问题:Prometheus存在未授权访问,会导致/debug/pprof信息泄露漏洞
解决方法:给prometheus添加basic auth
由于operator部署的prometheus是通过crd控制的,不可以通过修改控制器的方式修改pod的配置,所以修改statefulset无法生效,需要通过修改prometheus对象添加basic auth权限。
相关博客参考:https://blog.csdn.net/zfw_666666/article/details/126351312
具体步骤
1、对密码通过 bcrypt 做哈希(bcrypt 是单向哈希,不是可逆加密)
# 这里密码设置为admin
[root@master01 ~]# htpasswd -nBC 10 "" | tr -d ':\n'
New password:
Re-type new password:
$2y$10$w5f0QZ5dM.NQ93mG95ZYv..BWlw5hqa1O0fRT.TXBJZbUngcJefRW
2、创建web-config.yaml(下文示例中实际使用的文件名为web.yaml)
# 这里用户名也设置为admin
[root@master01 ~]# cat web.yaml
basic_auth_users:
admin: $2y$10$w5f0QZ5dM.NQ93mG95ZYv..BWlw5hqa1O0fRT.TXBJZbUngcJefRW
3、对web-config.yaml进行base64编码(Secret 的 data 字段要求 base64 编码;base64 只是编码而非加密)
[root@master01 ~]# cat web.yaml |base64 -w 0
YmFzaWNfYXV0aF91c2VyczoKICBhZG1pbjogJDJ5JDEwJHc1ZjBRWjVkTS5OUTkzbUc5NVpZdi4uQldsdzVocWExTzBmUlQuVFhCSlpiVW5nY0plZlJXCg==
4、创建secret
[root@master01 ~]# cat web-secret.yaml
apiVersion: v1
data:
web.yaml: "YmFzaWNfYXV0aF91c2VyczoKICBhZG1pbjogJDJ5JDEwJHc1ZjBRWjVkTS5OUTkzbUc5NVpZdi4uQldsdzVocWExTzBmUlQuVFhCSlpiVW5nY0plZlJXCg=="
kind: Secret
metadata:
name: prometheus-basic-auth
namespace: monitoring
type: Opaque
[root@master01 ~]# kubectl apply -f web-secret.yaml
secret/prometheus-basic-auth created
[root@master01 ~]# kubectl get secret -n monitoring|grep prometheus-basic-auth
prometheus-basic-auth Opaque 1 105m
5、修改prometheus对象
[root@master01 ~]# kubectl get prometheus -A
NAMESPACE NAME VERSION DESIRED READY RECONCILED AVAILABLE AGE
monitoring k8s 2.48.1 2 2 True True 19h
[root@master01 ~]# kubectl edit prometheus -n monitoring k8s
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
creationTimestamp: "2024-06-28T16:08:40Z"
generation: 14
labels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 2.48.1
name: k8s
namespace: monitoring
resourceVersion: "146719"
uid: cf2abfde-4d20-4543-a108-393343f1539e
spec:
alerting:
alertmanagers:
- apiVersion: v2
name: alertmanager-main
namespace: monitoring
port: web
# 下面开始一直到enableFeatures: []都需要添加,保活探针、就绪探针、启动探针都需要添加认证
# 且args中的参数以及探针中的具体port名要和原pod中的保持一致
containers:
- args:
- --web.console.templates=/etc/prometheus/consoles
- --web.console.libraries=/etc/prometheus/console_libraries
- --config.file=/etc/prometheus/config_out/prometheus.env.yaml
- --web.enable-lifecycle
- --web.route-prefix=/
- --storage.tsdb.retention.time=24h
- --storage.tsdb.path=/prometheus
# 需要修改的web.yaml会挂在容器内的这个位置
- --web.config.file=/etc/prometheus/secrets/prometheus-basic-auth/web.yaml
livenessProbe:
failureThreshold: 6
httpGet:
httpHeaders:
- name: Authorization
# Basic之后的值为admin:admin经base64编码得到的(base64只是编码而非加密,能读取该Prometheus对象的人即可还原出明文密码)
# echo -n "admin:admin" | base64
value: Basic YWRtaW46YWRtaW4=
path: /-/healthy
port: web
scheme: HTTP
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
name: prometheus
ports:
- containerPort: 9090
name: web
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
httpHeaders:
- name: Authorization
value: Basic YWRtaW46YWRtaW4=
path: /-/ready
port: web
scheme: HTTP
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
startupProbe:
failureThreshold: 60
httpGet:
httpHeaders:
- name: Authorization
value: Basic YWRtaW46YWRtaW4=
path: /-/ready
port: web
scheme: HTTP
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 3
enableFeatures: []
evaluationInterval: 30s
externalLabels: {}
image: quay.io/prometheus/prometheus:v2.48.1
nodeSelector:
kubernetes.io/os: linux
podMetadata:
labels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 2.48.1
podMonitorNamespaceSelector: {}
podMonitorSelector: {}
portName: web
probeNamespaceSelector: {}
probeSelector: {}
replicas: 2
resources:
requests:
memory: 400Mi
ruleNamespaceSelector: {}
ruleSelector: {}
scrapeConfigNamespaceSelector: {}
scrapeConfigSelector: {}
scrapeInterval: 30s
# 此处添加之前apply的secret名
# 容器运行成功后会将web.yaml挂载进/etc/prometheus/secrets/prometheus-basic-auth/目录下
secrets:
- prometheus-basic-auth
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: prometheus-k8s
serviceMonitorNamespaceSelector: {}
serviceMonitorSelector: {}
version: 2.48.1
status:
availableReplicas: 2
conditions:
- lastTransitionTime: "2024-06-29T07:11:12Z"
message: ""
observedGeneration: 14
reason: ""
status: "True"
type: Available
- lastTransitionTime: "2024-06-29T07:11:12Z"
message: ""
observedGeneration: 14
reason: ""
status: "True"
type: Reconciled
paused: false
replicas: 2
shardStatuses:
- availableReplicas: 2
replicas: 2
shardID: "0"
unavailableReplicas: 0
updatedReplicas: 2
unavailableReplicas: 0
updatedReplicas: 2
6、查看pod并进入容器查看secret挂载情况
[root@master01 ~]# kubectl get po -A|grep prometheus
monitoring prometheus-adapter-d4fcc8bb9-4q6dv 1/1 Running 0 15h
monitoring prometheus-adapter-d4fcc8bb9-q7zns 1/1 Running 0 15h
monitoring prometheus-k8s-0 2/2 Running 0 126m
monitoring prometheus-k8s-1 2/2 Running 0 126m
monitoring prometheus-operator-94d855d67-n4lrh 2/2 Running 0 15h
[root@master01 ~]# kubectl exec -it -n monitoring prometheus-k8s-1 -- /bin/sh
/prometheus $ ls
chunks_head lock queries.active wal
/prometheus $ cd /etc/prometheus/secrets/prometheus-basic-auth/
/etc/prometheus/secrets/prometheus-basic-auth $ ls
web.yaml
/etc/prometheus/secrets/prometheus-basic-auth $ cat web.yaml
basic_auth_users:
admin: $2y$10$w5f0QZ5dM.NQ93mG95ZYv..BWlw5hqa1O0fRT.TXBJZbUngcJefRW
/etc/prometheus/secrets/prometheus-basic-auth $ exit
7、访问prometheus的web ui(前提:开启NodePort访问)
[root@master01 ~]# kubectl get svc -A|grep prometheus-k8s
monitoring prometheus-k8s NodePort 10.233.37.70 <none> 9090:32662/TCP,8080:30408/TCP 20h
浏览器输入ip:32662/debug/pprof,提示需要用户名和密码
输入用户名和密码后,登录成功!