DOS warning about binding to 0.0.0.0 does not apply to serverless environments #9753
Labels
Comments
mx-psi
added
area:documentation
area:receiver
and removed
bug
|
/cc |
|
@mx-psi It doesn't look like setting the feature gate currently removes the warning when using 0.0.0.0. Do you know when you plan to implement that? |
richard-bain
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Same issue as #7488 and #6938 but for serverless environments. We heavily utilise Google Cloud Run for our Collectors and the google docs explicitly require you to listen on 0.0.0.0.
Previously it was asked if a flag can be set to disable this warning and there were reasonable objections due to the ability to set a specific port on bare-metal and k8s environments, however this is not possible in Cloud Run.
Steps to reproduce
When the collector binds ports to 0.0.0.0, it displays warnings that inform the user that 0.0.0.0 is open to any network interface and may be a problem for DoS attacks.
What did you expect to see?
No warning for use cases where this is required and unavoidable.
What did you see instead?
{ "kind": "receiver", "msg": "Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks", "level": "warn", "ts": 1710310970.3374474, "collector": "some-collector", "caller": "internal@v0.93.0/warning.go:40", "name": "otlp", "data_type": "metrics", "documentation": "https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks" }What version did you use?
v0.93.0
What config did you use?
N/A
Environment
Google Cloud Run
Additional context
The text was updated successfully, but these errors were encountered: