Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Julien Pivotto
On 28 Nov 07:27, Bryan Boreham wrote: > I see that kube-rbac-proxy both authenticates the caller and performs an > authorization request to check whether that caller is allowed. > > Given divided opinions, how about a separate library which implements the > feature, and a hook in

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Bryan Boreham
I see that kube-rbac-proxy both authenticates the caller and performs an authorization request to check whether that caller is allowed. Given divided opinions, how about a separate library which implements the feature, and a hook in prometheus/exporter-toolkit so that any similar library can

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Julien Pivotto
On 28 Nov 12:45, Ben Kochie wrote: > Yes, build it in. We don't want to require sidecars for every exporter. I disagree with this, as this sidecar is only required in kubernetes environments. Baking it into the exporter toolkit would be a huge maintenance challenge: - from users - which version

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Jesús Samitier
instead of adding kube-rbac-proxy as a sidecar, integrating with Kubernetes ServiceAccount + RBAC could be done directly using the Kube api. On Mon, Nov 28, 2022 at 12:45 PM Ben Kochie wrote: > Yes, build it in. We don't want to require sidecars for every exporter. > > On Mon, Nov 28, 2022 at

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Ben Kochie
Yes, build it in. We don't want to require sidecars for every exporter. On Mon, Nov 28, 2022 at 12:43 PM Stuart Clark wrote: > On 2022-11-28 11:40, Ben Kochie wrote: > > It depends on if the sidecar is with Prometheus or with the target. > > > > If it's with Prometheus, that's probably just a

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Stuart Clark
On 2022-11-28 11:40, Ben Kochie wrote: It depends on if the sidecar is with Prometheus or with the target. If it's with Prometheus, that's probably just a docs update. If it's with every exporter, that's probably something we would want in the exporter-toolkit. But, my understanding was that

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Ben Kochie
It depends on if the sidecar is with Prometheus or with the target. If it's with Prometheus, that's probably just a docs update. If it's with every exporter, that's probably something we would want in the exporter-toolkit. But, my understanding was that the typical thing here was to use mTLS

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Stuart Clark
On 2022-11-28 11:01, Jesús Samitier wrote: Yeah, maybe add some documentation with example configurations. If it just some docs I don't see any issue? -- Stuart Clark -- You received this message because you are subscribed to the Google Groups "Prometheus Developers" group. To unsubscribe

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Jesús Samitier
Yeah, maybe add some documentation with example configurations. On Mon, Nov 28, 2022 at 11:59 AM Stuart Clark wrote: > On 2022-11-28 10:56, Jesús Samitier wrote: > > Hi > > > > The idea is to integrate kube-rbac-proxy to add an extra (and > > optional) security feature in a new exporter, so the

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Stuart Clark
On 2022-11-28 10:56, Jesús Samitier wrote: Hi The idea is to integrate kube-rbac-proxy to add an extra (and optional) security feature in a new exporter, so the final user can rely on RBAC to assure that only Prometheus can scrape its metrics. This is something you get when you install

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Jesús Samitier
Hi The idea is to integrate kube-rbac-proxy to add an extra (and optional) security feature in a new exporter, so the final user can rely on RBAC to assure that only Prometheus can scrape its metrics. This is something you get when you install Prometheus in K8s using the official helm chart -

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-28 Thread Bryan Boreham
What is meant by "add rbac support to the exporter-toolkit " ? I have been using Kubernetes and Prometheus for many years; I know what RBAC is but cannot immediately see how an exporter would want to write code that references it. Bryan On

Re: [prometheus-developers] rbac support for exporter-toolkit

2022-11-25 Thread Julien Pivotto
I am surprised by this, it looks a huge maintenance burden and potentially would add a lot of disk space to all the exporters that is shared between all if you use a sidecar. We also, as you point out, have many users just not deploying to kube. On 10 Nov 05:44, Jesús Samitier wrote: > Hi, > >

[prometheus-developers] rbac support for exporter-toolkit

2022-11-22 Thread Jesús Samitier
Hi, It was great to see all of you in Munich! After our talk about securing Prometheus in K8s, we received a message in Mastodon suggesting us that it'd be a good idea to add rbac support to the exporter-toolkit . I'm not sure because you don't