It would help if you linked the specific helm chart and issue you filed. There are a lot of different charts out there maintained by different people.
But just a guess, you're talking about the prometheus-community/prometheus chart[0]. IIRC in some configurations the Prometheus server needs access to the proxy in order to scrape data from the kubelet. I think this may be a legacy mode of operation, but it used to be the default.

[0]: https://github.com/prometheus-community/helm-charts/blob/0b928f341240c76d8513534035a825686ed28a4b/charts/prometheus/templates/clusterrole.yaml#L23

On Sat, Feb 25, 2023 at 9:36 AM Jesse Simpson <[email protected]> wrote:

> Hey all,
>
> I'm investigating a security vulnerability reported by my company's security scanning software. We were scanning a helm chart that we make use out of that has a prometheus server pod in it.
>
> The threat is that a pod with node/proxy permission is vulnerable to privilege escalation.
>
> https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
>
> As part of my investigation, I tried removing this nodes/proxy permission, and checked a number of prometheus metrics to see if they report different data, or no data when there previously was data. But so far, I can't see any negative side effect to removing the nodes/proxy permission.
>
> I've contacted the developers of the helm chart we scanned, and they cannot justify their need for this permission and insist that we do not remove it.
>
> Is there a reason you all can think of that this permission might be required for prometheus to function?
>
> Thanks,
>
> Jesse
>
> --
> You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/29001ead-8ac6-414a-9d0c-76631c253acen%40googlegroups.com <https://groups.google.com/d/msgid/prometheus-users/29001ead-8ac6-414a-9d0c-76631c253acen%40googlegroups.com?utm_medium=email&utm_source=footer>.
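The reply above points at the deciding question: does any scrape job actually route through the API server's node proxy (`/api/v1/nodes/<node>/proxy/...`), or does Prometheus talk to the kubelet directly? The audit below is an added example written for this thread; it is not code from the chart, from Prometheus, or from either poster. It checks a ClusterRole (shaped like `kubectl get clusterrole -o json` output) for a grant on the `nodes/proxy` subresource and scans a Prometheus scrape configuration for jobs whose `metrics_path` or `__metrics_path__` relabeling goes through the proxy. Both inputs are constructed samples: the ClusterRole name and the two kubelet jobs (one in the legacy proxy style the reply describes, one scraping the kubelet address directly) are assumptions for illustration, and the check is deliberately coarse: it reports whether the subresource is granted at all and whether any job needs it, nothing about verbs beyond their presence.

```python
import json

# Constructed ClusterRole in `kubectl get clusterrole <name> -o json` shape.
# The name and rules are a sample, not the chart's real manifest.
CLUSTERROLE_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-prometheus-server"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["nodes", "nodes/proxy", "services", "endpoints", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]}
  ]
}
"""
CLUSTERROLE = json.loads(CLUSTERROLE_JSON)

# Same role with the nodes/proxy entry removed (constructed).
CLUSTERROLE_NO_PROXY = json.loads(CLUSTERROLE_JSON)
CLUSTERROLE_NO_PROXY["rules"][0]["resources"].remove("nodes/proxy")

# Constructed scrape configs, as the parsed form of prometheus.yml.
# Legacy style: every node target is rewritten to the API server, which
# proxies /api/v1/nodes/<node>/proxy/metrics to the kubelet. This is the
# path that needs the nodes/proxy subresource.
LEGACY_KUBELET_JOB = {
    "job_name": "kubernetes-nodes",
    "scheme": "https",
    "kubernetes_sd_configs": [{"role": "node"}],
    "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "relabel_configs": [
        {"target_label": "__address__", "replacement": "kubernetes.default.svc:443"},
        {"source_labels": ["__meta_kubernetes_node_name"], "regex": "(.+)",
         "target_label": "__metrics_path__",
         "replacement": "/api/v1/nodes/$1/proxy/metrics"},
    ],
}
# Direct style: scrape the kubelet on the node's own address. Node discovery
# still needs get/list/watch on nodes, but the API server proxy is not used.
DIRECT_KUBELET_JOB = {
    "job_name": "kubelet",
    "scheme": "https",
    "kubernetes_sd_configs": [{"role": "node"}],
    "tls_config": {"ca_file": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"},
    "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "relabel_configs": [
        {"action": "labelmap", "regex": "__meta_kubernetes_node_label_(.+)"},
    ],
}
LEGACY_CONFIG = {"scrape_configs": [LEGACY_KUBELET_JOB]}
DIRECT_CONFIG = {"scrape_configs": [DIRECT_KUBELET_JOB]}


def grants_nodes_proxy(clusterrole):
    """True if any rule grants a verb on the core-group nodes/proxy subresource."""
    for rule in clusterrole.get("rules", []):
        if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
            continue  # nodes live in the core ("") API group
        resources = rule.get("resources", [])
        if any(r in ("nodes/proxy", "nodes/*", "*") for r in resources) and rule.get("verbs"):
            return True
    return False


def jobs_using_apiserver_proxy(prom_config):
    """Names of scrape jobs whose metrics path goes through /api/v1/.../proxy/."""
    hits = []
    for job in prom_config.get("scrape_configs", []):
        name = job.get("job_name", "<unnamed>")
        if "/proxy/" in job.get("metrics_path", ""):
            hits.append(name)
            continue
        for rc in job.get("relabel_configs", []):
            if rc.get("target_label") == "__metrics_path__" and "/proxy/" in rc.get("replacement", ""):
                hits.append(name)
                break
    return hits


def audit(clusterrole, prom_config):
    """Pair the grant with its users and say whether the permission is needed."""
    granted = grants_nodes_proxy(clusterrole)
    users = jobs_using_apiserver_proxy(prom_config)
    if granted and not users:
        verdict = "nodes/proxy granted but no scrape job routes through the API server proxy: candidate for removal"
    elif granted:
        verdict = "nodes/proxy granted and required by: " + ", ".join(users)
    elif users:
        verdict = "scrape jobs route through the API server proxy but nodes/proxy is not granted: those jobs will fail"
    else:
        verdict = "nodes/proxy neither granted nor needed"
    return {"granted": granted, "proxy_jobs": users, "verdict": verdict}


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("direct", DIRECT_CONFIG)):
        print(label, "->", audit(CLUSTERROLE, cfg)["verdict"])
```

Run against a live cluster by feeding it the JSON from `kubectl get clusterrole <name> -o json` and the server's loaded scrape config; the "candidate for removal" verdict is the evidence to bring back to the chart maintainers, while the "required by" verdict names exactly which jobs would break, which matches the reply's point that only the proxy-style kubelet scrape needs this subresource.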

