
Adding basic auth to a Prometheus-operator managed Prometheus

Time: 2024-07-19 15:30:02  Views: 16
Tags: web monitoring prometheus auth yaml Prometheus basic operator

Problem: Prometheus allows unauthenticated access, which exposes an information disclosure vulnerability via /debug/pprof


Solution: add basic auth to Prometheus

Because a Prometheus deployed by the operator is controlled through a CRD, the pod configuration cannot be changed by editing the controller, so modifying the StatefulSet has no effect; basic auth has to be added by modifying the Prometheus object.
Related blog for reference: https://blog.csdn.net/zfw_666666/article/details/126351312

Steps

1. Hash the password with bcrypt

# The password here is set to admin
[root@master01 ~]# htpasswd -nBC 10 "" | tr -d ':\n'
New password: 
Re-type new password: 
$2y$10$w5f0QZ5dM.NQ93mG95ZYv..BWlw5hqa1O0fRT.TXBJZbUngcJefRW

2. Create the web config file (web.yaml)

# The username is also set to admin here
[root@master01 ~]# cat web.yaml 
basic_auth_users:
  admin: $2y$10$w5f0QZ5dM.NQ93mG95ZYv..BWlw5hqa1O0fRT.TXBJZbUngcJefRW

3. Base64-encode web.yaml (base64 is an encoding, not encryption; the Secret only stores the file in this form)

[root@master01 ~]# cat web.yaml |base64 -w 0
YmFzaWNfYXV0aF91c2VyczoKICBhZG1pbjogJDJ5JDEwJHc1ZjBRWjVkTS5OUTkzbUc5NVpZdi4uQldsdzVocWExTzBmUlQuVFhCSlpiVW5nY0plZlJXCg==

4. Create the Secret

[root@master01 ~]# cat web-secret.yaml
apiVersion: v1
data:
  web.yaml: "YmFzaWNfYXV0aF91c2VyczoKICBhZG1pbjogJDJ5JDEwJHc1ZjBRWjVkTS5OUTkzbUc5NVpZdi4uQldsdzVocWExTzBmUlQuVFhCSlpiVW5nY0plZlJXCg=="
kind: Secret
metadata:
  name: prometheus-basic-auth
  namespace: monitoring
type: Opaque
[root@master01 ~]# kubectl apply -f web-secret.yaml
secret/prometheus-basic-auth created
[root@master01 ~]# kubectl get secret -n monitoring|grep prometheus-basic-auth
prometheus-basic-auth            Opaque   1      105m

5. Edit the Prometheus object

[root@master01 ~]# kubectl get prometheus -A
NAMESPACE    NAME   VERSION   DESIRED   READY   RECONCILED   AVAILABLE   AGE
monitoring   k8s    2.48.1    2         2       True         True        19h
[root@master01 ~]# kubectl edit prometheus -n monitoring  k8s
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
  creationTimestamp: "2024-06-28T16:08:40Z"
  generation: 14
  labels:
    app.kubernetes.io/component: prometheus
    app.kubernetes.io/instance: k8s
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 2.48.1
  name: k8s
  namespace: monitoring
  resourceVersion: "146719"
  uid: cf2abfde-4d20-4543-a108-393343f1539e
spec:
  alerting:
    alertmanagers:
    - apiVersion: v2
      name: alertmanager-main
      namespace: monitoring
      port: web
  # Everything from here down to enableFeatures: [] must be added; the liveness, readiness and startup probes all need the auth header,
  # and the args as well as the port name used in the probes must match those of the original pod
  containers:
  - args:
    - --web.console.templates=/etc/prometheus/consoles
    - --web.console.libraries=/etc/prometheus/console_libraries
    - --config.file=/etc/prometheus/config_out/prometheus.env.yaml
    - --web.enable-lifecycle
    - --web.route-prefix=/
    - --storage.tsdb.retention.time=24h
    - --storage.tsdb.path=/prometheus
    # The web.yaml created above will be mounted at this path inside the container
    - --web.config.file=/etc/prometheus/secrets/prometheus-basic-auth/web.yaml
    livenessProbe:
      failureThreshold: 6
      httpGet:
        httpHeaders:
        - name: Authorization
          # The value after Basic is admin:admin base64-encoded:
          # echo -n "admin:admin" | base64
          value: Basic YWRtaW46YWRtaW4=
        path: /-/healthy
        port: web
        scheme: HTTP
      periodSeconds: 5
      successThreshold: 1
      timeoutSeconds: 3
    name: prometheus
    ports:
    - containerPort: 9090
      name: web
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        httpHeaders:
        - name: Authorization
          value: Basic YWRtaW46YWRtaW4=
        path: /-/ready
        port: web
        scheme: HTTP
      periodSeconds: 5
      successThreshold: 1
      timeoutSeconds: 3
    startupProbe:
      failureThreshold: 60
      httpGet:
        httpHeaders:
        - name: Authorization
          value: Basic YWRtaW46YWRtaW4=
        path: /-/ready
        port: web
        scheme: HTTP
      periodSeconds: 15
      successThreshold: 1
      timeoutSeconds: 3
  enableFeatures: []
  evaluationInterval: 30s
  externalLabels: {}
  image: quay.io/prometheus/prometheus:v2.48.1
  nodeSelector:
    kubernetes.io/os: linux
  podMetadata:
    labels:
      app.kubernetes.io/component: prometheus
      app.kubernetes.io/instance: k8s
      app.kubernetes.io/name: prometheus
      app.kubernetes.io/part-of: kube-prometheus
      app.kubernetes.io/version: 2.48.1
  podMonitorNamespaceSelector: {}
  podMonitorSelector: {}
  portName: web
  probeNamespaceSelector: {}
  probeSelector: {}
  replicas: 2
  resources:
    requests:
      memory: 400Mi
  ruleNamespaceSelector: {}
  ruleSelector: {}
  scrapeConfigNamespaceSelector: {}
  scrapeConfigSelector: {}
  scrapeInterval: 30s
  # Add the name of the Secret applied earlier here
  # Once the container is running, web.yaml is mounted under /etc/prometheus/secrets/prometheus-basic-auth/
  secrets:
  - prometheus-basic-auth
  securityContext:
    fsGroup: 2000
    runAsNonRoot: true
    runAsUser: 1000
  serviceAccountName: prometheus-k8s
  serviceMonitorNamespaceSelector: {}
  serviceMonitorSelector: {}
  version: 2.48.1
status:
  availableReplicas: 2
  conditions:
  - lastTransitionTime: "2024-06-29T07:11:12Z"
    message: ""
    observedGeneration: 14
    reason: ""
    status: "True"
    type: Available
  - lastTransitionTime: "2024-06-29T07:11:12Z"
    message: ""
    observedGeneration: 14
    reason: ""
    status: "True"
    type: Reconciled
  paused: false
  replicas: 2
  shardStatuses:
    - availableReplicas: 2
    replicas: 2
    shardID: "0"
    unavailableReplicas: 0
    updatedReplicas: 2
  unavailableReplicas: 0
  updatedReplicas: 2

6. Check the pods and enter the container to verify the Secret mount

[root@master01 ~]# kubectl get po -A|grep prometheus
monitoring    prometheus-adapter-d4fcc8bb9-4q6dv               1/1     Running            0                15h
monitoring    prometheus-adapter-d4fcc8bb9-q7zns               1/1     Running            0                15h
monitoring    prometheus-k8s-0                                 2/2     Running            0                126m
monitoring    prometheus-k8s-1                                 2/2     Running            0                126m
monitoring    prometheus-operator-94d855d67-n4lrh              2/2     Running            0                15h
[root@master01 ~]# kubectl exec -it -n monitoring    prometheus-k8s-1 -- /bin/sh
/prometheus $ ls
chunks_head     lock            queries.active  wal
/prometheus $ cd /etc/prometheus/secrets/prometheus-basic-auth/
/etc/prometheus/secrets/prometheus-basic-auth $ ls
web.yaml
/etc/prometheus/secrets/prometheus-basic-auth $ cat web.yaml 
basic_auth_users:
  admin: $2y$10$w5f0QZ5dM.NQ93mG95ZYv..BWlw5hqa1O0fRT.TXBJZbUngcJefRW
/etc/prometheus/secrets/prometheus-basic-auth $ exit

7. Access the Prometheus web UI (prerequisite: NodePort access is enabled)

[root@master01 ~]# kubectl get svc -A|grep prometheus-k8s
monitoring    prometheus-k8s                  NodePort    10.233.37.70    <none>        9090:32662/TCP,8080:30408/TCP   20h

Enter ip:32662/debug/pprof in the browser; it now prompts for a username and password.

After entering the username and password, the login succeeds!

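The steps above scripted end to end, as an added example that is not code from the original post: it assumes the same names the post uses (user admin, namespace monitoring, Secret prometheus-basic-auth, port name web), emits JSON (which kubectl accepts in place of YAML), and refuses to build a Secret unless every password value is a bcrypt hash.

```python
"""Builds web.yaml, the Secret and the Prometheus container entry from the steps above (added
example, not from the post; names follow the post: admin, monitoring, prometheus-basic-auth, port web)."""
import base64
import json
import re

# Shape of a bcrypt hash as printed by `htpasswd -B`: $2y$<cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def render_web_config(users: dict) -> str:
    """Prometheus web config text; rejects anything that is not a bcrypt hash
    (a plaintext password or a hash truncated while copying would silently break auth)."""
    for user, pw_hash in users.items():
        if not BCRYPT_RE.match(pw_hash):
            raise ValueError(f"user {user!r}: value is not a bcrypt hash")
    lines = ["basic_auth_users:"] + [f"  {u}: {h}" for u, h in users.items()]
    return "\n".join(lines) + "\n"


def build_secret(name: str, namespace: str, web_config: str) -> dict:
    """Opaque Secret (step 4); the operator mounts key web.yaml under /etc/prometheus/secrets/<name>/."""
    data = base64.b64encode(web_config.encode()).decode()  # base64 is encoding, not encryption
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": {"web.yaml": data}}


def basic_auth_header(user: str, password: str) -> str:
    """Authorization value the kubelet must send on probes once basic auth is on (step 5)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def prometheus_container(secret_name: str, auth_header: str, base_args: list) -> dict:
    """The 'prometheus' entry for spec.containers: appends --web.config.file to the pod's
    existing args (base_args must match the running pod) and gives all three probes the header."""
    def probe(path, failure_threshold, period):
        return {"failureThreshold": failure_threshold, "periodSeconds": period, "successThreshold": 1,
                "timeoutSeconds": 3, "httpGet": {"path": path, "port": "web", "scheme": "HTTP",
                "httpHeaders": [{"name": "Authorization", "value": auth_header}]}}
    return {"name": "prometheus",
            "args": base_args + [f"--web.config.file=/etc/prometheus/secrets/{secret_name}/web.yaml"],
            "livenessProbe": probe("/-/healthy", 6, 5), "readinessProbe": probe("/-/ready", 3, 5),
            "startupProbe": probe("/-/ready", 60, 15)}


if __name__ == "__main__":
    cfg = render_web_config({"admin": "$2y$10$w5f0QZ5dM.NQ93mG95ZYv..BWlw5hqa1O0fRT.TXBJZbUngcJefRW"})
    print(json.dumps(build_secret("prometheus-basic-auth", "monitoring", cfg), indent=2))
    print(json.dumps(prometheus_container("prometheus-basic-auth", basic_auth_header("admin", "admin"),
                                          ["--web.enable-lifecycle"]), indent=2))
```

Piping the printed Secret to `kubectl apply -f -` replaces steps 3 and 4; the container entry is what goes under spec.containers in step 5, with base_args copied from the running pod.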

From: https://www.cnblogs.com/xfans520/p/18311572
