67 changes: 41 additions & 26 deletions cmd/security-profiles-operator/main.go
Expand Up @@ -80,22 +80,23 @@ import (
)

const (
spocCmd string = "spoc"
jsonFlag string = "json"
nodeStatusControllerFlag string = "with-nodestatus-controller"
spodControllerFlag string = "with-spod-controller"
workloadAnnotatorFlag string = "with-workload-annotator"
recordingMergerFlag string = "with-recording-merger"
recordingFlag string = "with-recording"
seccompFlag string = "with-seccomp"
selinuxFlag string = "with-selinux"
apparmorFlag string = "with-apparmor"
webhookFlag string = "webhook"
memOptimFlag string = "with-mem-optim"
defaultWebhookPort int = 9443
auditLogIntervalSecondsParam string = "audit-log-interval-seconds"
auditLogPathParam string = "audit-log-path"
auditLogMaxSizeParam string = "audit-log-maxsize"
spocCmd string = "spoc"
jsonFlag string = "json"
nodeStatusControllerFlag string = "with-nodestatus-controller"
spodControllerFlag string = "with-spod-controller"
workloadAnnotatorFlag string = "with-workload-annotator"
recordingMergerFlag string = "with-recording-merger"
recordingFlag string = "with-recording"
seccompFlag string = "with-seccomp"
selinuxFlag string = "with-selinux"
apparmorFlag string = "with-apparmor"
webhookFlag string = "webhook"
memOptimFlag string = "with-mem-optim"
enableInsecureMetricsAccessFlag string = "enable-insecure-metrics-access"
defaultWebhookPort int = 9443
auditLogIntervalSecondsParam string = "audit-log-interval-seconds"
auditLogPathParam string = "audit-log-path"
auditLogMaxSizeParam string = "audit-log-maxsize"
// The plural form is not used for audit-log-file-maxbackup to match the k8s api server audit log options.
auditLogMaxBackupParam string = "audit-log-maxbackup"
auditLogMaxAgeParam string = "audit-log-maxage"
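Review bot: enableInsecureMetricsAccessFlag, added after memOptimFlag, is the one constant in this block that switches a security control off, and it carries no comment, while the block already documents a less sensitive name, auditLogMaxBackupParam. Add a line above it saying that the flag turns off TLS and the request filter on the metrics endpoint and that it is off by default. Because it is now the longest identifier, every other line of the block was re-aligned; declaring it in its own const group would keep this hunk to the one added line.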
Expand Down Expand Up @@ -384,6 +385,11 @@ func main() {
Value: config.DefaultProfilingPort,
EnvVars: []string{config.ProfilingPortEnvKey},
},
&cli.BoolFlag{
Name: enableInsecureMetricsAccessFlag,
Usage: "enable insecure metrics access (disables TLS and authentication)",
EnvVars: []string{config.EnableInsecureMetricsAccessEnvKey},
},
Comment on lines +388 to +392
Member

This flag is only consumed in runDaemon but is registered as a global flag. All other daemon-specific feature flags (seccompFlag, selinuxFlag, recordingFlag, memOptimFlag) are registered under the daemon subcommand's flags (lines 185-212). Move it there for consistency.

}

if err := app.Run(os.Args); err != nil {
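Review bot: the Usage string on the new BoolFlag says "disables TLS and authentication", but the secure branch in runDaemon sets FilterProvider to metricsfilters.WithAuthenticationAndAuthorization, so turning the flag on drops authorization as well. Say so in the help text and state the default, for example "serve metrics over plain HTTP without authentication or authorization (default: false)". The startup log message in runDaemon has the same wording gap.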
Expand Down Expand Up @@ -665,20 +671,29 @@ func runDaemon(ctx *cli.Context, info *version.Info) error {
c.NextProtos = []string{"http/1.1"}
}

metricsOptions := metricsserver.Options{
BindAddress: fmt.Sprintf(":%d", bindata.ContainerPort),
ExtraHandlers: map[string]http.Handler{
metrics.HandlerPath: met.Handler(),
},
}

if ctx.Bool(enableInsecureMetricsAccessFlag) {
setupLog.Info("Insecure metrics access allowed (TLS and authentication disabled)")
Member

Follow-up from the previous round: since there's no warning level on setupLog, consider making the message stand out by prefixing it:

Suggested change
setupLog.Info("Insecure metrics access allowed (TLS and authentication disabled)")
setupLog.Info("WARNING: Insecure metrics access enabled, TLS and authentication disabled")


metricsOptions.SecureServing = false
Comment thread
saschagrunert marked this conversation as resolved.
Member

This flag is defined and consumed in runDaemon, but there's no mechanism to propagate it to the spod daemonset. The operator manages the daemonset; users can't set env vars on it directly without the operator overwriting them on the next reconciliation.

The established pattern (see EnableProfiling in api/spod/v1alpha1/spod_types.go:289 and spod_controller.go:773) is:

  1. Add a field to SPODSpec (e.g. EnableInsecureMetricsAccess bool)
  2. Read it in the spod controller and inject ENABLE_INSECURE_METRICS_ACCESS as an env var into the daemon container

Without this integration, the flag is unusable in a standard SPO deployment.

} else {
metricsOptions.SecureServing = true
metricsOptions.CertDir = bindata.MetricsCertPath
metricsOptions.FilterProvider = metricsfilters.WithAuthenticationAndAuthorization
metricsOptions.TLSOpts = []func(*tls.Config){disableHTTP2}
}

ctrlOpts := ctrl.Options{
Cache: cache.Options{SyncPeriod: &sync},
HealthProbeBindAddress: fmt.Sprintf(":%d", config.HealthProbePort),
NewCache: newMemoryOptimizedCache(ctx),
Metrics: metricsserver.Options{
BindAddress: fmt.Sprintf(":%d", bindata.ContainerPort),
CertDir: bindata.MetricsCertPath,
SecureServing: true,
FilterProvider: metricsfilters.WithAuthenticationAndAuthorization,
ExtraHandlers: map[string]http.Handler{
metrics.HandlerPath: met.Handler(),
},
TLSOpts: []func(*tls.Config){disableHTTP2},
},
Metrics: metricsOptions,
}

setControllerOptionsForNamespaces(&ctrlOpts)
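Review bot: in the enableInsecureMetricsAccessFlag branch only SecureServing is changed, so BindAddress stays fmt.Sprintf(":%d", bindata.ContainerPort) and the server, including the metrics.HandlerPath handler registered in ExtraHandlers, answers plain HTTP on every interface with no filter in front of it. If this mode is meant for in-cluster scraping only, the flag documentation should say that access has to be restricted by other means, such as a NetworkPolicy. Moving the construction of metricsOptions into a small helper would also allow a unit test that checks, for both flag values, that CertDir, FilterProvider and TLSOpts are set whenever SecureServing is true, which guards the secure default against regressions.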
4 changes: 4 additions & 0 deletions internal/pkg/config/config.go
Expand Up @@ -94,6 +94,10 @@ const (
// EnableRecordingEnvKey is the environment variable key to enabling profile recording.
EnableRecordingEnvKey = "ENABLE_RECORDING"

// EnableInsecureMetricsAccessEnvKey is the environment variable key for enabling insecure
// metrics access(disables TLS and authentication).
Comment on lines +97 to +98
Member

Missing space before parenthesis.

Suggested change
// EnableInsecureMetricsAccessEnvKey is the environment variable key for enabling insecure
// metrics access(disables TLS and authentication).
// EnableInsecureMetricsAccessEnvKey is the environment variable key for enabling insecure
// metrics access (disables TLS and authentication).

EnableInsecureMetricsAccessEnvKey = "ENABLE_INSECURE_METRICS_ACCESS"

// VerboseLevel is the increased verbosity log level.
VerboseLevel = 1
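Review bot: the comment on EnableInsecureMetricsAccessEnvKey does not say which values enable the mode or what happens when the variable is unset. Since main.go wires this key into a cli.BoolFlag through EnvVars, note here that the value is read as a boolean and that leaving it unset keeps secure serving, meaning TLS plus the authentication and authorization filter.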
