Description
Describe the bug
I believe I discovered a behavior that is in violation of the Linux Foundation & CNCF policy against opt-out telemetry: https://www.linuxfoundation.org/legal/telemetry-data-policy
I don't know much about emissary, but noticed in our security logs that diagd sends telemetry to metriton.datawire.io by default:
2025/03/24 13:55:40 INFO > 2025-03-24 17:55:30 diagd 3.9.2-0.20231120153116-6e2ca35c11d1-dirty.1742084875 [P256TMainThread] DEBUG: Starting new HTTPS connection (1): metriton.datawire.io:443
2025/03/24 13:55:40 INFO > 2025-03-24 17:55:30 diagd 3.9.2-0.20231120153116-6e2ca35c11d1-dirty.1742084875 [P256TMainThread] DEBUG: https://metriton.datawire.io:443 "POST /scout HTTP/1.1" 200 68
2025/03/24 13:55:40 INFO > 2025-03-24 17:55:30 diagd 3.9.2-0.20231120153116-6e2ca35c11d1-dirty.1742084875 [P256TMainThread] INFO: Ambassador 3.9.2-0.20231120153116-6e2ca35c11d1-dirty.1742084875 booted
This set off alarm bells because entrypoints don't normally contact the Internet.
I believe it is being triggered by emissary/python/ambassador_diag/diagd.py (line 2253 in 5d1dea8) and is configured using emissary/python/ambassador/scout.py (line 21 in 5d1dea8).
It seems like this can be turned off by setting SCOUT_DISABLE: emissary/python/ambassador/scout.py (line 189 in 5d1dea8).
To Reproduce
Not sure, but this was the command-line I saw that triggered the event:
/usr/bin/python3.13 /usr/bin/diagd /ambassador/snapshots /ambassador/bootstrap-ads.json /ambassador/envoy/envoy.json --notices /ambassador/notices.json --port 8004 --kick kill -HUP 252
Versions (please complete the following information):
- Ambassador: 3.9.2
- Kubernetes environment: KWOK
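
An added example, not part of the original report or of the Emissary code base: a log check that flags outbound HTTP(S) connections like the one quoted above, keyed on the DEBUG line format shown in the report. The sample lines, the allowlist and the function name are assumptions made for illustration.

```python
import re

# HTTP client DEBUG line shapes, taken from the diagd output quoted in the report.
CONNECT = re.compile(
    r"(?P<proc>\S+) \S+ \[[^\]]+\] DEBUG: Starting new HTTPS? connection "
    r"\(\d+\): (?P<host>[^:\s]+):(?P<port>\d+)")
REQUEST = re.compile(
    r"(?P<proc>\S+) \S+ \[[^\]]+\] DEBUG: https?://(?P<host>[^:/\s]+):(?P<port>\d+) "
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample, modelled on the report's log lines (version string shortened).
SAMPLE_LOG = """\
2025/03/24 13:55:40 INFO > 2025-03-24 17:55:30 diagd 3.9.2-example [P256TMainThread] DEBUG: Starting new HTTPS connection (1): metriton.datawire.io:443
2025/03/24 13:55:40 INFO > 2025-03-24 17:55:30 diagd 3.9.2-example [P256TMainThread] DEBUG: https://metriton.datawire.io:443 "POST /scout HTTP/1.1" 200 68
2025/03/24 13:55:40 INFO > 2025-03-24 17:55:30 diagd 3.9.2-example [P256TMainThread] INFO: Ambassador 3.9.2-example booted
2025/03/24 13:55:41 INFO > 2025-03-24 17:55:31 diagd 3.9.2-example [P256TMainThread] DEBUG: Starting new HTTP connection (1): kubernetes.default.svc:80
"""

# Hypothetical egress allowlist; replace with the destinations your policy permits.
ALLOWED_HOSTS = {"kubernetes.default.svc"}


def egress_findings(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per (process, host, port) that is not allowlisted."""
    findings = {}
    for line in log_text.splitlines():
        conn, req = CONNECT.search(line), REQUEST.search(line)
        match = conn or req
        if not match or match["host"].lower() in allowed_hosts:
            continue
        key = (match["proc"], match["host"].lower(), int(match["port"]))
        entry = findings.setdefault(key, {"connections": 0, "requests": []})
        if conn:
            entry["connections"] += 1
        else:
            entry["requests"].append(
                (req["method"], req["path"], int(req["status"])))
    return findings


if __name__ == "__main__":
    for (proc, host, port), seen in egress_findings(SAMPLE_LOG).items():
        print(f"{proc} -> {host}:{port} connections={seen['connections']} "
              f"requests={seen['requests']}")
```

These lines only appear when the process logs at DEBUG level, so the check complements network-level egress monitoring and does not replace it.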