Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not expose additional ports #331
Do not expose additional ports #331
Changes from all commits
9a59b28
e19e62c
1964dc1
bc97d0d
4e50926
3e27bf0
ffa33aa
bd41585
48ae1b4
52acfcf
12299f7
e010fba
4320184
fdadd99
e816d9f
a43f7d6
e2ee212
33b03d4
0971638
57c8d64
43bb365
515aa62
d4ee23f
892116d
f15c5d5
f1b6894
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a note that
node-exporter
bind on host networking so its port is also exposed.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did not add the prometheus stack to the proxy initially so it is not exposed to the internet. Only someone over VPN can access it because prometheus and alertmanager do not have any authentication. So I would rather this stays as-is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#222 explains the issue better but: we don't want to have to rely on firewall rules to be set properly in order to ensure the security of this endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh you're adding permissions here, interesting, let's see how this would work.