Hey all,

I'm investigating a security vulnerability reported by my company's 
security scanning software.  We were scanning a Helm chart that we make use 
of, which has a Prometheus server pod in it.

The threat is that a pod with the nodes/proxy permission is vulnerable to 
privilege escalation.

https://blog.aquasec.com/privilege-escalation-kubernetes-rbac

As part of my investigation, I tried removing this nodes/proxy permission 
and checked a number of Prometheus metrics to see if they report different 
data, or no data where there previously was data.  But so far, I can't see 
any negative side effect of removing the nodes/proxy permission.

I've contacted the developers of the helm chart we scanned, and they cannot 
justify their need for this permission and insist that we do not remove it.

Is there a reason you all can think of that this permission might be 
required for prometheus to function?

Thanks,

Jesse

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/29001ead-8ac6-414a-9d0c-76631c253acen%40googlegroups.com.
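One concrete place to look when answering a question like this: the stock Prometheus Helm chart's `kubernetes-nodes` and `kubernetes-nodes-cadvisor` scrape jobs rewrite `__metrics_path__` to `/api/v1/nodes/<node>/proxy/metrics` (and `.../proxy/metrics/cadvisor`) and send the request to `kubernetes.default.svc`, so the API server authorizes each scrape as a `get` on the `nodes/proxy` subresource. If a chart's rendered config still uses that path, dropping `nodes/proxy` from the ClusterRole makes those targets go DOWN with an HTTP 403 on the Targets page, even though pod and service scrapes (which go straight to pod IPs) keep working. The script below is an added example, not code from the original post or from the chart in question; the scrape config and ClusterRole rules in it are constructed to mirror that shape, and the function names (`jobs_using_node_proxy`, `rule_grants`, `drop_resource`, `audit`) are illustrative. It flags scrape jobs that route through the node proxy and reports whether a given set of RBAC rules still authorizes them after the permission is removed.

```python
import re

# Constructed sample scrape config (assumption: shaped like the Helm-rendered
# kubernetes-nodes / kubernetes-nodes-cadvisor / kubernetes-pods jobs).
SCRAPE_CONFIGS = [
    {
        "job_name": "kubernetes-nodes",
        "scheme": "https",
        "kubernetes_sd_configs": [{"role": "node"}],
        "relabel_configs": [
            {"action": "labelmap", "regex": "__meta_kubernetes_node_label_(.+)"},
            {"target_label": "__address__", "replacement": "kubernetes.default.svc:443"},
            {"source_labels": ["__meta_kubernetes_node_name"], "regex": "(.+)",
             "target_label": "__metrics_path__",
             "replacement": "/api/v1/nodes/$1/proxy/metrics"},
        ],
    },
    {
        "job_name": "kubernetes-nodes-cadvisor",
        "scheme": "https",
        "kubernetes_sd_configs": [{"role": "node"}],
        "relabel_configs": [
            {"target_label": "__address__", "replacement": "kubernetes.default.svc:443"},
            {"source_labels": ["__meta_kubernetes_node_name"], "regex": "(.+)",
             "target_label": "__metrics_path__",
             "replacement": "/api/v1/nodes/$1/proxy/metrics/cadvisor"},
        ],
    },
    {
        # Pod scrapes hit the pod IP directly; no API server proxy involved.
        "job_name": "kubernetes-pods",
        "kubernetes_sd_configs": [{"role": "pod"}],
        "relabel_configs": [
            {"source_labels": ["__meta_kubernetes_pod_annotation_prometheus_io_path"],
             "regex": "(.+)", "target_label": "__metrics_path__"},
        ],
    },
]

# Constructed ClusterRole rules (assumption: typical Prometheus server role).
CLUSTER_ROLE_RULES = [
    {"apiGroups": [""],
     "resources": ["nodes", "nodes/proxy", "services", "endpoints", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
]

# Matches the API server's kubelet proxy path; "$1" is the relabel placeholder.
NODE_PROXY_PATH = re.compile(r"^/api/v1/nodes/[^/]+/proxy(/|$)")


def jobs_using_node_proxy(scrape_configs):
    """Names of jobs whose metrics path is served via /api/v1/nodes/<n>/proxy."""
    hits = []
    for job in scrape_configs:
        paths = [job.get("metrics_path", "")]
        paths += [rc.get("replacement", "") for rc in job.get("relabel_configs", [])
                  if rc.get("target_label") == "__metrics_path__"]
        if any(NODE_PROXY_PATH.match(p) for p in paths):
            hits.append(job["job_name"])
    return hits


def rule_grants(rules, resource, verb, api_group=""):
    """True if any RBAC rule allows `verb` on `resource` in `api_group`."""
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if (api_group in groups or "*" in groups) \
                and (resource in resources or "*" in resources) \
                and (verb in verbs or "*" in verbs):
            return True
    return False


def drop_resource(rules, resource):
    """Copy of `rules` with one resource removed (what the poster tried)."""
    out = []
    for rule in rules:
        new = dict(rule)
        if "resources" in new:
            new["resources"] = [r for r in new["resources"] if r != resource]
            if not new["resources"]:
                continue  # rule would grant nothing; drop it entirely
        out.append(new)
    return out


def audit(scrape_configs, rules):
    """Jobs that need nodes/proxy `get` but are not granted it by `rules`."""
    needed = jobs_using_node_proxy(scrape_configs)
    if rule_grants(rules, "nodes/proxy", "get"):
        return []
    return needed


if __name__ == "__main__":
    trimmed = drop_resource(CLUSTER_ROLE_RULES, "nodes/proxy")
    print("jobs via node proxy:", jobs_using_node_proxy(SCRAPE_CONFIGS))
    print("broken after removal:", audit(SCRAPE_CONFIGS, trimmed))
```

Run it against the real rendered config with `helm template <release> <chart> | ...` and feed the `scrape_configs` and ClusterRole `rules` sections in; the live equivalent of `rule_grants` is `kubectl auth can-i get nodes/proxy --as=system:serviceaccount:<ns>:<sa>`. One caveat: if the chart instead scrapes the kubelet directly on port 10250, the kubelet's webhook authorizer checks the `nodes/metrics` subresource for `/metrics` paths rather than `nodes/proxy`, so this script would correctly report no dependency on `nodes/proxy` for that layout.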
