feat: Explicitly disable profiling for CP components #1109

Merged: jimmidyson merged 1 commit into main from jimmi/cis-benchmarks-disable-profiling on May 1, 2025

Conversation

@jimmidyson (Member) commented Apr 24, 2025

As per CIS benchmarks 1.2.15, 1.3.2 and 1.4.1.

Requires #1111.

@Copilot Copilot AI left a comment

Pull Request Overview

This PR explicitly disables profiling for control plane components to comply with CIS benchmarks.

  • Added a YAML patch file for KubeadmControlPlaneTemplate to disable profiling.
  • Updated Cluster Class YAML files for Nutanix, Docker, and AWS to include profiling disabled in apiServer, controllerManager, and scheduler configurations.

Reviewed Changes

Copilot reviewed 5 out of 8 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml | Introduces a patch with disabled profiling settings for CP components. |
| charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml | Adds profiling configuration for CP components in the Nutanix cluster class. |
| charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class-old.yaml | (No changes related to profiling were introduced, but exists for legacy purposes.) |
| charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml | Adds profiling disabling for Docker provisioned CP components. |
| charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml | Adds profiling disabling for AWS provisioned CP components. |
Files not reviewed (3)
  • hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl: Language not supported
  • hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl: Language not supported
  • hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl: Language not supported
Comments suppressed due to low confidence (1)

`hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml:7`

  • [nitpick] The metadata name 'not-used' is ambiguous and may lead to confusion. Consider renaming it to a more descriptive value, such as 'disable-profiling-template'.

```yaml
  name: not-used
```
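The three CIS controls the PR cites all reduce to one check per control-plane component: the kubeadm `ClusterConfiguration` must carry `--profiling=false` for `apiServer`, `controllerManager` and `scheduler`. The following audit helper is an added example, not code from this project or from the PR's diff (which is not shown on this page). It represents the `clusterConfiguration` block of a `KubeadmControlPlaneTemplate` as plain Python dicts so it runs without a YAML library, and it handles both the map form of `extraArgs` (kubeadm v1beta3) and the list-of-`{name, value}` form (v1beta4), which goes beyond the single shape the PR touches. The sample configuration, the function names and the assumption that the patch's end state is `profiling: "false"` on every component are all constructed for this illustration.

```python
"""Audit and hardening helper for the kubeadm ClusterConfiguration block of a
KubeadmControlPlaneTemplate, covering CIS 1.2.15 (kube-apiserver), 1.3.2
(kube-controller-manager) and 1.4.1 (kube-scheduler): --profiling must be
"false". Constructed example; not code from the project in this PR."""
import copy
from typing import Any, Dict, Optional

# CIS control id -> kubeadm ClusterConfiguration component that carries the flag
CIS_PROFILING_CONTROLS = {
    "1.2.15": "apiServer",
    "1.3.2": "controllerManager",
    "1.4.1": "scheduler",
}

# Constructed sample mirroring spec.template.spec.kubeadmConfigSpec.clusterConfiguration
# of a KubeadmControlPlaneTemplate in its weak state: no component disables profiling.
WEAK_CLUSTER_CONFIGURATION: Dict[str, Any] = {
    "apiServer": {"extraArgs": {"audit-log-path": "/var/log/audit/kube-apiserver.log"}},
    "controllerManager": {},
    # kubeadm v1beta4 stores extraArgs as a list of {name, value} entries
    "scheduler": {"extraArgs": [{"name": "profiling", "value": "true"}]},
}


def get_extra_arg(component: Dict[str, Any], name: str) -> Optional[str]:
    """Return a kubeadm extraArg value as a string, handling both the v1beta3
    map form and the v1beta4 list form; None when the flag is not set."""
    args = component.get("extraArgs")
    if isinstance(args, dict):
        value = args.get(name)
        return None if value is None else str(value)
    if isinstance(args, list):
        for entry in args:
            if entry.get("name") == name:
                return str(entry.get("value"))
    return None


def profiling_findings(cluster_configuration: Dict[str, Any]) -> Dict[str, str]:
    """Map each failing CIS control to a one-line finding. A control passes only
    when the component sets --profiling=false explicitly: the flag defaults to
    true in all three binaries, so an absent flag is a failure, not a pass."""
    findings: Dict[str, str] = {}
    for control, component_name in CIS_PROFILING_CONTROLS.items():
        component = cluster_configuration.get(component_name) or {}
        value = get_extra_arg(component, "profiling")
        if value is None:
            findings[control] = f"{component_name}: --profiling not set (binary default is true)"
        elif value.lower() != "false":
            findings[control] = f"{component_name}: --profiling={value}"
    return findings


def disable_profiling(cluster_configuration: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with --profiling=false on every control-plane component,
    preserving whichever extraArgs shape each component already uses. This is
    the assumed end state of the PR's patch; the input is left unmodified."""
    hardened = copy.deepcopy(cluster_configuration)
    for component_name in CIS_PROFILING_CONTROLS.values():
        component = hardened.setdefault(component_name, {})
        args = component.get("extraArgs")
        if isinstance(args, list):
            entries = [e for e in args if e.get("name") != "profiling"]
            entries.append({"name": "profiling", "value": "false"})
            component["extraArgs"] = entries
        else:
            args = dict(args or {})
            args["profiling"] = "false"  # kubeadm extraArgs map values are strings
            component["extraArgs"] = args
    return hardened


if __name__ == "__main__":
    for control, text in sorted(profiling_findings(WEAK_CLUSTER_CONFIGURATION).items()):
        print(f"FAIL CIS {control}: {text}")
    hardened = disable_profiling(WEAK_CLUSTER_CONFIGURATION)
    print("after patch:", profiling_findings(hardened) or "all profiling controls pass")
```

Run against the weak sample, the audit reports all three controls as failing (two for an absent flag, one for an explicit `true`), and reports nothing after `disable_profiling` has been applied. Treating an absent flag as a failure is the important design choice: a template that simply omits `profiling` is exactly the state the PR is correcting, so an audit that only flags `profiling: "true"` would miss it.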

@jimmidyson jimmidyson force-pushed the jimmi/cis-benchmarks-disable-profiling branch from c636912 to 389fd17 on April 24, 2025 15:25
@jimmidyson jimmidyson force-pushed the jimmi/cis-benchmarks-disable-profiling branch from 389fd17 to 584d563 on April 24, 2025 17:18
@dlipovetsky (Contributor) commented Apr 25, 2025

I'm not convinced by this change. The CIS 1.2.15 benchmark says "Disable profiling, if not needed." So, is this really required, or just recommended?

I also question the benchmark, for two reasons:

First, the profiling endpoints are "non-resource URLs," and access is protected by RBAC. Only the cluster-admin ClusterRole has access to this endpoint by default.

Second, by the time you need profiling, it's too late to enable it (shout out to https://eng.d2iq.com/blog/profiling-kubernetes-controllers-with-pprof/).

A https://raesene.github.io/blog/2024/06/18/Taking-A-Look-At-Kubernetes-Profiling/ on this very topic. My reading of it is that there might be a risk, but there is no evidence of one. Oddly, the blog concludes, without justification, that "in production clusters [profiling] shouldn’t be enabled."

@jimmidyson (Member, Author)

The wording from the CIS benchmark is actually "Ensure that the --profiling argument is set to false (Scored)", which means it is required.

@dlipovetsky (Contributor)

> The wording from the CIS benchmark is actually "Ensure that the --profiling argument is set to false (Scored)", which means it is required.

Ok. I think it's misguided, but I'll take that up with CIS 😎

@jimmidyson jimmidyson enabled auto-merge (squash) May 1, 2025 15:40
@jimmidyson jimmidyson merged commit 733f3a6 into main May 1, 2025
24 checks passed
@jimmidyson jimmidyson deleted the jimmi/cis-benchmarks-disable-profiling branch May 1, 2025 15:43