✨ Enable pprof to allow memory profiling #1855
Conversation
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
| args: | ||
| - --leader-elect | ||
| - --metrics-bind-address=:7443 | ||
| - --pprof-bind-address=:6060 |
There was a problem hiding this comment.
This feature is handy for testing and debugging, but I’m wondering if it should be enabled by default. I have concerns about performance impact and security risks. That’s why we added a warning in Kubebuilder’s docs.
I think it's fine to enable pprof in production when needed, do the profiling, and then disable it. My concern is leaving it enabled indefinitely. That seems to be the general approach others take as well (enable/disable), see: Google Groups discussion.
- Amazon CodeGuru warns about exposed
pprofendpoints: https://docs.aws.amazon.com/codeguru/detector-library/go/pprof-endpoint/ - Potential data leaks: https://beaglesecurity.com/blog/vulnerability/jira-exposed-pprof.html and https://www.aquasec.com/blog/300000-prometheus-servers-and-exporters-exposed-to-dos-attacks/
Also, I found this issue: golang/go#65208
There was a problem hiding this comment.
But let's also see what the other thinks @tmshort @joelanford, what are your thoughts?
Are you OK with?
There was a problem hiding this comment.
That's super helpful information @camilamacedo86. We'd already discussed this on slack and I decided to close the PR, but this detailed information is really helpful, so thank you!
|
TIL it's not best practice to have pprof enabled indefinitely. |
2 participants
Description
Reviewer Checklist