k8s`) can access metrics
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 3, 2025
@openshift-ci-robot
Copy link

@anik120: This pull request references Jira Issue OCPBUGS-59768, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Problem:
OLM metrics endpoints were exposed without proper authentication, allowing unauthorized access to sensitive operational data.

Root Cause:
kube-rbac-proxy configuration was missing critical authentication arguments:

  • --client-ca-file
  • --auth-mode=rbac

Solution:

  • Add missing authentication arguments to kube-rbac-proxy in package-server-manager
  • Mount client CA certificate from new metrics-client-ca ConfigMap
  • Update ServiceMonitor to use scrapeClass: tls-client-certificate-auth
  • Create ConfigMap with service CA injection for automatic CA bundle sync

Security Impact:

  • Before: Any HTTPS client could access metrics endpoints
  • After: Only authorized Prometheus service account (system:serviceaccount:openshift-monitoring:prometheus-k8s) can access metrics

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anik120
Once this PR has been reviewed and has the lgtm label, please assign tmshort for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dtfranz
Copy link
Contributor

dtfranz commented Sep 4, 2025

/retest

@anik120
Copy link
Contributor Author

anik120 commented Sep 4, 2025
edited
Loading

Looks like the cluster failed to launch in the previous failure because of infra issues

/retest

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 4, 2025

@anik120: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-olm 23298d8 link true /test e2e-gcp-olm
ci/prow/okd-scos-e2e-aws-ovn 23298d8 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-upgrade 23298d8 link true /test e2e-upgrade
ci/prow/e2e-gcp-olm-flaky 23298d8 link false /test e2e-gcp-olm-flaky
ci/prow/e2e-gcp-console-olm 23298d8 link true /test e2e-gcp-console-olm
ci/prow/e2e-gcp-ovn 23298d8 link true /test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rashmigottipati rashmigottipati Awaiting requested review from rashmigottipati

@thetechnick thetechnick Awaiting requested review from thetechnick

Assignees
No one assigned
Labels
jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@anik120 @openshift-ci-robot @dtfranz