Prometheus: Update command line flags
This updates the default command line flags for Prometheus. It explicitly sets the HTTP administrative settings to false and gives a brief explanation of the security concerns associated with enabling them This also removes the honor_labels setting where set to false, as false is the default setting for honor_labels Change-Id: I69acdbce604864882d642e44c09a5f0b9c454a61
This commit is contained in:
parent
a72ef08c59
commit
a861c27a34
@ -34,11 +34,11 @@ limitations under the License.
|
|||||||
# 'prometheus --help-man'
|
# 'prometheus --help-man'
|
||||||
|
|
||||||
{{- define "prometheus.utils.command_line_flags" -}}
|
{{- define "prometheus.utils.command_line_flags" -}}
|
||||||
{{- range $flag, $value := . }}
|
{{- range $flag, $value := . -}}
|
||||||
{{- $flag := $flag | replace "_" "-" -}}
|
{{- $flag := $flag | replace "_" "-" }}
|
||||||
{{- if eq $flag "web.enable-admin-api" -}}
|
{{- if eq $flag "web.enable-admin-api" "web.enable-lifecycle" -}}
|
||||||
{{- if $value -}}
|
{{- if $value }}
|
||||||
{{- printf "--%s" $flag }}
|
{{- printf " --%s" $flag -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $value := $value | toString }}
|
{{- $value := $value | toString }}
|
||||||
|
@ -217,7 +217,16 @@ conf:
|
|||||||
storage.tsdb.retention: 7d
|
storage.tsdb.retention: 7d
|
||||||
storage.tsdb.min_block_duration: 2h
|
storage.tsdb.min_block_duration: 2h
|
||||||
storage.tsdb.max_block_duration: 2h
|
storage.tsdb.max_block_duration: 2h
|
||||||
|
# NOTE(srwilkers): These settings default to false, but they are
|
||||||
|
# exposed here to allow enabling if desired. Please note the security
|
||||||
|
# impacts of enabling these flags. More information regarding the impacts
|
||||||
|
# can be found here: https://prometheus.io/docs/operating/security/
|
||||||
|
#
|
||||||
|
# If set to true, all administrative functionality is exposed via the http
|
||||||
|
# /api/*/admin/ path
|
||||||
web.enable_admin_api: false
|
web.enable_admin_api: false
|
||||||
|
# If set to true, allows for http reloads and shutdown of Prometheus
|
||||||
|
web.enable_lifecycle: false
|
||||||
scrape_configs:
|
scrape_configs:
|
||||||
global:
|
global:
|
||||||
scrape_interval: 60s
|
scrape_interval: 60s
|
||||||
@ -485,7 +494,6 @@ conf:
|
|||||||
action: replace
|
action: replace
|
||||||
target_label: kubernetes_pod_name
|
target_label: kubernetes_pod_name
|
||||||
- job_name: calico-etcd
|
- job_name: calico-etcd
|
||||||
honor_labels: false
|
|
||||||
kubernetes_sd_configs:
|
kubernetes_sd_configs:
|
||||||
- role: service
|
- role: service
|
||||||
scrape_interval: 20s
|
scrape_interval: 20s
|
||||||
|
Loading…
Reference in New Issue
Block a user