On 28 Nov 07:27, Bryan Boreham wrote:
> I see that kube-rbac-proxy both authenticates the caller and performs an 
> authorization request to check whether that caller is allowed.
> 
> Given divided opinions, how about a separate library which implements the 
> feature, and a hook in prometheus/exporter-toolkit so that any similar 
> library can be added at the choice of the exporter.

It looks like this could then be added to the kube-rbac-proxy, but in
general if official exporters do not use it, it does not make sense to
have it on the exporter toolkit.

> 
> Bryan
> 
> 
> On Monday, 28 November 2022 at 12:53:08 UTC Julien Pivotto wrote:
> 
> > On 28 Nov 12:45, Ben Kochie wrote:
> > > Yes, build it in. We don't want to require sidecars for every exporter.
> >
> > I disagree with this, as this sidecar is only required in Kubernetes
> > environments. Baking it into the exporter toolkit would be a huge
> > maintenance challenge:
> > - from users - which version of the exporter matches my kube version?
> > (it includes k8s libraries)
> > - from admins - every exporter is larger now
> > - from maintainers - everyone would have to keep the toolkit up to date
> > to match k8s versions and fix potentially critical bugs
> >
> > On the contrary, I find the sidecar pattern great here - first, this is
> > designed exclusively for kube. Second, the same code only needs to be
> > downloaded once per machine, even if you have 10 containers. Then, you
> > manage the version and the config as you wish. You do not depend on your
> > exporter to include the rbac proxy that you need or have a mix of those
> > versions included.
> >
> > > 
> > > On Mon, Nov 28, 2022 at 12:43 PM Stuart Clark <stuart...@jahingo.com>
> > > wrote:
> > > 
> > > > On 2022-11-28 11:40, Ben Kochie wrote:
> > > > > It depends on if the sidecar is with Prometheus or with the target.
> > > > >
> > > > > If it's with Prometheus, that's probably just a docs update.
> > > > >
> > > > > If it's with every exporter, that's probably something we would want
> > > > > in the exporter-toolkit.
> > > > >
> > > > > But, my understanding was that the typical thing here was to use mTLS
> > > > > for securing and authorizing Prometheus.
> > > > >
> > > > > If it's something we need to integrate into every exporter to do some
> > > > > kind of token auth, we might want to consider this.
> > > > >
> > > >
> > > > Do you mean building in the functionality directly into the exporter
> > > > instead of using a sidecar?
> > > >
> > > > --
> > > > Stuart Clark
> > > >
> > > 
> > > -- 
> > > You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-devel...@googlegroups.com.
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/CABbyFmrmeBX5fxbiPzDV%2BYpePy4UqYz%3DQsHJRwtPkob%2BGZ_w5Q%40mail.gmail.com.
> >
> > -- 
> > Julien Pivotto
> > @roidelapluie
> >
> 


-- 
Julien Pivotto
@roidelapluie
