Security: Unauthenticated Access to Metrics Endpoints #2935

@infernus01

Description

Expected Behavior

HTTP/1.1 401 Unauthorized
{"error": "Unauthorized"}

Actual Behavior

# HELP go_goroutines Number of goroutines that currently exist.
# TYPE go_goroutines gauge
go_goroutines 147
# HELP tekton_pipelines_controller_pipelinerun_count Number of pipelineruns
# TYPE tekton_pipelines_controller_pipelinerun_count gauge
tekton_pipelines_controller_pipelinerun_count{status="success"} 42
...
[MORE METRICS OUTPUT]

Steps to Reproduce the Problem

curl http://${POD_IP}:9090/metrics

Additional Info

Recommended Approach: kube-rbac-proxy Sidecar

Deploy kube-rbac-proxy as a sidecar container to enforce authentication:

┌─────────────────────────────────────────┐
│  Pod: tekton-pipelines-controller       │
│                                         │
│  ┌───────────────┐   ┌──────────────┐   │
│  │  Controller   │   │ kube-rbac-   │   │
│  │               │   │ proxy        │   │
│  │ :9090         │◄──┤ :8443        │◄──┼─── HTTPS + Bearer Token
│  │ (localhost)   │   │ (external)   │   │    (Authenticated)
│  └───────────────┘   └──────────────┘   │
└─────────────────────────────────────────┘
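The sidecar layout in the diagram above, written out as a Kubernetes manifest fragment. This is an added example, not part of the issue or the project's manifests; it assumes the controller's metrics listener is bound to 127.0.0.1:9090 inside the Pod (how that is configured is not covered here), that a TLS Secret named metrics-proxy-tls exists, and the names metrics-proxy-auth-delegator and metrics-reader are illustrative.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  template:
    spec:
      serviceAccountName: tekton-pipelines-controller
      containers:
      - name: tekton-pipelines-controller
        # existing controller container; assumed to serve metrics on 127.0.0.1:9090 only
      - name: kube-rbac-proxy
        image: quay.io/brancz/kube-rbac-proxy:vX.Y.Z  # placeholder tag; pin a real release
        args:
        - --secure-listen-address=0.0.0.0:8443   # the only listener reachable from outside the Pod (TLS)
        - --upstream=http://127.0.0.1:9090/      # plain-HTTP hop never leaves the Pod network namespace
        - --tls-cert-file=/etc/tls/tls.crt
        - --tls-private-key-file=/etc/tls/tls.key
        volumeMounts:
        - name: metrics-proxy-tls
          mountPath: /etc/tls
          readOnly: true
      volumes:
      - name: metrics-proxy-tls
        secret:
          secretName: metrics-proxy-tls   # assumed TLS Secret
---
# The proxy validates bearer tokens with a TokenReview and authorizes each
# request with a SubjectAccessReview, so its ServiceAccount needs both.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-proxy-auth-delegator
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
---
# Without a --config-file the proxy checks GET on the request path as a
# non-resource URL, so a scraper needs this to pass the SubjectAccessReview.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
```

Both ClusterRoles still need a ClusterRoleBinding (to the controller Pod's ServiceAccount and to the scraper's ServiceAccount respectively); the built-in system:auth-delegator ClusterRole can replace the first one. An unauthenticated `curl` against :8443 then gets a 401, while the 9090 listener is reachable only from inside the Pod.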

Metadata

Labels

kind/bug: Categorizes issue or PR as related to a bug.
