k8spin / prometheus-multi-tenant-proxy
Prometheus multi-tenant proxy. Needed to deploy Prometheus in a multi-tenant way.
License: GNU General Public License v3.0
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
build/package/Dockerfile
  golang 1.20.5-bookworm

.github/workflows/branch.yml
  actions/setup-go v4
  docker/setup-qemu-action v2
  docker/setup-buildx-action v2
  docker/login-action v2
  docker/build-push-action v4
  stefanprodan/helm-gh-pages v1.7.0
  ubuntu 22.04

.github/workflows/release.yml
  actions/setup-go v4
  docker/setup-qemu-action v2
  docker/setup-buildx-action v2
  docker/login-action v2
  docker/build-push-action v4
  actions/create-release v1
  actions/upload-release-asset v1
  actions/upload-release-asset v1
  stefanprodan/helm-gh-pages v1.7.0
  ubuntu 22.04

go.mod
  go 1.20
  github.com/MicahParks/keyfunc/v2 v2.1.0
  github.com/aws/aws-sdk-go v1.51.2
  github.com/golang-jwt/jwt/v5 v5.2.0
  github.com/prometheus-community/prom-label-proxy v0.8.0
  github.com/prometheus/prometheus v0.48.1
  github.com/urfave/cli/v2 v2.27.1
  gopkg.in/yaml.v3 v3.0.1

deployments/kubernetes/helm/prometheus-multi-tenant-proxy/values.yaml
This project doesn't provide a way to install it with Helm; it's worth trying to create a Helm chart and host it on GitHub Pages.
Hello World!
I want to post this issue/feature-request to see if anyone out there can help us improve this proxy.
As you probably know, this is a reverse proxy that auto-injects some query params into a set of URIs. It also checks basic auth on all the endpoints.
We need to skip the auth checks on the following endpoints:
- GET /-/healthy: https://prometheus.io/docs/prometheus/latest/management_api/#health-check
- GET /-/ready: https://prometheus.io/docs/prometheus/latest/management_api/#readiness-check
With this change, we can add to the Kubernetes deployment a basic health check based on the upstream server's response.
Thanks!
@derlin introduced a new configuration parameter (for AWS signing) in the latest release. It can be configured either by an environment variable or by a flag on the CLI.
It would be nice to have the other parameters to be configurable by environment variables.
It must have the same prefix @derlin used for the aws signing feature.
Thanks!
Currently, the proxy only adds a filter for the namespace label, which is well suited to filtering by k8s namespaces. This issue is about adding support for additional/customizable filters on top of, or instead of, namespaces.
We would like to restrict access to metrics at (for example) the application level instead of the namespace level.
In this case, the configuration could look like this:
- username: Different labels
  password: NamespacesWithoutAppName
  labels:
    namespace: default
    app_name: poll-demo-app
Hi,
I use this to deploy on k8s, but I think some args like --reload-interval=5 were removed. I removed this arg, but my pod is not getting ready. With v1.4.0 everything works as expected.
Please help me
Thank you
As hinted in reverse_test.go, Prometheus exposes other endpoints than just the ones for querying: status, alerts, etc. With the current implementation, as long as you have valid authentication, you are able to query any of those without issues, which could leak very sensitive information.
I would propose to add a whitelist feature: the ability to restrict access to only specific API endpoints.
The whitelist could be set by default to /series, /query and /query_range, as they are the ones we inject labels into.
The whitelist should however be configurable, as we do with the unprotected endpoints.
What do you think?
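The two requests on this page, health endpoints that must bypass authentication so Kubernetes probes work, and a whitelist of the API paths an authenticated tenant may reach, are both per-path decisions made before a request is forwarded. The handler below is an added example written for this page in Go, not code from the project: it forwards /-/healthy and /-/ready with no credentials, demands basic auth for everything else, and then forwards only the three paths where labels get injected, refusing status, alerts, targets and the rest with 403. The user table, realm string, stub upstream and the Probe helper are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httptest"
	"path"
)

// users stands in for the proxy's configured credentials (constructed
// for this example; a real loader would read them from the config file).
var users = map[string]string{"tenant-a": "s3cret"}

// unprotected paths are forwarded without credentials so that kubelet
// liveness/readiness probes see the upstream's own health answer.
var unprotected = map[string]bool{
	"/-/healthy": true,
	"/-/ready":   true,
}

// allowed lists the only authenticated API paths a tenant may reach: the
// ones where label matchers are injected. Anything else on the upstream
// (status, alerts, targets, config, admin) is refused.
var allowed = map[string]bool{
	"/api/v1/query":       true,
	"/api/v1/query_range": true,
	"/api/v1/series":      true,
}

// checkBasicAuth returns the authenticated username, or false.
func checkBasicAuth(r *http.Request) (string, bool) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return "", false
	}
	want, exists := users[user]
	// Constant-time compare so a correct prefix does not finish faster.
	if !exists || subtle.ConstantTimeCompare([]byte(pass), []byte(want)) != 1 {
		return "", false
	}
	return user, true
}

// Gate wraps the upstream handler with the three decisions:
// unprotected path -> forward; no valid credentials -> 401;
// authenticated but path not whitelisted -> 403.
func Gate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Normalise before matching so "/api/v1/query/../status" is judged
		// as "/api/v1/status", and forward the normalised path (dropping any
		// RawPath) so the upstream sees exactly what was checked.
		p := path.Clean("/" + r.URL.Path)
		r.URL.Path, r.URL.RawPath = p, ""

		if unprotected[p] {
			next.ServeHTTP(w, r)
			return
		}
		if _, ok := checkBasicAuth(r); !ok {
			w.Header().Set("WWW-Authenticate", `Basic realm="prometheus-multi-tenant-proxy"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !allowed[p] {
			http.Error(w, "endpoint not exposed by the proxy", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe runs one GET through Gate against a stub upstream that always
// answers 200 and returns the status code the client would see.
func Probe(target, user, pass string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	Gate(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Stand-alone run with a stub upstream; in a deployment the stub would
	// be an httputil.ReverseProxy pointing at Prometheus.
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("upstream ok\n"))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Gate(stub)))
}
```

The order of the checks is the security-relevant part: the path is cleaned once and the cleaned form is both matched and forwarded, so there is no gap between what the proxy judged and what the upstream serves. Unknown paths get 403 after authentication rather than 404, which keeps whitelist refusals visible in access logs. Probe exists so a change like this can ship with table-driven tests covering health, missing credentials, wrong credentials, a whitelisted path and a traversal attempt.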
Label support was added in #58 with a warning in the README:
(It could lead to a security issue if the proxy is not configured to use namespaces or labels)
I am wondering if it wouldn't be better to actually check that either labels or namespaces exist during authentication? Except if having users without proxying is a feature we want to support?
If we go with that, I hesitate about where this check should happen. My two propositions:
In the auth.go::AuthHandler function: if !authorized || (len(namespaces) == 0 && len(labels) == 0)
Currently, the proxy only supports basic auth with a fixed configuration for namespaces; this issue's goal is to add support for JWT-based authentication, including fetching the namespace(s) (and/or other filters, see #51 ) from the token itself.
The use case is to offload the decision of which namespaces a request has access to to a different service, and thus let the proxy be fully dynamic and not need any configuration about the content of the Prometheus cluster.
Ideally, support for a fast asymmetric signature algorithm (e.g. EdDSA with Ed25519 and SHA-512) that avoids sharing the private key with the proxy would be provided.
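What the asymmetric scheme above buys is that the proxy only ever holds a public key: the service that decides namespace access signs with an Ed25519 private key, and the proxy verifies and reads the namespaces out of a claim. The code below is an added example written for this page using only the Go standard library, not the project's authentication code. The claim name namespaces, the Claims shape and the error strings are assumptions of this example; a production implementation would normally use a JOSE library with key lookup (the project's go.mod lists golang-jwt/jwt and MicahParks/keyfunc, which cover that) rather than hand-rolled JWS parsing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by the token. "namespaces" is an assumed claim name for
// this example; the project would have to define the real one.
type Claims struct {
	Sub        string   `json:"sub"`
	Exp        int64    `json:"exp"`
	Namespaces []string `json:"namespaces"`
}

var b64 = base64.RawURLEncoding

// Sign produces a compact JWS with alg=EdDSA. Ed25519 hashes the signing
// input with SHA-512 internally, so there is no separate digest step.
// Only the token issuer holds priv; the proxy is given the public key.
func Sign(priv ed25519.PrivateKey, c Claims) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks a token against the issuer's public key and returns its
// claims. It pins the algorithm (no "none", no key-type confusion), verifies
// the signature over the exact bytes received before trusting the payload,
// checks expiry against the caller's clock, and refuses a token that grants
// no namespaces so an authenticated request can never be proxied unfiltered.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Claims{}, errors.New("bad signature encoding")
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, errors.New("bad payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired or has no exp")
	}
	if len(c.Namespaces) == 0 {
		return Claims{}, errors.New("token grants no namespaces")
	}
	return c, nil
}

func main() {
	// Stand-alone demo: issuer side generates the key pair and signs;
	// proxy side verifies with the public key only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := Sign(priv, Claims{Sub: "tenant-a", Exp: now.Add(time.Minute).Unix(),
		Namespaces: []string{"team-a", "team-b"}})
	c, err := Verify(pub, tok, now)
	fmt.Println(c.Namespaces, err)
}
```

Two details carry most of the weight: the alg check happens before anything else is trusted, so a forged header with "none" or an HMAC algorithm is refused without ever reaching the signature step, and the payload is only decoded after the signature over the raw header.payload bytes has passed, so a tampered namespaces list is rejected by the signature rather than by any later logic.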
Hi,
How can I have multiple namespaces for each user in the config?
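Three threads on this page, custom labels on top of or instead of namespace, refusing a user configured with neither namespaces nor labels, and several namespaces per user, all come down to the same step: turning one users entry into the set of label matchers enforced on every query. The Go below is an added example for this page, not the project's config loader or any reply in the thread: it validates each entry at load time (the AuthHandler check proposed above, moved earlier so a bad config is refused at startup) and builds the matchers, folding several namespaces into one anchored regex matcher. The User struct, function names and sample entries are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// User mirrors one entry of the proxy's users list as shown on this page
// (username, password, namespaces, labels). The field names are this
// example's own, not the project's types.
type User struct {
	Username   string
	Password   string
	Namespaces []string
	Labels     map[string]string
}

// Prometheus label names must match this; anything else in a config file
// is a typo or an attempt to smuggle matcher syntax through a label key.
var labelNameRE = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)

// Validate rejects an entry that would be proxied unfiltered, i.e. the
// "!authorized || (no namespaces && no labels)" check applied at load time.
func Validate(u User) error {
	if u.Username == "" || u.Password == "" {
		return errors.New("username and password are required")
	}
	if len(u.Namespaces) == 0 && len(u.Labels) == 0 {
		return fmt.Errorf("user %q has neither namespaces nor labels: every query would be unfiltered", u.Username)
	}
	for _, ns := range u.Namespaces {
		if ns == "" {
			return fmt.Errorf("user %q: empty namespace", u.Username)
		}
	}
	for name, value := range u.Labels {
		if !labelNameRE.MatchString(name) {
			return fmt.Errorf("user %q: invalid label name %q", u.Username, name)
		}
		if value == "" {
			return fmt.Errorf("user %q: empty value for label %q", u.Username, name)
		}
	}
	return nil
}

// quoteValue escapes a value for a double-quoted PromQL string literal.
func quoteValue(v string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace(v)
}

// Matchers returns the label matchers enforced on every query for u. One
// namespace becomes an exact matcher; several become one regex matcher
// (Prometheus anchors regex matchers fully) with each name passed through
// regexp.QuoteMeta so "team-a.b" cannot also match "team-axb".
func Matchers(u User) []string {
	var out []string
	switch len(u.Namespaces) {
	case 0:
	case 1:
		out = append(out, fmt.Sprintf(`namespace="%s"`, quoteValue(u.Namespaces[0])))
	default:
		parts := make([]string, len(u.Namespaces))
		for i, ns := range u.Namespaces {
			parts[i] = regexp.QuoteMeta(ns)
		}
		out = append(out, fmt.Sprintf(`namespace=~"%s"`, quoteValue(strings.Join(parts, "|"))))
	}
	names := make([]string, 0, len(u.Labels))
	for name := range u.Labels {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic order for logs and tests
	for _, name := range names {
		out = append(out, fmt.Sprintf(`%s="%s"`, name, quoteValue(u.Labels[name])))
	}
	return out
}

// LoadUsers validates every entry and returns username -> matchers,
// refusing the whole config on the first bad or duplicate entry.
func LoadUsers(users []User) (map[string][]string, error) {
	out := make(map[string][]string, len(users))
	for _, u := range users {
		if err := Validate(u); err != nil {
			return nil, err
		}
		if _, dup := out[u.Username]; dup {
			return nil, fmt.Errorf("duplicate user %q", u.Username)
		}
		out[u.Username] = Matchers(u)
	}
	return out, nil
}

func main() {
	// Constructed sample entries: one with a label filter, one with two
	// namespaces, and one that must be refused.
	good := []User{
		{Username: "app-user", Password: "pw", Namespaces: []string{"default"},
			Labels: map[string]string{"app_name": "poll-demo-app"}},
		{Username: "multi-ns", Password: "pw", Namespaces: []string{"team-a", "team-b"}},
	}
	fmt.Println(LoadUsers(good))
	fmt.Println(LoadUsers(append(good, User{Username: "unfiltered", Password: "pw"})))
}
```

Injecting the resulting matchers into the PromQL itself is what prom-label-proxy (already in go.mod) does; this block stops at producing them. Escaping has to happen at both layers: regexp.QuoteMeta for the regex, so a namespace containing "." or "|" cannot widen the match, and quoteValue for the string literal, so a quote or backslash in a configured value cannot break out of the matcher.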