I see that kube-rbac-proxy both authenticates the caller and performs an authorization request to check whether that caller is allowed.
Given divided opinions, how about a separate library which implements the feature, and a hook in prometheus/exporter-toolkit so that any similar library can be added at the choice of the exporter.

Bryan

On Monday, 28 November 2022 at 12:53:08 UTC Julien Pivotto wrote:

> On 28 Nov 12:45, Ben Kochie wrote:
> > Yes, build it in. We don't want to require sidecars for every exporter.
>
> I disagree with this, as this sidecar is only required in kubernetes
> environments. Baking it into the exporter toolkit would be a huge
> maintenance challenge:
> - from users - which version of the exporter matches my kube version?
>   (it includes k8s libraries)
> - from admins - every exporter is larger now
> - from maintainers - everyone would have to keep the toolkit up to date
>   to match k8s versions and fix potentially critical bugs
>
> On the contrary, I find the sidecar pattern great here - first, this is
> designed exclusively for kube. Second, the same code only needs to be
> downloaded once per machine, even if you have 10 containers. Then, you
> manage the version and the config as you wish. You do not depend on your
> exporter to include the rbac proxy that you need or have a mix of those
> versions included.
>
> > On Mon, Nov 28, 2022 at 12:43 PM Stuart Clark <[email protected]>
> > wrote:
> >
> > > On 2022-11-28 11:40, Ben Kochie wrote:
> > > > It depends on if the sidecar is with Prometheus or with the target.
> > > >
> > > > If it's with Prometheus, that's probably just a docs update.
> > > >
> > > > If it's with every exporter, that's probably something we would want
> > > > in the exporter-toolkit.
> > > >
> > > > But, my understanding was that the typical thing here was to use mTLS
> > > > for securing and authorizing Prometheus.
> > > >
> > > > If it's something we need to integrate into every exporter to do some
> > > > kind of token auth, we might want to consider this.
> > >
> > > Do you mean building in the functionality directly into the exporter
> > > instead of using a sidecar?
> > >
> > > --
> > > Stuart Clark
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Prometheus Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/prometheus-developers/CABbyFmrmeBX5fxbiPzDV%2BYpePy4UqYz%3DQsHJRwtPkob%2BGZ_w5Q%40mail.gmail.com.
>
> --
> Julien Pivotto
> @roidelapluie

