Hi Harsh,

In short: Only monitoring metrics, no business data. Your approach is
reasonable IF you maintain network-level isolation.

In a little more detail: there is no explicit statement in
the doc that only metadata and numeric metrics are exposed, never actual
records.
The MetricQueryService [1] implementation, however, is a good starting point
that gives more information about what it exposes:

1. Counters - Numeric counters (e.g., numRecordsIn, numRecordsOut,
numBytesIn)
2. Gauges - Point-in-time measurements (e.g., JVM memory, heap usage,
uptime, watermarks)
3. Histograms - Statistical distributions (e.g., latency percentiles)
4. Meters - Rate measurements (e.g., records per second)

Please be aware that this port does not have authentication enabled by
default. Anyone who can reach it can query metrics.
So it's advised to either put it into Istio's exclude ports list or enable
mutual TLS via the security.ssl.internal.* configs.

Hope this helps!

BR,
G

[1]
https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/metrics/dump/MetricQueryService.java


On Wed, Feb 4, 2026 at 10:05 AM Harsh Koshta <[email protected]> wrote:

> Hi Flink Community,
> We are deploying Flink on Kubernetes (standalone) with Istio service mesh
> and encountered an issue where the *Flink UI shows "Loading..."
> indefinitely* instead of displaying metrics data.
> *Root Cause:* After investigation, we found that Istio was blocking
> connections because Flink allocates the
> metrics.internal.query-service.port dynamically by default.
> *Our Solution:* We resolved this by:
>
>    1. Setting a static port: metrics.internal.query-service.port: 50009 #
>    to make it static
>    2. Configuring Istio to exclude/bypass this port from the service mesh
>    # on port 50009
>
> This fixed the issue, and the Flink UI now displays metrics correctly.
> *Security Question:* From our understanding,
> metrics.internal.query-service.port is used to expose metrics internally
> from TaskManagers to the JobManager (via the REST API that powers the Flink
> UI).
> *Before we deploy this to production, we need confirmation from a security
> perspective:*
> *Does this port expose ONLY metrics (JVM stats, checkpoint info, counters,
> etc.), or could it potentially expose actual processing data (the
> records/events being processed by tasks) either directly or indirectly?*
> *We want to ensure that excluding this port from Istio doesn't create a
> security risk by inadvertently exposing business data flowing through Flink
> tasks.*
> *Other Information:*
>
>    - Flink version: 1.19.1
>    - Deployment: standalone
>    - Our understanding is that this port serves the internal metrics
>    query service for monitoring purposes only
>
> Any clarification or documentation references would be greatly appreciated!
> Thank you!
> Harsh
>
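
As an added example (not part of the thread and not Flink project code), a small Python check over a flat flink-conf.yaml that flags the conditions discussed above: a dynamic query-service port, internal SSL enabled without its keystore/truststore settings, and a port excluded from the mesh while internal SSL is off. The sample configs, the file paths in them and the `mesh_excluded_ports` parameter are constructed for illustration.

```python
import re

# Constructed sample configs (flat "key: value" style of flink-conf.yaml).
EXCLUDED_FROM_MESH = """\
metrics.internal.query-service.port: 50009
"""
MTLS_ENABLED = """\
metrics.internal.query-service.port: 50009
security.ssl.internal.enabled: true
security.ssl.internal.keystore: /path/to/internal.keystore
security.ssl.internal.keystore-password: <placeholder>
security.ssl.internal.key-password: <placeholder>
security.ssl.internal.truststore: /path/to/internal.truststore
security.ssl.internal.truststore-password: <placeholder>
"""
SSL_KEYS = ("keystore", "keystore-password", "key-password",
            "truststore", "truststore-password")

def parse_flat_conf(text):
    """Parse flat 'key: value' lines; drop blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = re.sub(r"\s+#.*$", "", line).strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text, mesh_excluded_ports=()):
    """Return findings for the metric query port; an empty list means OK."""
    conf = parse_flat_conf(text)
    findings = []
    port = conf.get("metrics.internal.query-service.port", "0")
    if port == "0":
        findings.append("query-service port is dynamic (default 0)")
    ssl_on = conf.get("security.ssl.internal.enabled", "false").lower() == "true"
    missing = [k for k in SSL_KEYS if f"security.ssl.internal.{k}" not in conf]
    if ssl_on and missing:
        findings.append("internal SSL enabled but missing: " + ", ".join(missing))
    if not ssl_on and port in {str(p) for p in mesh_excluded_ports}:
        findings.append(f"port {port} bypasses the mesh with no internal SSL: "
                        "unauthenticated, restrict it at the network level")
    return findings
```

An empty result for a mesh-excluded port means internal SSL is configured; a "bypasses the mesh" finding means the network-level isolation mentioned in the reply is the only control on that port.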
