
OTEL-060: zpages endpoint bound to 0.0.0.0

Severity: warn (advisory)

Rule Details

zpages serves the Collector's live debugging pages: servicez, pipelinez and extensionz describe the running build and the configured pipelines, receivers, processors, exporters and extensions, and tracez shows recently sampled spans (including slow and errored ones) with their details. Binding the endpoint to 0.0.0.0 makes all of that reachable from any host that can reach the Collector's network, which hands an attacker a quick recon surface and can leak whatever the sampled spans carry. Bind it to localhost and tunnel to it (kubectl port-forward, SSH) when you actually need it. Set the endpoint explicitly rather than relying on the default: recent Collector releases default to localhost, but older releases defaulted to 0.0.0.0.

This rule fires when a zpages extension has an endpoint containing 0.0.0.0. The match is a plain substring test, so an endpoint with an empty host such as ":55679", or the IPv6 any-address "[::]:55679", also listens on every interface but is not flagged by this rule; review those by hand.

Options

This rule has no options.

Examples

Avoid
extensions:
  zpages:
    endpoint: "0.0.0.0:55679"
Prefer
extensions:
  zpages:
    endpoint: "localhost:55679"
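The check this rule performs, written out as an added example in portable shell and awk (this is not augur's own implementation). It deliberately goes beyond the rule's literal 0.0.0.0 substring match and also flags an empty host (":55679") and the IPv6 any-address ("::" or "[::]"), which make the Collector listen on every interface too. It assumes the block-style, two-space-indented YAML layout shown above; an inline `zpages: {endpoint: ...}` mapping is not parsed. The two configs it scans are constructed sample data, not a real deployment.

```shell
#!/bin/sh
# Added example, not augur's code: an OTEL-060-style check for a zpages
# extension bound to every interface, extended to ":port" and "[::]".
# Assumes the standard two-space block-style YAML used in the Collector docs.

# zpages_endpoint FILE
# Prints the value of extensions.zpages.endpoint, or nothing if it is unset.
zpages_endpoint() {
  awk '
    /^extensions:/         { in_ext = 1; next }      # top-level extensions: block
    /^[^ #]/               { in_ext = 0; in_zp = 0 } # any other top-level key ends it
    in_ext && /^  zpages:/ { in_zp = 1; next }       # the zpages extension entry
    in_ext && /^  [^ ]/    { in_zp = 0 }             # a sibling extension ends it
    in_zp && /^    endpoint:/ {
      sub(/^    endpoint:[ \t]*/, "")                # keep only the value
      gsub(/["'\'']/, "")                            # drop surrounding quotes
      print; exit
    }
  ' "$1"
}

# binds_all_interfaces ENDPOINT
# Succeeds when the host part of host:port means "every interface".
binds_all_interfaces() {
  host=${1%:*}                                # strip the trailing :port
  case "$host" in
    ""|"0.0.0.0"|"::"|"[::]") return 0 ;;     # empty host, IPv4 any, IPv6 any
    *)                        return 1 ;;
  esac
}

# check_zpages FILE
# Prints a verdict; exit status 1 means the rule would fire.
check_zpages() {
  ep=$(zpages_endpoint "$1")
  if [ -z "$ep" ]; then
    echo "$1: zpages endpoint not set (default depends on Collector version; set it explicitly)"
    return 0
  fi
  if binds_all_interfaces "$ep"; then
    echo "$1: OTEL-060 zpages endpoint \"$ep\" is reachable on every interface"
    return 1
  fi
  echo "$1: zpages endpoint \"$ep\" is bound to a specific address"
  return 0
}

# write_sample ENDPOINT FILE
# Writes a constructed Collector config (sample data, not a real deployment).
write_sample() {
  cat > "$2" <<EOF
extensions:
  zpages:
    endpoint: "$1"
  health_check:
    endpoint: "localhost:13133"
service:
  extensions: [zpages, health_check]
EOF
}

# Demo on the two configs from the Avoid / Prefer examples.
tmp=$(mktemp -d)
write_sample "0.0.0.0:55679"   "$tmp/avoid.yaml"
write_sample "localhost:55679" "$tmp/prefer.yaml"
check_zpages "$tmp/avoid.yaml" || true      # prints the OTEL-060 finding
check_zpages "$tmp/prefer.yaml"
rm -rf "$tmp"
```

Once the endpoint is on localhost, reach it through a tunnel instead of a network bind, for example `kubectl port-forward deploy/<collector> 55679:55679` or `ssh -L 55679:localhost:55679 <collector-host>` (the deployment and host names are placeholders), then open http://localhost:55679/debug/servicez.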

When Not To Use It

Never — there is no legitimate reason to expose zpages on every interface.

Related Rules

  • OTEL-010 — receivers should not bind to 0.0.0.0
  • OTEL-059 — pprof extension enabled in production
  • OTEL-070 — telemetry metrics address bound to 0.0.0.0

Version

Available since augur v0.1.0.
