refactor: [#246] organize manual testing documentation
- Move manual-grafana-testing-results.md to docs/e2e-testing/manual/ directory
- Rename to grafana-testing-results.md for consistency
- Organize manual E2E testing documentation in dedicated directory
docs/e2e-testing/manual/grafana-testing-results.md (27 additions & 0 deletions)
@@ -189,6 +189,33 @@ The complete deployment workflow works correctly:
189
189
3. ✅ **Step-level conditionals** - Grafana firewall step only runs when Grafana is enabled
190
190
4. ✅ **Enabled-by-default pattern** - Grafana included in default templates (can be removed)
191
191
192
+
### Security Issue Discovered & Fixed
193
+
194
+
**Issue**: During manual testing, Prometheus was discovered to be accessible at `http://10.140.190.35:9090` despite UFW firewall being configured with default deny incoming policy.
195
+
196
+
**Root Cause**: Docker bypasses UFW firewall rules when publishing ports with `0.0.0.0:9090:9090` binding. Docker manipulates iptables directly, taking precedence over UFW rules.
197
+
198
+
**Fix Applied** (commit 8323def):
199
+
200
+
-**Removed** Prometheus port mapping (`ports: - "9090:9090"`) from docker-compose template
201
+
- Prometheus is now truly internal-only (not accessible from external network)
202
+
- Grafana continues to access Prometheus via Docker internal network (`http://prometheus:9090`)
203
+
- Updated tests to verify port is NOT exposed (security expectation)
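Review bot: the "Root Cause" paragraph states that Docker publishes ports by writing iptables rules directly and so bypasses UFW, but the unchanged context at the top of the hunk still presents the "Grafana firewall step" (a UFW rule) as the control for Grafana; if Grafana is also published with a `0.0.0.0` binding, the same bypass applies to it, so the document should either say how Grafana's published port is actually restricted (an interface-specific bind such as `127.0.0.1:PORT:PORT`, or a rule in the `DOCKER-USER` chain, which Docker does honour) or note that the UFW step does not constrain Docker-published ports. Second, the "Fix Applied" list says Grafana still reaches Prometheus via `http://prometheus:9090` and that tests now verify the port is not exposed; it would be worth stating whether a test also covers the positive case (Grafana can still query Prometheus on the internal network), since removing the `ports:` mapping is exactly the kind of change that can silently break that path. Minor: `-**Removed** Prometheus port mapping` is missing the space after the list marker, so it will not render as a bullet like the three items below it.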