Add boolean flag to enable prometheus admin api

Documentation/api.md

@@ -280,6 +280,7 @@ PrometheusSpec is a specification of the desired behavior of the Prometheus clus
 | evaluationInterval | Interval between consecutive evaluations. | string | false |
 | rules | /--rules.*/ command-line arguments. | [Rules](#rules) | false |
 | externalLabels | The labels to add to any time series or alerts when communicating with external systems (federation, remote storage, Alertmanager). | map[string]string | false |
+| enableAdminApi | Enable access to prometheus web admin API. default is 'true'. For more information, refer to official prometheus documentation https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis | string | false |
 | externalUrl | The external URL the Prometheus instances will be available under. This is necessary to generate correct URLs. This is necessary if Prometheus is not served from root of a DNS name. | string | false |
 | routePrefix | The route prefix Prometheus registers HTTP handlers for. This is useful, if using ExternalURL and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true, but the server serves requests under a different route prefix. For example for use with `kubectl proxy`. | string | false |
 | query | QuerySpec defines the query command line flags when starting Prometheus. | *[QuerySpec](#queryspec) | false |

Documentation/user-guides/getting-started.md

@@ -327,6 +327,25 @@ Once this Service is created the Prometheus web UI is available under the node's
 
 > Exposing the Prometheus web UI may not be an applicable solution. Read more about the possibilities of exposing it in the [exposing Prometheus and Alertmanager guide][exposing-prom].
 
+## Expose the Prometheus Admin API
+
+Prometheus Admin API allows access to delete series for a certain time range, cleanup tombstones, capture snapshots, etc. Users should enable this with caution when exposing Prometheus servers to the public internet. More information about the admin API can be found in [Prometheus official documentation](https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis)
+This API access is enabled by default (as prometheus operator doesn't act as a gatekeeper) and can be toggled using this boolean flag. The following example exposes the admin API:
+
+[embedmd]:# (../../example/user-guides/getting-started/prometheus.yaml)
+```yaml
+apiVersion: monitoring.coreos.com/v1
+kind: Prometheus
+metadata:
+  name: prometheus
+spec:
+  serviceAccountName: prometheus
+  serviceMonitorSelector:
+    matchLabels:
+      team: frontend
+  enableAdminApi: true
+```
+
 Further reading:
 
 * [Alerting][alerting-guide] describes using the Prometheus Operator go manage Alertmanager clusters.

example/user-guides/getting-started/prometheus.yaml

@@ -10,3 +10,4 @@ spec:
   resources:
     requests:
       memory: 400Mi
+  enableAdminApi: true

pkg/apis/monitoring/v1/types.go

@@ -123,6 +123,9 @@ type PrometheusSpec struct {
 	// The labels to add to any time series or alerts when communicating with
 	// external systems (federation, remote storage, Alertmanager).
 	ExternalLabels map[string]string `json:"externalLabels,omitempty"`
+	// Enable access to prometheus web admin API. Defaults to the value of `true`.
+	// For more information see https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis
+	EnableAdminApi string `json:"enableAdminApi,omitempty"`
 	// The external URL the Prometheus instances will be available under. This is
 	// necessary to generate correct URLs. This is necessary if Prometheus is not
 	// served from root of a DNS name.

pkg/prometheus/statefulset.go

@@ -381,8 +381,9 @@ func makeStatefulSetSpec(p monitoringv1.Prometheus, c *Config, ruleConfigMapName
 		securityContext = p.Spec.SecurityContext
 	}
 
-	/* enable prometheus admin API to allow metric deletion */
-	promArgs = append(promArgs, "-web.enable-admin-api")
+  if p.Spec.EnableAdminApi != "false" {
+		promArgs = append(promArgs, "-web.enable-admin-api")
+	}
 
 	if p.Spec.ExternalURL != "" {
 		promArgs = append(promArgs, "-web.external-url="+p.Spec.ExternalURL)