On 23.05.22 15:24, Rudford Hamon wrote:
>
> So, I am part of an open source project called OpenZiti, where you can embed
> zero trust networking into anything (apps-to-apps, server-to-apps,
> server-to-server, etc) and be completely invisible while using basic
> community internet. VPNs, Bastions, or jump servers, including old school
> firewalls are NOT required.
>
> At OpenZiti, we use Prometheus and love the project just as much as
> everyone else. Since we love embedded zero trust security and scraping
> data via Prometheus, we did a "zitification" test to see what the world
> would look like if Prometheus was able to do its magic with embedded zero
> trust and be completely invisible and scrape anything/anywhere without
> inherently risky vulnerabilities.
I'm not an expert in network security, so please pardon my possibly imprecise use of jargon, but it sounds to me like OpenZiti is a VPN where you link the VPN parts directly into the software using the VPN.

The Prometheus project traditionally hasn't even tried to address network security. We decided to delegate it to other components, partially because Prometheus is already complex enough, partially because we, as an OSS project, lack the capacity and qualification to deal with the network security aspects. We went as far as even refusing TLS to be part of Prometheus components. Since TLS is so ubiquitous by now and essentially seen as part of the network stack, we eventually decided to support TLS directly rather than asking our users to set up reverse proxies, sidecars, etc. to add TLS support. The latter gives you an idea of what the threshold is where we would consider linking network security related code directly into the upstream projects.

Our users have very different approaches to how they secure their networks and how they organize metrics scraping, and I believe that will be the case for the foreseeable future. (I should mention here that cross-cluster scraping is considered a rare exception in the general Prometheus deployment model.) Many might prefer a modular solution that doesn't require changing all involved binaries with an SDK. A "zitification" of the upstream Prometheus server (and presumably all the other components of the Prometheus stack) seems to serve a fairly niche use case at this moment. You are of course free to offer "zitified" components, but as long as OpenZiti isn't even remotely as ubiquitous as TLS, I cannot really imagine 1st class support in the upstream Prometheus repositories.

Those are just my initial thoughts based on a possibly incomplete understanding of OpenZiti. Happy to hear the thoughts of other Prometheus developers and of course more explanations from your side.
--
Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
[email] [email protected]

