[kube-prometheus-stack] Security: reloaderWebPort 8080 hardcoded in service.yaml creates unwanted SG exposure #6364

@sreechok

Description

Issue

The prometheus/templates/service.yaml always renders reloader-web:8080 port regardless of ports or additionalPorts overrides:

    - name: reloader-web
      port: {{ .Values.prometheus.service.reloaderWebPort }} # Defaults 8080
      targetPort: reloader-web

Impact: EKS LoadBalancer → AWS NLB SG opens ports 8080+9090 publicly → Rapid7 "Resource Access List Exposes Critical Ports to the Public"

Expected behavior

  • Allow disabling/removing reloader-web port entirely via values.yaml
  • OR make reloaderWebPort conditional (skip if set to null/0)
  • OR add reloader.enabled: false flag

Workarounds required (hacky):

  1. reloaderWebPort: 9090 → duplicate port definitions + nodePort conflicts
  2. Disable config-reloader sidecar entirely
  3. Manual Service edits (reverted by Helm)

Affected versions

  • kube-prometheus-stack 0.77.5 (and likely all versions)
  • Any type: LoadBalancer deployment on cloud providers

Security context

  • Unnecessary 8080 exposure for Prometheus HTTP metrics endpoint only
  • No functional impact from removing reloader-web port
  • Affects compliance scans (Rapid7 InsightVM)

What's your helm version?

version.BuildInfo{Version:"v3.17.2", GitCommit:"cc0bbbd6d6276b83880042c1ecb34087e84d41eb", GitTreeState:"clean", GoVersion:"go1.24.1"}

What's your kubectl version?

v1.32.3

Which chart?

kube-prometheus-stack

What's the chart version?

77.5.0

What happened?

Tried workarounds but get this error:
│ Upgrade failed: failed to create resource: Service "kube-prometheus-stack-prometheus" is invalid: [spec.ports[1].nodePort: Duplicate value: 32137, spec.ports[1]: Duplicate value: core.ServicePort{Name:"",
│ Protocol:"TCP", AppProtocol:(*string)(nil), Port:9090, TargetPort:intstr.IntOrString{Type:0, IntVal:0, StrVal:""}, NodePort:0}]

What you expected to happen?

Please provide a way to either override from the values.yaml file, or use a different port.

How to reproduce it?

You can deploy the kube-prometheus-stack chart version 77.5.0 with prometheus.service.type: LoadBalancer on an EKS cluster; it will then create a Security Group that has ingress ports 8080 and 9090.

Enter the changed values of values.yaml?

prometheus:
  prometheusSpec:
    hostNetwork: true
    nodeSelector: # to place prometheus pods on with these labels set on the nodes.
      monitoring: timeseries-data
    tolerations: # you don't want other pods to land on this monitoring node group
      - key: "dedicated"
        operator: "Equal"
        value: "monitoring"
        effect: "NoSchedule"
    storageSpec:
      volumeClaimTemplate:
        spec:
          storageClassName: gp3-csi
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 100Gi
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"

    # tried these as workaround but get duplicate nodePort error
    portName: "http-web"      # .Values.prometheus.service.portName
    port: 9090                # .Values.prometheus.service.port
    targetPort: 9090          # .Values.prometheus.service.targetPort
    nodePort: 32051           # .Values.prometheus.service.nodePort
    reloaderWebPort: 9090     # .Values.prometheus.service.reloaderWebPort

Enter the command that you execute and failing/misfunctioning.

This was deployed using terraform helm_release;
terraform version: v1.12.2

Anything else we need to know?

No response
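The conditional rendering requested under "Expected behavior" (skip the reloader-web port when reloaderWebPort is null or 0), shown as an added Go text/template example that is not the chart's own code: the template fragment is a hypothetical patch to prometheus/templates/service.yaml, and the helpers RenderPorts and CountPorts are assumed names. Helm templates are Go text/template, so nil and 0 are falsy here exactly as they would be in the chart.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Hypothetical patch to prometheus/templates/service.yaml: the reloader-web
// entry is wrapped in an "if" so it is omitted when reloaderWebPort is
// null, absent or 0, instead of always opening 8080 on the load balancer.
const serviceTemplate = `ports:
  - name: {{ .Values.prometheus.service.portName }}
    port: {{ .Values.prometheus.service.port }}
    targetPort: {{ .Values.prometheus.service.targetPort }}
{{- if .Values.prometheus.service.reloaderWebPort }}
  - name: reloader-web
    port: {{ .Values.prometheus.service.reloaderWebPort }}
    targetPort: reloader-web
{{- end }}
`

var serviceTmpl = template.Must(template.New("service").Parse(serviceTemplate))

// RenderPorts renders the fragment with the issue's values (http-web on
// 9090) and the given reloaderWebPort; pass nil to model "null"/absent.
func RenderPorts(reloaderWebPort interface{}) (string, error) {
	values := map[string]interface{}{"Values": map[string]interface{}{
		"prometheus": map[string]interface{}{"service": map[string]interface{}{
			"portName": "http-web", "port": 9090, "targetPort": 9090,
			"reloaderWebPort": reloaderWebPort,
		}},
	}}
	var out bytes.Buffer
	if err := serviceTmpl.Execute(&out, values); err != nil {
		return "", err
	}
	return out.String(), nil
}

// CountPorts counts rendered Service ports, i.e. what the NLB security group would open.
func CountPorts(rendered string) int { return strings.Count(rendered, "- name:") }

func main() {
	for _, v := range []interface{}{8080, 0, nil} {
		out, _ := RenderPorts(v)
		fmt.Printf("reloaderWebPort=%v -> %d port(s)\n%s\n", v, CountPorts(out), out)
	}
}
```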

Labels

bug