On 28 Nov 07:27, Bryan Boreham wrote:
> I see that kube-rbac-proxy both authenticates the caller and performs an
> authorization request to check whether that caller is allowed.
>
> Given divided opinions, how about a separate library which implements the
> feature, and a hook in prometheus/exporter-toolkit so that any similar
> library can be added at the choice of the exporter.

It looks like this could then be added to the kube-rbac-proxy, but in
general if official exporters do not use it, it does not make sense to
have it on the exporter toolkit.

>
> Bryan
>
>
> On Monday, 28 November 2022 at 12:53:08 UTC Julien Pivotto wrote:
>
> > On 28 Nov 12:45, Ben Kochie wrote:
> > > Yes, build it in. We don't want to require sidecars for every exporter.
> >
> > I disagree with this, as this sidecar is only required in kubernetes
> > environments. Baking it into the exporter toolkit would be a huge
> > maintenance challenge:
> > - from users - which version of the exporter matches my kube version?
> >   (it includes k8s libraries)
> > - from admins - every exporter is larger now
> > - from maintainers - everyone would have to keep the toolkit up to date
> >   to match k8s versions and fix potentially critical bugs
> >
> > On the contrary, I find the sidecar pattern great here - first, this is
> > designed exclusively for kube. Second, the same code only needs to be
> > downloaded once per machine, even if you have 10 containers. Then, you
> > manage the version and the config as you wish. You do not depend on your
> > exporter to include the rbac proxy that you need or have a mix of those
> > versions included.
> >
> >
> > >
> > > On Mon, Nov 28, 2022 at 12:43 PM Stuart Clark <[email protected]>
> > > wrote:
> > >
> > > > On 2022-11-28 11:40, Ben Kochie wrote:
> > > > > It depends on if the sidecar is with Prometheus or with the target.
> > > > >
> > > > > If it's with Prometheus, that's probably just a docs update.
> > > > >
> > > > > If it's with every exporter, that's probably something we would want
> > > > > in the exporter-toolkit.
> > > > >
> > > > > But, my understanding was that the typical thing here was to use mTLS
> > > > > for securing and authorizing Prometheus.
> > > > >
> > > > > If it's something we need to integrate into every exporter to do some
> > > > > kind of token auth, we might want to consider this.
> > > > >
> > > >
> > > > Do you mean building in the functionality directly into the exporter
> > > > instead of using a sidecar?
> > > >
> > > > --
> > > > Stuart Clark
> > > >
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "Prometheus Developers" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > > an email to [email protected].
> > > To view this discussion on the web visit
> > > https://groups.google.com/d/msgid/prometheus-developers/CABbyFmrmeBX5fxbiPzDV%2BYpePy4UqYz%3DQsHJRwtPkob%2BGZ_w5Q%40mail.gmail.com.
> >
> > --
> > Julien Pivotto
> > @roidelapluie
>

--
Julien Pivotto
@roidelapluie

