Kube-Prometheus-Stack Security Guides

A default kube-prometheus-stack install is optimized for getting monitoring running quickly, not for a locked-down security posture — Grafana ships with a default admin password, and by default there are no network policies restricting which pods can reach the Prometheus or Alertmanager APIs.

This category is reserved for hardening guidance: enforcing Kubernetes RBAC scoped to the monitoring namespace, adding network policies around scrape targets, wiring Grafana to OIDC/OAuth instead of local accounts, and managing Alertmanager webhook secrets safely.

These defaults exist for a reason — broad Prometheus RBAC enables cluster-wide service discovery, and open networking between monitoring components keeps a first install simple — but they are trade-offs, not oversights, and worth revisiting deliberately before a cluster handles anything regulated or customer-facing. This category covers that hardening pass specifically; it does not cover application-level security scanning or image vulnerability management, which fall outside what kube-prometheus-stack itself controls.

Frequently Asked Questions

Does kube-prometheus-stack support RBAC out of the box?

Yes — it creates the ClusterRoles and ClusterRoleBindings Prometheus and kube-state-metrics need automatically; the security work is mostly about scoping and hardening what's already there, not adding RBAC from scratch.

Is Grafana's default login safe to leave in production?

No — change grafana.adminPassword (or better, use grafana.admin.existingSecret) before any real traffic reaches the cluster.