It would help if you linked the specific helm chart and issue you filed.
There are a lot of different charts out there maintained by different
people.

But just a guess, you're talking about the prometheus-community/prometheus
chart[0].

IIRC in some configurations the Prometheus server needs access to the proxy
in order to scrape data from the kubelet. I think this may be a legacy mode
of operation, but it used to be the default.

[0]: https://github.com/prometheus-community/helm-charts/blob/0b928f341240c76d8513534035a825686ed28a4b/charts/prometheus/templates/clusterrole.yaml#L23

On Sat, Feb 25, 2023 at 9:36 AM Jesse Simpson <jesse.simp...@camunda.com>
wrote:

> Hey all,
>
> I'm investigating a security vulnerability reported by my company's
> security scanning software. We were scanning a helm chart that we make use
> of that has a prometheus server pod in it.
>
> The threat is that a pod with node/proxy permission is vulnerable to
> privilege escalation.
>
> https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
>
> As part of my investigation, I tried removing this nodes/proxy permission,
> and checked a number of prometheus metrics to see if they report different
> data, or no data when there previously was data.  But so far, I can't see
> any negative side effect to removing the nodes/proxy permission.
>
> I've contacted the developers of the helm chart we scanned, and they
> cannot justify their need for this permission and insist that we do not
> remove it.
>
> Is there a reason you all can think of that this permission might be
> required for prometheus to function?
>
> Thanks,
>
> Jesse
>
> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to prometheus-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-users/29001ead-8ac6-414a-9d0c-76631c253acen%40googlegroups.com
> <https://groups.google.com/d/msgid/prometheus-users/29001ead-8ac6-414a-9d0c-76631c253acen%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

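The reply above points at the one thing that actually determines whether the `nodes/proxy` grant is needed: whether the kubelet scrape jobs are routed through the API server's node proxy (`/api/v1/nodes/<node>/proxy/...`) or hit the kubelet directly. The following is an added example, not code from this thread or from the prometheus-community chart. It checks a ClusterRole's rules against the Prometheus `scrape_configs` and reports whether the grant is used, so a reviewer can answer "can we remove it?" from the configuration rather than by watching metrics disappear. It assumes both inputs have already been parsed (for instance from `kubectl get clusterrole -o json` and `prometheus.yml`) into plain Python structures; every rule, job name and relabeling value below is constructed for illustration, with the legacy job shaped like the classic kubelet-via-API-server-proxy relabeling.

```python
# Added example (not code from this thread or from the prometheus-community chart):
# decide whether a Prometheus ClusterRole's nodes/proxy grant is actually used.
# Assumes the ClusterRole `rules:` block and prometheus.yml `scrape_configs:` have
# already been parsed (e.g. from `kubectl get clusterrole ... -o json`) into plain
# Python structures; all sample data below is constructed for illustration.
import copy
import re

# The API server's node proxy sub-resource path, e.g. /api/v1/nodes/<node>/proxy/metrics.
# A "$1" left in place by relabeling is accepted as the node name.
NODE_PROXY_PATH = re.compile(r"^/api/v1/nodes/[^/]+/proxy(?:/|$)")

# Constructed ClusterRole rules, shaped like a chart's clusterrole.yaml.
CLUSTERROLE_RULES = [
    {"apiGroups": [""],
     "resources": ["nodes", "nodes/proxy", "nodes/metrics", "services", "endpoints", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
]

# Constructed "legacy" jobs: kubelet scrapes routed through the API server proxy.
# This is the mode that needs nodes/proxy.
LEGACY_SCRAPE_CONFIGS = [
    {"job_name": "kubernetes-nodes",
     "kubernetes_sd_configs": [{"role": "node"}],
     "relabel_configs": [
         {"target_label": "__address__", "replacement": "kubernetes.default.svc:443"},
         {"source_labels": ["__meta_kubernetes_node_name"], "regex": "(.+)",
          "target_label": "__metrics_path__",
          "replacement": "/api/v1/nodes/$1/proxy/metrics"}]},
    {"job_name": "kubernetes-nodes-cadvisor",
     "kubernetes_sd_configs": [{"role": "node"}],
     "relabel_configs": [
         {"target_label": "__address__", "replacement": "kubernetes.default.svc:443"},
         {"source_labels": ["__meta_kubernetes_node_name"], "regex": "(.+)",
          "target_label": "__metrics_path__",
          "replacement": "/api/v1/nodes/$1/proxy/metrics/cadvisor"}]},
]

# Constructed "direct" job: scrapes the kubelet on its own port, so the API
# server proxy (and therefore the nodes/proxy grant) is never exercised.
DIRECT_SCRAPE_CONFIGS = [
    {"job_name": "kubernetes-nodes",
     "kubernetes_sd_configs": [{"role": "node"}],
     "relabel_configs": [
         {"source_labels": ["__meta_kubernetes_node_address_InternalIP"], "regex": "(.+)",
          "target_label": "__address__", "replacement": "$1:10250"},
         {"target_label": "__metrics_path__", "replacement": "/metrics/cadvisor"}]},
]


def jobs_using_node_proxy(scrape_configs):
    """Names of jobs whose relabeling points __metrics_path__ at the node proxy."""
    hits = []
    for job in scrape_configs:
        for rule in job.get("relabel_configs", []):
            if (rule.get("target_label") == "__metrics_path__"
                    and NODE_PROXY_PATH.match(rule.get("replacement", ""))):
                hits.append(job["job_name"])
                break
    return hits


def node_proxy_verbs(rules):
    """Verbs these rules grant on nodes/proxy in the core API group."""
    verbs = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if ("" in groups or "*" in groups) and ("nodes/proxy" in resources or "*" in resources):
            verbs.update(rule.get("verbs", []))
    return verbs


def without_node_proxy(rules):
    """Copy of the rules with nodes/proxy dropped; other resources are untouched."""
    tightened = copy.deepcopy(rules)
    for rule in tightened:
        if "resources" in rule:
            rule["resources"] = [r for r in rule["resources"] if r != "nodes/proxy"]
    # Drop any rule left with nothing to grant.
    return [r for r in tightened if r.get("resources") or r.get("nonResourceURLs")]


def audit(rules, scrape_configs):
    """Classify the grant as 'unused', 'required', 'missing' or 'absent'."""
    granted = bool(node_proxy_verbs(rules) & {"get", "*"})
    users = jobs_using_node_proxy(scrape_configs)
    if granted and not users:
        return "unused"    # no job goes through the proxy: the grant can be removed
    if granted:
        return "required"  # legacy proxied kubelet scrapes depend on it
    if users:
        return "missing"   # the proxied jobs would be forbidden by RBAC
    return "absent"


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_SCRAPE_CONFIGS), ("direct", DIRECT_SCRAPE_CONFIGS)):
        print(name, audit(CLUSTERROLE_RULES, cfg), jobs_using_node_proxy(cfg))
    print("tightened:", audit(without_node_proxy(CLUSTERROLE_RULES), DIRECT_SCRAPE_CONFIGS))
```

With the legacy jobs the audit reports `required`, which is the situation the reply describes; with the direct jobs it reports `unused`, which is the situation the original poster observed when removing the permission had no visible effect. The check only inspects the rules of the one ClusterRole it is given, so roles reached through aggregation or additional bindings to the same ServiceAccount have to be audited separately; the `nodes/metrics` resource, which direct kubelet scraping relies on for authorization, is deliberately left in place by `without_node_proxy`.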