kube-opex-analytics follows Calendar Versioning (YY.MM.MICRO).
| Version | Supported |
|---|---|
| 26.x (latest) | ✅ |
| 25.x | ✅ |
| < 25.x | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Send an email to: [email protected]
Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)
Response timeline:

- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Resolution target: within 30 days (depending on severity)

What to expect:

- We will acknowledge receipt of your report
- We will investigate and validate the issue
- We will work on a fix and coordinate disclosure
- We will credit you in the release notes (unless you prefer anonymity)
kube-opex-analytics requires read-only access to the following Kubernetes resources:

- pods (all namespaces)
- nodes
- namespaces
- Metrics API (metrics.k8s.io)
The provided manifests include a minimal RBAC configuration. Review and adjust according to your security policies.
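As an added illustration of what "minimal, read-only" means in RBAC terms (this is not the project's shipped manifest, which remains the authoritative one), the following grants exactly the resources listed above and nothing else. The ServiceAccount, ClusterRole and namespace names are assumptions:

```yaml
# Added example, not the project's own manifest. Names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-opex-analytics
  namespace: kube-opex-analytics
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-opex-analytics-reader
rules:
# Core resources the collector reads; no write verbs, no secrets/configmaps.
- apiGroups: [""]
  resources: ["pods", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
# Usage figures come from the Metrics API (metrics-server).
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-opex-analytics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-opex-analytics-reader
subjects:
- kind: ServiceAccount
  name: kube-opex-analytics
  namespace: kube-opex-analytics
```

After applying it, confirm the scope from the service account's point of view: `kubectl auth can-i list pods -A --as=system:serviceaccount:kube-opex-analytics:kube-opex-analytics` should answer `yes`, while the same check for `get secrets` must answer `no`. A ClusterRole is needed because pods are read across all namespaces; if your policy forbids cluster-wide bindings, the alternative is one RoleBinding per namespace you want costed.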
The application requires:
- Inbound: HTTP on port 5483 (dashboard and Prometheus metrics)
- Outbound: Kubernetes API server, DCGM Exporter (if GPU metrics enabled)
Consider using NetworkPolicies to restrict traffic in production environments.
- Analytics data is stored locally in RRDtool databases
- No sensitive cluster data (Secret values, ConfigMap contents) is collected
- Only resource usage metrics (CPU, memory, GPU) are processed
```bash
# Use a dedicated namespace
kubectl create namespace kube-opex-analytics

# Apply Pod Security Standards (restricted)
kubectl label namespace kube-opex-analytics \
  pod-security.kubernetes.io/enforce=restricted
```

```yaml
# Use NetworkPolicy to limit ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kube-opex-analytics
  namespace: kube-opex-analytics
spec:
  podSelector:
    matchLabels:
      app: kube-opex-analytics
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring
    ports:
    - port: 5483
```

The policy identifies the scraping namespace by a custom `name` label, so label your monitoring namespace accordingly (or select on `kubernetes.io/metadata.name`, which Kubernetes sets on every namespace automatically). NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them.

- Run with a non-root user (default in our image)
- Use a read-only root filesystem where possible (the `/data` volume below stays writable for the RRDtool databases)
- Drop all container capabilities
- Restrict the container's network access to the kubectl proxy it uses to reach the Kubernetes API

```bash
docker run -d \
  --read-only \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  -v /var/lib/kube-opex-analytics:/data \
  rchakode/kube-opex-analytics
```

- Keep the Docker image updated to the latest version
- Enable TLS/HTTPS via ingress controller or reverse proxy
- Restrict dashboard access using authentication (OAuth2 Proxy, Ingress auth)
- Review RBAC permissions periodically
- Monitor access logs for suspicious activity
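The same controls, expressed for an in-cluster Deployment instead of a plain docker run. This is an added example, not a manifest shipped with the project: the PVC name, the `/tmp` scratch mount and the ServiceAccount name are assumptions, the `/data` path and port 5483 come from this page, and the `app` label matches the NetworkPolicy above. The securityContext fields are the ones the `restricted` Pod Security Standard enforced on the namespace earlier requires; with that label in place, a pod that leaves them unset is rejected at admission.

```yaml
# Added example, not the project's own manifest. Names are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-opex-analytics
  namespace: kube-opex-analytics
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-opex-analytics
  template:
    metadata:
      labels:
        app: kube-opex-analytics   # selected by the NetworkPolicy
    spec:
      serviceAccountName: kube-opex-analytics   # bound to the read-only ClusterRole
      securityContext:
        runAsNonRoot: true          # required by PSS restricted
        seccompProfile:
          type: RuntimeDefault      # required by PSS restricted
      containers:
      - name: kube-opex-analytics
        image: rchakode/kube-opex-analytics   # pin a tag or digest in production
        ports:
        - name: http
          containerPort: 5483
        securityContext:
          allowPrivilegeEscalation: false   # required by PSS restricted
          readOnlyRootFilesystem: true      # same effect as docker --read-only
          capabilities:
            drop: ["ALL"]                   # same effect as docker --cap-drop=ALL
        volumeMounts:
        - name: data
          mountPath: /data                  # RRDtool databases, must stay writable
        - name: tmp
          mountPath: /tmp                   # scratch space for a read-only rootfs (assumed)
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: kube-opex-analytics-data
      - name: tmp
        emptyDir: {}
```

Two checks before rolling this out: `runAsNonRoot: true` is verified by the kubelet against the image's `USER`, and it fails to start the container if that user is a name rather than a numeric UID, in which case add an explicit `runAsUser`; and `readOnlyRootFilesystem` will surface any path the application writes to outside `/data`, which is why the `/tmp` emptyDir is included.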
This project uses automated security scanning:
- Dependabot for Python dependency updates
- Trivy for Docker image vulnerability scanning
- GitHub Security Advisories monitoring
Security updates to dependencies are prioritized and released promptly.
The /metrics endpoint exposes analytics data for Prometheus scraping. This endpoint:
- Does not require authentication by default
- Exposes resource usage metrics (not sensitive data)
- Should be protected via NetworkPolicy or service mesh in production
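One way to put TLS and authentication in front of the dashboard, covering both the "Enable TLS/HTTPS" and "Restrict dashboard access" items above and the unauthenticated `/metrics` endpoint. This is an added example rather than a manifest from the project, and it assumes the ingress-nginx controller; the hostname, the TLS Secret, the basic-auth Secret and the Service name are placeholders:

```yaml
# Added example, not the project's own manifest. Assumes ingress-nginx.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kube-opex-analytics
  namespace: kube-opex-analytics
  annotations:
    # Basic auth: the Secret must hold an htpasswd file under the key "auth"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: koa-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "kube-opex-analytics"
    # Refuse plain HTTP
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - koa.example.com                 # placeholder hostname
    secretName: koa-tls               # kubernetes.io/tls Secret, provisioned separately
  rules:
  - host: koa.example.com
    http:
      paths:
      - path: /                       # covers the dashboard and /metrics alike
        pathType: Prefix
        backend:
          service:
            name: kube-opex-analytics  # assumed Service fronting port 5483
            port:
              number: 5483
```

Create the credential with `htpasswd -c auth <user>` followed by `kubectl create secret generic koa-basic-auth --from-file=auth -n kube-opex-analytics`. For OAuth2 Proxy instead of basic auth, replace the `auth-type`/`auth-secret` annotations with `nginx.ingress.kubernetes.io/auth-url` and `auth-signin` pointing at your oauth2-proxy deployment. Note that authentication is enforced only at the ingress: Prometheus should scrape the Service directly from inside the cluster, where the NetworkPolicy above limits access to the monitoring namespace, and the Service itself must not be exposed by any other route.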
Official images are published to Docker Hub (rchakode/kube-opex-analytics):
- Built from minimal base images
- Scanned for vulnerabilities before release
- Signed (when supported by registry)
- No secrets or credentials embedded