Prometheus: Update command line flags

This updates the default command line flags for Prometheus. It
explicitly sets the HTTP administrative settings to false and
gives a brief explanation of the security concerns associated
with enabling them

This also removes the honor_labels setting where set to false, as
false is the default setting for honor_labels

Change-Id: I69acdbce604864882d642e44c09a5f0b9c454a61
This commit is contained in:
Steve Wilkerson 2018-07-26 13:28:45 -05:00
parent a72ef08c59
commit a861c27a34
2 changed files with 14 additions and 6 deletions

View File

@ -34,11 +34,11 @@ limitations under the License.
# 'prometheus --help-man' # 'prometheus --help-man'
{{- define "prometheus.utils.command_line_flags" -}} {{- define "prometheus.utils.command_line_flags" -}}
{{- range $flag, $value := . }} {{- range $flag, $value := . -}}
{{- $flag := $flag | replace "_" "-" -}} {{- $flag := $flag | replace "_" "-" }}
{{- if eq $flag "web.enable-admin-api" -}} {{- if eq $flag "web.enable-admin-api" "web.enable-lifecycle" -}}
{{- if $value -}} {{- if $value }}
{{- printf "--%s" $flag }} {{- printf " --%s" $flag -}}
{{- end -}} {{- end -}}
{{- else -}} {{- else -}}
{{- $value := $value | toString }} {{- $value := $value | toString }}

View File

@ -217,7 +217,16 @@ conf:
storage.tsdb.retention: 7d storage.tsdb.retention: 7d
storage.tsdb.min_block_duration: 2h storage.tsdb.min_block_duration: 2h
storage.tsdb.max_block_duration: 2h storage.tsdb.max_block_duration: 2h
# NOTE(srwilkers): These settings default to false, but they are
# exposed here to allow enabling if desired. Please note the security
# impacts of enabling these flags. More information regarding the impacts
# can be found here: https://prometheus.io/docs/operating/security/
#
# If set to true, all administrative functionality is exposed via the http
# /api/*/admin/ path
web.enable_admin_api: false web.enable_admin_api: false
# If set to true, allows for http reloads and shutdown of Prometheus
web.enable_lifecycle: false
scrape_configs: scrape_configs:
global: global:
scrape_interval: 60s scrape_interval: 60s
@ -485,7 +494,6 @@ conf:
action: replace action: replace
target_label: kubernetes_pod_name target_label: kubernetes_pod_name
- job_name: calico-etcd - job_name: calico-etcd
honor_labels: false
kubernetes_sd_configs: kubernetes_sd_configs:
- role: service - role: service
scrape_interval: 20s scrape_interval: 20s