Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[nginx] Metrics of the defaultbackend #1733

Closed
amalucelli opened this issue Nov 20, 2017 · 11 comments · Fixed by #3125
Closed

[nginx] Metrics of the defaultbackend #1733

amalucelli opened this issue Nov 20, 2017 · 11 comments · Fixed by #3125
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments

@amalucelli
Copy link

I'm working with nginx controller and using for the default-backend-service the gcr.io/google_containers/defaultbackend:1.4 image, and I verified that when I make a request to defaultbackend/metrics by my external load balancer or directly into the container, I get a several metrics that I don't think that should be visible to the internet.

» kubectl port-forward -n ingress-nginx nginx-default-backend-702016294-63mrp 8080:8080
Forwarding from 127.0.0.1:8080 -> 8080
Handling connection for 8080

» curl localhost:8080/metrics
# HELP default_http_backend_http_request_count_total Counter of HTTP requests made.
# TYPE default_http_backend_http_request_count_total counter
default_http_backend_http_request_count_total{proto="1.1"} 5
# HELP default_http_backend_http_request_duration_milliseconds Histogram of the time (in milliseconds) each request took.
# TYPE default_http_backend_http_request_duration_milliseconds histogram
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.001"} 0
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.003"} 0
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.005"} 3
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.01"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.025"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.05"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.1"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.25"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="0.5"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="1"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="2.5"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="5"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="10"} 5
default_http_backend_http_request_duration_milliseconds_bucket{proto="1.1",le="+Inf"} 5
default_http_backend_http_request_duration_milliseconds_sum{proto="1.1"} 0.024166
default_http_backend_http_request_duration_milliseconds_count{proto="1.1"} 5
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary

I found that this is hardcoded in the defaultbackend image, and can't be disabled by a configuration.

ingress-nginx/images/404-server/server.go

Line 62 in adfbc8c

http.Handle("/metrics", promhttp.Handler())

Is this the default and expected behavior?

It would be nice if in the defaultbackend image the /healthz and /metrics paths could be also be exposed in a different port, like the nginx-ingress-controller image.
@aledbf aledbf added enhancement help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Nov 20, 2017
@aledbf
Copy link
Member

aledbf commented Nov 20, 2017

@amalucelli thank you for the report. We will add two flags to enable this features.

@lblackstone
Copy link

As a workaround for now, you can mask the /metrics endpoint with an Ingress rule so that metrics aren't exposed publicly.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example
spec:
  rules:
  - http:
      paths:
      - path: /metrics
        backend:
          serviceName: default-http-backend
          servicePort: 80

@noqcks
Copy link
Contributor

noqcks commented Jan 20, 2018

@aledbf what was your plan for supporting this? I have some free time.

I think hiding it behind port 10254 is a nice solution.

@aledbf
Copy link
Member

aledbf commented Jan 20, 2018

I think hiding it behind port 10254 is a nice solution.

Exactly that :)
Please submit a PR if you have time to change this.

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 20, 2018
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 20, 2018
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed enhancement labels Jun 5, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@jonpulsifer
Copy link
Contributor

/reopen
/remove-lifecycle rotten

@k8s-ci-robot
Copy link
Contributor

@jonpulsifer: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen
/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Sep 24, 2018
@aledbf aledbf reopened this Sep 24, 2018
@jonpulsifer jonpulsifer mentioned this issue Sep 25, 2018
Merged
@aledbf
Copy link
Member

aledbf commented Sep 25, 2018

Closing. For those interested in such metrics, the PR #3125 contains the required changes. This just requires a custom image.

@aledbf aledbf closed this as completed Sep 25, 2018
@m4xx101
Copy link

m4xx101 commented Dec 1, 2019

What could be the security impacte of this??

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[404-server] Conceal /metrics and /healthz behind port 10254
8 participants
@aledbf @noqcks @jonpulsifer @lblackstone @amalucelli @k8s-ci-robot @fejta-bot @m4xx101