fix: move pprof endpoints to telemetry server and protect with auth filter

Author: bhope

pkg/app/server.go

@@ -466,6 +466,14 @@ func buildTelemetryServer(registry prometheus.Gatherer, authFilter bool, kubeCon
 	// Add metricsPath
 	metricsHandler := promhttp.HandlerFor(registry, promhttp.HandlerOpts{ErrorLog: sLogger})
 
+	pprofHandlers := map[string]http.Handler{
+		"/debug/pprof/":        http.HandlerFunc(pprof.Index),
+		"/debug/pprof/cmdline": http.HandlerFunc(pprof.Cmdline),
+		"/debug/pprof/profile": http.HandlerFunc(pprof.Profile),
+		"/debug/pprof/symbol":  http.HandlerFunc(pprof.Symbol),
+		"/debug/pprof/trace":   http.HandlerFunc(pprof.Trace),
+	}
+
 	// Add Authentication/Authorization via Kubernetes API
 	if authFilter {
 		client, err := rest.HTTPClientFor(kubeConfig)
@@ -482,9 +490,23 @@ func buildTelemetryServer(registry prometheus.Gatherer, authFilter bool, kubeCon
 		if err != nil {
 			klog.ErrorS(err, "failed to apply metrics filter")
 		}
+
+		for path, h := range pprofHandlers {
+			protected, err := metricsFilter(klog.Background(), h)
+			if err != nil {
+				klog.ErrorS(err, "failed to apply auth filter to pprof handler", "path", path)
+				delete(pprofHandlers, path)
+				continue
+			}
+			pprofHandlers[path] = protected
+		}
 	}
 	mux.Handle(metricsPath, metricsHandler)
 
+	for path, h := range pprofHandlers {
+		mux.Handle(path, h)
+	}
+
 	// Add readyzPath
 	mux.Handle(readyzPath, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		count, err := util.GatherAndCount(registry)
@@ -537,13 +559,6 @@ func handleClusterDelegationForProber(client kubernetes.Interface, probeType str
 func buildMetricsServer(m *metricshandler.MetricsHandler, durationObserver prometheus.ObserverVec, client kubernetes.Interface, authFilter bool, kubeConfig *rest.Config) *http.ServeMux {
 	mux := http.NewServeMux()
 
-	// TODO: This doesn't belong into serveMetrics
-	mux.Handle("/debug/pprof/", http.HandlerFunc(pprof.Index))
-	mux.Handle("/debug/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
-	mux.Handle("/debug/pprof/profile", http.HandlerFunc(pprof.Profile))
-	mux.Handle("/debug/pprof/symbol", http.HandlerFunc(pprof.Symbol))
-	mux.Handle("/debug/pprof/trace", http.HandlerFunc(pprof.Trace))
-
 	// Add metricsPath
 	metricsHandler := promhttp.InstrumentHandlerDuration(durationObserver, m)
 

pkg/app/server_test.go

@@ -22,6 +22,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"net/http"
 	"net/http/httptest"
 	"os"
 	"path/filepath"
@@ -444,6 +445,46 @@ kube_state_metrics_total_shards 1
 	}
 }
 
+func TestPprofRouting(t *testing.T) {
+	t.Parallel()
+
+	pprofPaths := []string{
+		"/debug/pprof/",
+		"/debug/pprof/cmdline",
+		"/debug/pprof/profile",
+		"/debug/pprof/symbol",
+		"/debug/pprof/trace",
+	}
+
+	reg := prometheus.NewRegistry()
+	telemetryMux := buildTelemetryServer(reg, false, nil)
+	for _, path := range pprofPaths {
+		req := httptest.NewRequest("GET", "http://localhost:8081"+path, nil)
+		w := httptest.NewRecorder()
+		telemetryMux.ServeHTTP(w, req)
+		if w.Result().StatusCode == http.StatusNotFound {
+			t.Errorf("expected pprof path %s to be registered on telemetry server, got 404", path)
+		}
+	}
+
+	opts := options.NewOptions()
+	metricsMux := buildMetricsServer(
+		metricshandler.New(opts, fake.NewSimpleClientset(), nil, false),
+		prometheus.NewHistogramVec(prometheus.HistogramOpts{Name: "test_duration_seconds"}, []string{"method"}),
+		fake.NewSimpleClientset(),
+		false,
+		nil,
+	)
+	for _, path := range pprofPaths {
+		req := httptest.NewRequest("GET", "http://localhost:8080"+path, nil)
+		w := httptest.NewRecorder()
+		metricsMux.ServeHTTP(w, req)
+		if w.Result().StatusCode != http.StatusNotFound {
+			t.Errorf("expected pprof path %s to return 404 on metrics server, got %d", path, w.Result().StatusCode)
+		}
+	}
+}
+
 // TestShardingEquivalenceScrapeCycle is a simple smoke test covering the entire cycle from
 // cache filling to scraping comparing a sharded with an unsharded setup.
 func TestShardingEquivalenceScrapeCycle(t *testing.T) {