-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[404-server] Conceal /metrics and /healthz behind port 10254 #3125
[404-server] Conceal /metrics and /healthz behind port 10254 #3125
Conversation
/assign @aledbf |
I guess the real question is, does anyone use these metrics? This is supposed to just return I don't know why but I just feel wrong feature creeping this thing |
I am not sure this adds real value for two reasons, just a counter for 404 is not very helpful and if you add the host being requested could produce an explosion of metrics. |
IMO ingress-nginx should not be concerned about default backend service at all. By default we should not require |
We cannot break this rule. |
@aledbf can you elaborate? Are you worried that it will introduce snowflake in controller.go logic? |
I'm totally comfortable with that, I kinda just want to 🔥 the metrics endpoint altogether? I'm okay with |
I sketched something quickly for the idea I suggest at #3125 (comment), it is simpler than I guessed: https://github.com/kubernetes/ingress-nginx/pull/3126/files |
Not sure about that because someone could be using what's being exposed right now. |
Closing |
@aledbf what's the problem with this PR? It is making things better without breaking anything, no? After #3126 gets merged https://github.com/kubernetes/ingress-nginx/tree/master/images/404-server will serve just as an example, and I don't see any issue with making that example custom 404 page more secure and configurable. |
@ElvinEfendi this introduce the same issue than here #3116 (comment) but for all 404 handled by the default backend |
Also, the 404-server image is not used only by ingress-nginx |
the 404-server aka |
/reopen |
@jonpulsifer: Reopening this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jonpulsifer: failed to re-open PR: state cannot be changed. The change-default-backend-metrics-port branch has been deleted. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/reopen |
@jonpulsifer: Reopening this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm |
/hold |
@bowei @nicksardo ping |
This commit conceals the /metrics endpoint behind port 10254. Thanks to @aledbf for all the help getting this through! Signed-off-by: Jonathan Pulsifer <jonathan.pulsifer@shopify.com>
commits have been squashed, ready to go I think 😄 also super thanks for the incorporated adjustments to the code (retaining functionality on |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, bowei, jonpulsifer The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@bowei can you help with the publication of the image to gcr? |
ahhhh ok, doing it |
It appears that CVE-2018-1002104 was assigned to this issue. |
What this PR does / why we need it:
/metrics
and/healthz
endpoints and exposes a command line flag to change the port (default10254
)5s
) for the graceful shutdownWhich issue this PR fixes:
Fixes #1733
Special notes for your reviewer:
This PR is getting pretty big.. I don't know if we should cut a release yet, or wait until we bump the manifests?code has been updated to maintain existing functionality, so i don't think i'm that worried anymoreThe 404-server is supposed to be small, but it's getting bigger, I don't know what we want to do here