collector: restrict appmetrics endpoint to container ip #3843

Open
1seal wants to merge 1 commit into google:master from 1seal:codex/appmetrics-endpoint-container-local
1seal commented Feb 19, 2026

appmetrics: restrict endpoint url to container-local

this hardens application metrics scraping against workload-controlled config (for example, docker labels io.cadvisor.metric.*) turning cAdvisor into a cross-network fetcher.

change

  • validate endpoint scheme is HTTP/HTTPS
  • if endpoint host is localhost / 127.0.0.1 / ::1, rewrite it to the container ip from the container handler
  • allow explicit container ip destinations; reject any other host
  • add unit tests for allow/deny behavior
  • document the container-local behavior in docs/application_metrics.md

compatibility

this is a behavior change for configs that pointed endpoint at remote hosts. docs/application_metrics.md already describes the config as self-contained within the container; this change makes the implementation match that model.

testing

go test ./collector
go test $(go list ./... | grep -v '^github.com/google/cadvisor/integration')
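
The allow/deny rules listed in the description above, as an added sketch that is not part of this pull request and not cAdvisor's code. The helper name `restrictEndpoint`, the container IP `172.17.0.2` and the sample endpoints are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// restrictEndpoint is a hypothetical helper, not cAdvisor's code. It applies the
// rules from the PR description to a workload-supplied endpoint URL and returns
// the URL to scrape, or an error if the destination is not container-local.
func restrictEndpoint(raw, containerIP string) (string, error) {
	cip := net.ParseIP(containerIP)
	if cip == nil {
		return "", fmt.Errorf("invalid container ip %q", containerIP)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("parse endpoint: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q is not http/https", u.Scheme)
	}
	// Hostname() drops port, brackets and userinfo, so "http://127.0.0.1@10.0.0.5/"
	// is judged on 10.0.0.5. Names are never resolved; only literals are compared.
	host := u.Hostname()
	ip := net.ParseIP(host)
	loopback := host == "localhost" || ip.Equal(net.IPv4(127, 0, 0, 1)) || ip.Equal(net.IPv6loopback)
	if !loopback && !ip.Equal(cip) {
		return "", fmt.Errorf("host %q is not container-local", host)
	}
	// Loopback and explicit container IP both end up pointing at the container IP.
	port := u.Port()
	u.Host = cip.String()
	if cip.To4() == nil {
		u.Host = "[" + u.Host + "]" // IPv6 literals need brackets in a URL
	}
	if port != "" {
		u.Host += ":" + port
	}
	return u.String(), nil
}

func main() {
	// Constructed sample endpoints; 172.17.0.2 is a made-up container IP.
	for _, e := range []string{"http://localhost:8080/metrics", "http://10.0.0.5:9100/metrics", "file:///etc/passwd"} {
		out, err := restrictEndpoint(e, "172.17.0.2")
		fmt.Printf("%-32s -> %q err=%v\n", e, out, err)
	}
}
```

Because the check compares IP literals and never resolves a hostname, a DNS name that happens to point at the container is rejected rather than trusted.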
