From 8a4e64045483d2209702077487dcc205f55ba35d Mon Sep 17 00:00:00 2001 From: Greg Smith <65406958+gsmith-sas@users.noreply.github.com> Date: Tue, 8 Oct 2024 13:50:41 -0400 Subject: [PATCH] [SECURITY] Disable KSM Metrics related to K8s Secret resources (#684) Signed-off-by: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> --- CHANGELOG.md | 2 ++ monitoring/values-prom-operator.yaml | 36 ++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d72cebaa..5f00ad88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ## Unreleased * **Metrics** + * [SECURITY] Metrics (collected by Kube State Metrics) related to Kubernetes Secret have been disabled +to eliminate the need to grant `list` permission (for Secret resources) to the KSM ClusterRole (see PR#684) * [CHANGE] The `create_logging_datasource.sh` script now uses the OpenSearch datasource plugin rather the Elasticsearch datasource plugin when creating the **ViyaLogs** datasource in Grafana. The plugin is downloaded and installed if it is not already in place. diff --git a/monitoring/values-prom-operator.yaml b/monitoring/values-prom-operator.yaml index c623a589..3ffaa9bf 100644 --- a/monitoring/values-prom-operator.yaml +++ b/monitoring/values-prom-operator.yaml @@ -83,6 +83,42 @@ kube-state-metrics: extraArgs: - --metric-labels-allowlist=nodes=[*],namespaces=[*],pods=[*],deployments=[*],statefulsets=[*],daemonsets=[*],jobs=[*] + # Available collectors for kube-state-metrics. + # By default, all available resources are enabled, comment out to disable. + collectors: + - certificatesigningrequests + - configmaps + - cronjobs + - daemonsets + - deployments + - endpoints + - horizontalpodautoscalers + - ingresses + - jobs + - leases + - limitranges + - mutatingwebhookconfigurations + - namespaces + - networkpolicies + - nodes + - persistentvolumeclaims + - persistentvolumes + - poddisruptionbudgets + - pods + - replicasets + - replicationcontrollers + - resourcequotas + ## Metrics on Secrets disabled to + ## eliminate need for granting + ## 'list' permission to ClusterRole + #- secrets + - services + - statefulsets + - storageclasses + - validatingwebhookconfigurations + - volumeattachments + + # ========== # Prometheus # ==========