Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add firewall support to http based alertmanager receiver integrations #4085

Merged
merged 6 commits into from
Apr 23, 2021
Merged

Add firewall support to http based alertmanager receiver integrations #4085

merged 6 commits into from
Apr 23, 2021

Conversation

pracucci
Copy link
Contributor

@pracucci pracucci commented Apr 16, 2021
edited
Loading

What this PR does:
In this PR I'm proposing a solution to introduce a sort a firewall for HTTP-based alertmanager receiver integrations to block private/local addresses and a set of configurable CIDRs.

This PR doesn't address the email receiver (would be a follow up work).

Which issue(s) this PR fixes:
Fixes #2036

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

@pracucci pracucci marked this pull request as draft April 16, 2021 08:25
@pstibrany
Copy link
Contributor

pstibrany commented Apr 16, 2021
edited
Loading

LGTM.

I think we should also provide a way to configure global HTTP proxy with authentication, that would be injected into all user-configured receivers, as mentioned in #2036, but that is for a separate PR.

@bboreham bboreham changed the title Add firewal support to http based alertmanager receiver integrations Add firewall support to http based alertmanager receiver integrations Apr 16, 2021
simonswine
simonswine reviewed Apr 16, 2021
View reviewed changes
Copy link
Contributor

@simonswine simonswine left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. A few comments inline

@pracucci pracucci mentioned this pull request Apr 19, 2021
Closed
@pracucci pracucci force-pushed the add-firewal-support-to-http-based-alertmanager-receiver-integrations branch from 1de0471 to e6c74da Compare April 19, 2021 14:04
simonswine
simonswine reviewed Apr 21, 2021
View reviewed changes
pkg/alertmanager/firewall.go Outdated
}

type FirewallHostsSpec struct {
CIDRs flagext.CIDRSliceCSV `yaml:"cidrs"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CIDRNetworks / CIDRRanges might be a better name

simonswine
simonswine reviewed Apr 21, 2021
View reviewed changes
pkg/alertmanager/firewall.go Outdated

type FirewallHostsSpec struct {
CIDRs flagext.CIDRSliceCSV `yaml:"cidrs"`
Private bool `yaml:"private_addresses"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason why we don't use PrivateAddresses in the golang struct?

@pracucci pracucci mentioned this pull request Apr 22, 2021
Merged
3 tasks
@pracucci pracucci force-pushed the add-firewal-support-to-http-based-alertmanager-receiver-integrations branch from a5f2d3a to d1f64ac Compare April 23, 2021 13:09
pracucci added 3 commits April 23, 2021 15:18
@pracucci
Updated doc
cf5623b 
Signed-off-by: Marco Pracucci <[email protected]>
@pracucci
Fixed doc
bd30f07 
Signed-off-by: Marco Pracucci <[email protected]>
@pracucci
Improved doc
a87181b 
Signed-off-by: Marco Pracucci <[email protected]>
@pracucci pracucci marked this pull request as ready for review April 23, 2021 13:26
@pracucci pracucci requested a review from pstibrany April 23, 2021 13:26
pstibrany
pstibrany approved these changes Apr 23, 2021
View reviewed changes
Copy link
Contributor

@pstibrany pstibrany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall. I think it would be useful to explicitly enumerate IP networks that are blocked by -alertmanager.receivers-firewall.block.private-addresses, because it may not be obvious from the description and without reading the code. User needs this information to know whether to add extra IP ranges or not.

@pracucci
Improved config description
2d6d51a 
Signed-off-by: Marco Pracucci <[email protected]>
@pracucci
Copy link
Contributor Author

LGTM overall. I think it would be useful to explicitly enumerate IP networks that are blocked by -alertmanager.receivers-firewall.block.private-addresses, because it may not be obvious from the description and without reading the code. User needs this information to know whether to add extra IP ranges or not.

Makes sense to me. I think enumerating all address ranges would be quite difficult (there's IPv6 too), so I've picked the path to mention the RFCs and which classes are blocked.

@pstibrany
Copy link
Contributor

Thanks for updating the description.

@pracucci pracucci merged commit f0d126c into cortexproject:master Apr 23, 2021
@pracucci pracucci mentioned this pull request Apr 29, 2021
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simonswine simonswine simonswine left review comments

@pstibrany pstibrany pstibrany approved these changes

Assignees
No one assigned
Labels
size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Configs Alertmanager webhooks urls can be abused
3 participants
@pracucci @pstibrany @simonswine