Prometheus: Update command line flags

This updates the default command line flags for Prometheus. It explicitly sets the HTTP administrative settings to false and gives a brief explanation of the security concerns associated with enabling them This also removes the honor_labels setting where set to false, as false is the default setting for honor_labels Change-Id: I69acdbce604864882d642e44c09a5f0b9c454a61
2018-07-26 13:28:45 -05:00 · 2018-07-26 13:28:45 -05:00 · a861c27a34
commit a861c27a34
parent a72ef08c59
2 changed files with 14 additions and 6 deletions
--- a/prometheus/templates/utils/_command_line_flags.tpl
+++ b/prometheus/templates/utils/_command_line_flags.tpl
@ -34,11 +34,11 @@ limitations under the License.
 # 'prometheus --help-man'

 {{- define "prometheus.utils.command_line_flags" -}}
-{{- range $flag, $value := . }}
-{{- $flag := $flag | replace "_" "-" -}}
-{{- if eq $flag "web.enable-admin-api" -}}
-{{- if $value -}}
-{{- printf "--%s" $flag }}
+{{- range $flag, $value := . -}}
+{{- $flag := $flag | replace "_" "-" }}
+{{- if eq $flag "web.enable-admin-api" "web.enable-lifecycle" -}}
+{{- if $value }}
+{{- printf " --%s" $flag -}}
 {{- end -}}
 {{- else -}}
 {{- $value := $value | toString }}
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@ -217,7 +217,16 @@ conf:
      storage.tsdb.retention: 7d
      storage.tsdb.min_block_duration: 2h
      storage.tsdb.max_block_duration: 2h
+      # NOTE(srwilkers): These settings default to false, but they are
+      # exposed here to allow enabling if desired. Please note the security
+      # impacts of enabling these flags. More information regarding the impacts
+      # can be found here: https://prometheus.io/docs/operating/security/
+      #
+      # If set to true, all administrative functionality is exposed via the http
+      # /api/*/admin/ path
      web.enable_admin_api: false
+      # If set to true, allows for http reloads and shutdown of Prometheus
+      web.enable_lifecycle: false
    scrape_configs:
      global:
        scrape_interval: 60s
@ -485,7 +494,6 @@ conf:
            action: replace
            target_label: kubernetes_pod_name
        - job_name: calico-etcd
-          honor_labels: false
          kubernetes_sd_configs:
          - role: service
          scrape_interval: 20s