|
2 | 2 |
|
3 | 3 | The prom-label-proxy enforces a given label in a given PromQL proxy. |
4 | 4 |
|
5 | | -This proxy does not perform authentication or authorization, this has to happen |
6 | | -before the request reaches this proxy. The |
7 | | -[kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) is an example for |
8 | | -such an additional building block. |
9 | | - |
| 5 | +This proxy does not perform authentication or authorization, this has to happen before the request reaches this proxy. The [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) is an example for such an additional building block. |
10 | 6 |
|
11 | 7 | Risks outside the scope of this project: |
12 | 8 |
|
13 | | -- If a tenant controls its scrape target configuration the tenant can set |
14 | | - arbitrary labels via its relabelling configuration, thereby being able to |
15 | | - pollute other tenant's metrics. |
| 9 | +- If a tenant controls its scrape target configuration the tenant can set arbitrary labels via its relabelling configuration, thereby being able to pollute other tenant's metrics. |
| 10 | + |
| 11 | +- If the ingestion configuration [honor_labels](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) is set for a tenant's target, that target can pollute other tenant's metrics as Prometheus respects any labels exposed by the target. |
| 12 | + |
| 13 | +## How does this project work? |
| 14 | + |
| 15 | +What this proxy does is it proxies the `/federate`, `/api/v1/query`, `/api/v1/query_range` prometheus endpoints and ensures that a particular label is enforced in the particular query. |
| 16 | + |
| 17 | +In the case of the federate endpoint, it ensures that all selectors passed as matchers to the federate endpoint _must_ contain that exact match of the particular label (and throws away all other matchers for the label). For the two query endpoints, it parses the PromQL expression and modifies all selectors in the same way. The label-key is configured as a flag on the binary and label-value is passed as a query parameter. |
| 18 | + |
| 19 | +For example, if requesting the PromQL query |
| 20 | + |
| 21 | +``` |
| 22 | +http_requests_total{namespace=~"a.*"} |
| 23 | +``` |
| 24 | + |
| 25 | +and specifying the namespace label must be enforced to `b`, then the query will be re-written to |
| 26 | + |
| 27 | + |
| 28 | +``` |
| 29 | +http_requests_total{namespace="b"} |
| 30 | +``` |
| 31 | + |
| 32 | +This is enforced for any case, whether a label matcher is specified in the original query or not. |
| 33 | + |
| 34 | +Once again for clarity: this project only enforces a particular label in the respective calls to Prometheus, it in itself does not authenticate or authorize the requesting entity in any way, this has to be built around this project. |
| 35 | + |
| 36 | +## Example use |
16 | 37 |
|
17 | | -- If the ingestion configuration |
18 | | - [honor_labels](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) |
19 | | - is set for a tenant's target, that target can pollute other tenant's metrics |
20 | | - as Prometheus respects any labels exposed by the target. |
| 38 | +The concrete setup being shipped in OpenShift starting with 4.0: the proxy is configured to work with the label-key: namespace. In order to ensure that this is secure is it paired with the [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) and its URL rewrite functionality, meaning first ServiceAccount token authentication is performed, and then the kube-rbac-proxy authorization to see whether the requesting entity is allowed to retrieve the metrics for the requested namespace. The RBAC role we chose to authorize against is the same as the Kubernetes Resource Metrics API, the reasoning being, if an entity can `kubectl top pod` in a namespace, it can see cAdvisor metrics (container_memory_rss, container_cpu_usage_seconds_total, etc.). |
0 commit comments