CRI-O metrics endpoint exposed on Master Nodes in RHOCP Cluster

Solution Verified - Updated -

Issue

  • The CRI-O metrics endpoint is exposed in cleartext (unencrypted HTTP) on Master Nodes.
  • CRI-O metrics are served on port 9537:
    (bastion-128):(root) 10:04:55 UTC BASTION-1.5.2
    # curl http://master1.ocp4.vlan127.mcp:9537/metrics
    # HELP container_runtime_crio_containers_oom_total Amount of containers killed because they ran out of memory (OOM)
    # TYPE container_runtime_crio_containers_oom_total counter
    container_runtime_crio_containers_oom_total 0
    # HELP container_runtime_crio_image_layer_reuse Reused (not pulled) local image layer count by name
    # TYPE container_runtime_crio_image_layer_reuse counter
    container_runtime_crio_image_layer_reuse{name="container-registry.container-registry.svc/upgrade-operator/platform-upgrade:1.5.2-c599e503@sha256:ee138f32bdac4db3951258e981dab8b06d068b03955f2b5902aa81825294bd20"} 2
  • Clarification is required on whether these metrics are exposed on encrypted endpoints.
  • Can these metrics be modified by a MITM attack? If yes, are there other components in the RHOCP cluster that could act on these metrics?
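
To gauge what any client that can reach port 9537 learns from the cleartext response, the following added example (not part of the original article or of any Red Hat tooling) parses Prometheus text output like the sample above and lists the registries and images named in container_runtime_crio_image_layer_reuse labels. The sample input is constructed, and the function names parse_metrics and disclosed_images are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the curl output above (hosts, images and digest are placeholders).
SAMPLE = '''\
# HELP container_runtime_crio_containers_oom_total Amount of containers killed because they ran out of memory (OOM)
# TYPE container_runtime_crio_containers_oom_total counter
container_runtime_crio_containers_oom_total 0
# HELP container_runtime_crio_image_layer_reuse Reused (not pulled) local image layer count by name
# TYPE container_runtime_crio_image_layer_reuse counter
container_runtime_crio_image_layer_reuse{name="registry.example.internal/team-a/app:1.0.0@sha256:<digest-placeholder>"} 2
container_runtime_crio_image_layer_reuse{name="registry.example.internal/team-b/db:2.3"} 5
'''

# Sample line: metric_name{labels} value [timestamp]; the label set is optional.
SAMPLE_LINE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$')
LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

def parse_metrics(text):
    """Yield (metric, labels dict, float value) for each sample line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blank lines and HELP/TYPE comments
        m = SAMPLE_LINE.match(line)
        if m:
            name, raw, value = m.groups()
            yield name, dict(LABEL.findall(raw or '')), float(value)

def disclosed_images(text):
    """Map registry host -> sorted repo[:tag] values seen in image_layer_reuse labels."""
    out = defaultdict(set)
    for name, labels, _ in parse_metrics(text):
        if name == 'container_runtime_crio_image_layer_reuse' and 'name' in labels:
            ref = labels['name'].split('@', 1)[0]  # drop the @sha256:... digest
            registry, _, repo = ref.partition('/')
            out[registry].add(repo)
    return {reg: sorted(repos) for reg, repos in out.items()}

if __name__ == '__main__':
    for reg, repos in disclosed_images(SAMPLE).items():
        print(reg, repos)
```
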

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.x
