
chore(controller): deprecate kube-rbac-proxy with controller built-in auth protection #1913

Merged
merged 1 commit into from
Dec 24, 2024

Conversation

rksharma95
Collaborator

@rksharma95 rksharma95 commented Dec 13, 2024

Purpose of PR?:

Fixes #1905

Does this PR introduce a breaking change?
No
If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
With this PR, kube-rbac-proxy would be deprecated; therefore the controller deployment will have a single container for the kubearmor-controller manager only. The operator should not deploy kube-rbac-proxy in any case. Metric protection is also disabled with this PR in effect, as the controller is not producing any metric at this point.

Checklist:
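An added example, not code from this PR or from the KubeArmor project: an audit over parsed `kubectl get deployments -A -o json` output that flags any pod template still carrying the deprecated kube-rbac-proxy sidecar and confirms the manager-only controller layout this PR describes. The DeploymentList below is constructed, and its registry and image tags are placeholders.

```python
import json

# Repository of the deprecated sidecar image named in the linked issue.
DEPRECATED_PROXY_IMAGE = "gcr.io/kubebuilder/kube-rbac-proxy"

def pod_containers(deployment):
    """All containers (regular and init) of a Deployment's pod template."""
    spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])

def find_rbac_proxy_sidecars(deployment_list):
    """Scan a parsed DeploymentList and return (namespace, deployment, container,
    image) for every container that still runs kube-rbac-proxy, matched either
    by image repository or by container name."""
    hits = []
    for item in deployment_list.get("items", []):
        meta = item.get("metadata", {})
        for c in pod_containers(item):
            image = c.get("image", "")
            if image.startswith(DEPRECATED_PROXY_IMAGE) or c.get("name") == "kube-rbac-proxy":
                hits.append((meta.get("namespace"), meta.get("name"), c.get("name"), image))
    return hits

def has_single_manager(deployment_list, namespace, name):
    """True when the named Deployment's pod template holds exactly one container,
    named 'manager' (the layout left behind once the sidecar is dropped)."""
    for item in deployment_list.get("items", []):
        meta = item.get("metadata", {})
        if meta.get("namespace") == namespace and meta.get("name") == name:
            return [c.get("name") for c in pod_containers(item)] == ["manager"]
    return False

# Constructed sample: an old-layout controller (manager + sidecar) in one
# namespace and a new-layout controller (manager only) in another.
SAMPLE = json.loads("""{"kind": "DeploymentList", "items": [
 {"metadata": {"name": "kubearmor-controller", "namespace": "old-ns"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "kube-rbac-proxy", "image": "gcr.io/kubebuilder/kube-rbac-proxy:placeholder-tag"},
   {"name": "manager", "image": "example.registry/kubearmor-controller:placeholder-tag"}]}}}},
 {"metadata": {"name": "kubearmor-controller", "namespace": "kubearmor"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "manager", "image": "example.registry/kubearmor-controller:placeholder-tag"}]}}}}
]}""")

if __name__ == "__main__":
    for ns, dep, ctr, img in find_rbac_proxy_sidecars(SAMPLE):
        print(f"{ns}/{dep}: container {ctr} still runs {img}")
    print("controller is manager-only:",
          has_single_manager(SAMPLE, "kubearmor", "kubearmor-controller"))
```

Run it against real cluster output by replacing SAMPLE with `json.load(open("deployments.json"))`, where that file is the saved output of `kubectl get deployments -A -o json`.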

@rksharma95 rksharma95 force-pushed the feat-deprecate-rbac-proxy branch 4 times, most recently from f89b36a to 7a7954d Compare December 13, 2024 09:56
daemon1024
daemon1024 previously approved these changes Dec 16, 2024
Member

@Aryan-sharma11 Aryan-sharma11 left a comment


@rksharma95, why are we adding binary files kubearmor-v1.x.x.tgz, kubearmor-operator-1.3.2.tgz?

@rootxrishabh
Member

@rksharma95 Please resolve conflicts

@rksharma95 rksharma95 force-pushed the feat-deprecate-rbac-proxy branch from 83c2ae9 to 4653681 Compare December 19, 2024 10:09
@rksharma95
Collaborator Author

@rksharma95, why are we adding binary files kubearmor-v1.x.x.tgz, kubearmor-operator-1.3.2.tgz?

My bad! I added these by mistake, removed.

rootxrishabh
rootxrishabh previously approved these changes Dec 20, 2024
Member

@rootxrishabh rootxrishabh left a comment


LGTM!

Environment

OS - Google Container - Optimized OS
Kernel - 6.1.112+
Container Runtime - containerd://1.7.23
K8s env - v1.30.6-gke.1125000

Kube-rbac not deployed (expected) && Enforcement confirmed on AppArmor

rootxrishabh@Rishabhs-MacBook-Air KubeArmorOperator % k describe po kubearmor-controller-77bb969564-wkmjz -n kubearmor
Name:             kubearmor-controller-77bb969564-wkmjz
Namespace:        kubearmor
Priority:         0
Service Account:  kubearmor-controller
Node:             gke-rishab-cluster-ng-ae649047-dn25/10.128.0.25
Start Time:       Fri, 20 Dec 2024 11:46:54 +0530
Labels:           kubearmor-app=kubearmor-controller
                  pod-template-hash=77bb969564
Annotations:      container.apparmor.security.beta.kubernetes.io/manager: unconfined
                  kubearmor-policy: audited
Status:           Running
IP:               10.84.2.26
IPs:
  IP:           10.84.2.26
Controlled By:  ReplicaSet/kubearmor-controller-77bb969564
Containers:
  manager:
    Container ID:  containerd://bd9d3a035edaad07249a0782144b52c92c231d9fbdcc3d60155427f44a88fb71
    Image:         ttl.sh/kubearmor-controller-rbac:24h
    Image ID:      ttl.sh/kubearmor-controller-rbac@sha256:0bed0d14fd98d3f5040611f694605f34d153b18f32ae79645988e9677a3439fb
    Port:          9443/TCP
    Host Port:     0/TCP
    Command:
      /manager
    Args:
      --leader-elect
      --health-probe-bind-address=:8081
    State:          Running
      Started:      Fri, 20 Dec 2024 11:46:58 +0530
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:        10m
      memory:     64Mi
    Liveness:     http-get http://:8081/healthz delay=15s timeout=1s period=20s #success=1 #failure=3
    Readiness:    http-get http://:8081/readyz delay=5s timeout=1s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /tmp/k8s-webhook-server/serving-certs from cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-gvn7w (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       True 
  ContainersReady             True 
  PodScheduled                True 
Volumes:
  cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kubearmor-controller-webhook-server-cert
    Optional:    false
  kube-api-access-gvn7w:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              kubearmor.io/securityfs=yes
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
                             
rootxrishabh@Rishabhs-MacBook-Air templates % k exec -it nginx-bf5d5cf98-2tptx -- bash
root@nginx-bf5d5cf98-2tptx:/# apt
bash: /usr/bin/apt: Permission denied
root@nginx-bf5d5cf98-2tptx:/# exit
exit
command terminated with exit code 126
rootxrishabh@Rishabhs-MacBook-Air templates % k describe po nginx-bf5d5cf98-2tptx
Name:             nginx-bf5d5cf98-2tptx
Namespace:        default
Priority:         0
Service Account:  default
Node:             gke-rishab-cluster-ng-ae649047-dn25/10.128.0.25
Start Time:       Fri, 20 Dec 2024 11:47:49 +0530
Labels:           app=nginx
                  pod-template-hash=bf5d5cf98
Annotations:      container.apparmor.security.beta.kubernetes.io/nginx: localhost/kubearmor-default-nginx-nginx
                  kubearmor-policy: enabled
                  kubearmor-visibility: process,file,network,capabilities

Signed-off-by: rksharma95 <ramakant@accuknox.com>
@daemon1024 daemon1024 merged commit 4887324 into kubearmor:main Dec 24, 2024
20 checks passed
Successfully merging this pull request may close these issues.

⚠️ Action Required: Replace Deprecated gcr.io/kubebuilder/kube-rbac-proxy