Prometheus service discovery #920
Comments
You could accomplish this today with a script that could ssh to the nebula process on your lighthouse and issue a
I'll try it. Thanks.
Using sshd will work but it seems to be the wrong tool for this task. Docs say "sshd enables nebula's built-in debugging console". It exposes functions I don't want to expose like change-remote and profiling, and it requires managing a new set of ssh keys in addition to the nebula certificates.
I agree the ssh interface exposes too much for your goals here. We have talked about adding an allow list config option to limit what a given user can accomplish via the ssh interface; would that suffice?
The ssh interface is also a little more cumbersome to use because it requires additional ssh keys. Can't it use the existing nebula overlay? I don't think I'll use an ssh interface to get static metadata about the network, so feel free to ignore my feature request. Thank you for taking the time to consider it.
The main trouble is helping folks avoid accidental information disclosure. Exposing a hostmap list over http with the current capabilities of nebula would at best allow any user on the computer where it's enabled to access the hostmap list. It could give a would-be attacker a treasure map for lateral movement within the environment. The ssh system bulks this up by requiring authentication prior to use: an attacker has to gain root access to the system or a private key for an already authorized ssh key. That's not to say there isn't value in the idea and we won't do it. We also have #913 to consider, which brings about similar challenges, and if we determine to merge it then I would imagine we would desire to add more capability to the http server. The trick will be striking the right balance between usability and security.
Can't I already discover all IPs when lighthouse dns is enabled?
Another option is to expose this http interface just to a specific nebula group.
Prometheus supports dynamic service discovery.
Is there a way Prometheus could automatically discover all registered nodes from a lighthouse? The certificate groups could be returned as labels to help filter and relabel config.
Something like consul_sd_config will be great.
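The shape such a discovery endpoint could take, as an added illustration that is not part of the issue or of nebula itself: it turns a constructed list of registered nodes (the `name`/`vpn_ip`/`groups` field names are an assumption, not nebula's hostmap format) into the JSON target list Prometheus accepts from `file_sd_configs` or `http_sd_configs`, exposes certificate groups as `__meta_` labels for relabeling, and can restrict output to one group, as suggested in the thread.

```python
import json

# Constructed sample of what a lighthouse might report for its registered
# nodes. The field names are an assumption for illustration only.
SAMPLE_NODES = [
    {"name": "web-1", "vpn_ip": "10.42.0.11", "groups": ["web", "prod"]},
    {"name": "db-1", "vpn_ip": "10.42.0.21", "groups": ["db", "prod"]},
    {"name": "dev-box", "vpn_ip": "10.42.0.99", "groups": ["dev"]},
]


def to_sd_targets(nodes, port=9100, required_group=None):
    """Build Prometheus file_sd/http_sd target groups from node records.

    Each node becomes one target group. Certificate groups are exposed as a
    __meta_ label (dropped by Prometheus after relabeling, so they never leak
    into stored series unless a relabel rule copies them). If required_group is
    given, only nodes carrying that group are emitted, which is the
    "expose it to a specific nebula group" restriction from the discussion.
    """
    out = []
    for node in nodes:
        groups = node["groups"]
        if required_group is not None and required_group not in groups:
            continue
        labels = {
            "__meta_nebula_name": node["name"],
            # Flat string, delimited like consul_sd tags (",a,b,") so a
            # relabel regex such as ".*,prod,.*" can match one group exactly.
            "__meta_nebula_groups": "," + ",".join(groups) + ",",
        }
        out.append({"targets": [f"{node['vpn_ip']}:{port}"], "labels": labels})
    return out


def render(nodes, **kwargs):
    """JSON document to serve over http_sd or write to a file_sd path."""
    return json.dumps(to_sd_targets(nodes, **kwargs), indent=2)


if __name__ == "__main__":
    print(render(SAMPLE_NODES, required_group="prod"))
```

A `relabel_configs` rule with `source_labels: [__meta_nebula_groups]` and `regex: ".*,prod,.*"` then keeps only production targets on the Prometheus side.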