kubernetes-sigs / scheduler-plugins

Repository for out-of-tree scheduler plugins based on scheduler framework.


Fix CVE-2023-47108 in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0

jgu17 opened this issue · comments

commented

Area

  • Scheduler
  • Controller
  • Helm Chart
  • Documents

Other components

No response

What happened?

The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {

out of the box adds labels

  • net.peer.sock.addr
  • net.peer.sock.port

that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.

What did you expect to happen?

Upgrade go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from v0.42.0 to 0.46.0 to fix the vulnerability.

How can we reproduce it (as minimally and precisely as possible)?

In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and not filter client IP addresses and ports via middleware or proxies, etc.

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
# paste output here

Scheduler Plugins version

0.28.9
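The cardinality problem the report describes, modelled as an added example that is not part of this issue or of the otelgrpc library: a minimal Go metrics registry keyed by attribute set, with one recorder that includes the peer socket address and port (the pre-fix behaviour described above) and one that records only the RPC method. The registry, the `rpc.method` attribute and the client addresses are constructed for illustration; only `net.peer.sock.addr` and `net.peer.sock.port` come from the report.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// attrs is one metric attribute set; its key() is the identity of a series.
type attrs map[string]string

func (a attrs) key() string {
	keys := make([]string, 0, len(a))
	for k := range a {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic ordering so equal sets map to one series
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+a[k])
	}
	return strings.Join(parts, ",")
}

// registry holds one counter per distinct attribute set; every new key is
// memory the server keeps for the lifetime of the process (constructed model).
type registry struct{ series map[string]int }

func newRegistry() *registry      { return &registry{series: map[string]int{}} }
func (r *registry) record(a attrs) { r.series[a.key()]++ }
func (r *registry) seriesCount() int { return len(r.series) }

// rpcAttrsWithPeer models the vulnerable behaviour: the peer socket address
// and port are attached, so every distinct client endpoint is a new series.
func rpcAttrsWithPeer(method, peerAddr string, peerPort int) attrs {
	return attrs{"rpc.method": method, "net.peer.sock.addr": peerAddr,
		"net.peer.sock.port": fmt.Sprint(peerPort)}
}

// rpcAttrsBounded keeps only attributes with a small, known value space.
func rpcAttrsBounded(method string) attrs { return attrs{"rpc.method": method} }

// simulate records n requests from n distinct constructed client endpoints
// and returns the series count of each registry.
func simulate(n int) (withPeer, bounded int) {
	vuln, fixed := newRegistry(), newRegistry()
	for i := 0; i < n; i++ {
		addr := fmt.Sprintf("10.0.%d.%d", i/256, i%256) // constructed client address
		vuln.record(rpcAttrsWithPeer("/pkg.Svc/Method", addr, 40000+i))
		fixed.record(rpcAttrsBounded("/pkg.Svc/Method"))
	}
	return vuln.seriesCount(), fixed.seriesCount()
}

func main() {
	v, b := simulate(10000)
	fmt.Printf("series with peer attrs: %d, without: %d\n", v, b)
}
```

The series count on the vulnerable side grows linearly with the number of distinct client endpoints, which is the memory-exhaustion path the report refers to; the bounded side stays at one series per method.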
commented

/assign