Hi

The idea is to integrate kube-rbac-proxy to add an extra (and optional)
security feature in a new exporter, so the final user can rely on RBAC to
assure that only Prometheus can scrape its metrics. This is something you
get when you install Prometheus in K8s using the official helm chart - only
Prometheus can scrape the Prometheus metrics exposed by the K8s internals.
The idea is to have something similar but for any exporter.

Any developer can integrate it in their exporter (as shown here
https://www.brancz.com/2018/02/27/using-kube-rbac-proxy-to-secure-kubernetes-workloads),
but someone pointed out on Mastodon that we could also integrate it in the
exporter toolkit so it's even easier.

Thanks!

(https://mastodon.social/@mrueg/109315967734903276)




On Mon, Nov 28, 2022 at 11:39 AM Bryan Boreham <bjbore...@gmail.com> wrote:

> What is meant by "add rbac support to the exporter-toolkit
> <https://github.com/prometheus/exporter-toolkit>" ?
>
> I have been using Kubernetes and Prometheus for many years; I know what
> RBAC is but cannot immediately see how an exporter would want to write code
> that references it.
>
> Bryan
>
> On Friday, 25 November 2022 at 12:01:32 UTC Julien Pivotto wrote:
>
>> I am surprised by this, it looks a huge maintenance burden and
>> potentially would add a lot of disk space to all the exporters that is
>> shared between all if you use a sidecar.
>>
>> We also, as you point out, have many users just not deploying to kube.
>>
>> On 10 Nov 05:44, Jesús Samitier wrote:
>> > Hi,
>> >
>> > It was great to see all of you in Munich!
>> >
>> > After our talk about securing Prometheus in K8s, we received a message in
>> > Mastodon suggesting us that it'd be a good idea to add rbac support to the
>> > exporter-toolkit <https://github.com/prometheus/exporter-toolkit>. I'm not
>> > sure because you don't always deploy your exporters in Kubernetes, so
>> > wanted to ask to the community.
>> >
>> > If someone thinks that this could be useful for the project, we'd be glad
>> > to contribute.
>> >
>> > Thanks!
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups "Prometheus Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an email to prometheus-devel...@googlegroups.com.
>> > To view this discussion on the web visit
>> https://groups.google.com/d/msgid/prometheus-developers/edc5b581-edc7-49ea-8906-1e81281e4209n%40googlegroups.com.
>>
>>
>>
>> --
>> Julien Pivotto
>> @roidelapluie
>>