[SECURITY] Disable KSM Metrics related to K8s Secret resources (#684)
Signed-off-by: gsmith-sas <[email protected]>
gsmith-sas authored Oct 8, 2024
1 parent 83d05de commit 8a4e640
Showing 2 changed files with 38 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,8 @@

## Unreleased
* **Metrics**
* [SECURITY] Metrics (collected by Kube State Metrics) related to Kubernetes Secret have been disabled
to eliminate the need to grant `list` permission (for Secret resources) to the KSM ClusterRole (see PR#684)
* [CHANGE] The `create_logging_datasource.sh` script now uses the OpenSearch datasource plugin
rather the Elasticsearch datasource plugin when creating the **ViyaLogs** datasource in Grafana.
The plugin is downloaded and installed if it is not already in place.
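Review bot: The new [SECURITY] entry under **Metrics** does not tell users what they lose on upgrade: once the Secret metrics are disabled, any dashboard panel or alert rule that queries them will silently return no data. Suggest naming the affected metrics in the entry and stating how a site that needs them can turn the collector back on (and that doing so brings back the `list` permission on Secrets). Minor wording: "related to Kubernetes Secret have been disabled" reads better as "related to Kubernetes Secret resources", matching the parenthetical on the following line.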
36 changes: 36 additions & 0 deletions monitoring/values-prom-operator.yaml
Expand Up @@ -83,6 +83,42 @@ kube-state-metrics:
extraArgs:
- --metric-labels-allowlist=nodes=[*],namespaces=[*],pods=[*],deployments=[*],statefulsets=[*],daemonsets=[*],jobs=[*]

# Available collectors for kube-state-metrics.
# By default, all available resources are enabled, comment out to disable.
collectors:
- certificatesigningrequests
- configmaps
- cronjobs
- daemonsets
- deployments
- endpoints
- horizontalpodautoscalers
- ingresses
- jobs
- leases
- limitranges
- mutatingwebhookconfigurations
- namespaces
- networkpolicies
- nodes
- persistentvolumeclaims
- persistentvolumes
- poddisruptionbudgets
- pods
- replicasets
- replicationcontrollers
- resourcequotas
## Metrics on Secrets disabled to
## eliminate need for granting
## 'list' permission to ClusterRole
#- secrets
- services
- statefulsets
- storageclasses
- validatingwebhookconfigurations
- volumeattachments


# ==========
# Prometheus
# ==========
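Review bot: Nothing in this hunk touches the ClusterRole itself; commenting out `#- secrets` under `collectors:` only removes the `list` permission if the chart renders its RBAC rules from that list, so the security claim in the commit title rests on behaviour that is not visible here. Suggest confirming against the rendered templates that the ClusterRole no longer carries a `secrets` rule, and saying so in the comment above `#- secrets`. Two related points on the same block: the copied header comment "By default, all available resources are enabled" no longer describes this file, because an explicit list pins the set and collectors added in later chart versions will not be picked up until they are added here; and since Helm replaces list values rather than merging them, a user values file that sets its own `collectors:` will override this list and can re-enable `secrets` without noticing. A short note in the comment covering both would help.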