Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Kubebuilder scaffolding moves away from kube-rbac-proxy #3369

Open
pavolloffay opened this issue Oct 18, 2024 · 2 comments
Open

Kubebuilder scaffolding moves away from kube-rbac-proxy #3369

pavolloffay opened this issue Oct 18, 2024 · 2 comments
Assignees
@pavolloffay

Comments

@pavolloffay
Copy link
Member

Component(s)

No response

Describe the issue you're reporting

https://github.com/kubernetes-sigs/kubebuilder/blob/master/designs/discontinue_usage_of_kube_rbac_proxy.md

The proxy is used to secure /metrics endpoint of the operator

opentelemetry-operator/bundle/openshift/manifests/opentelemetry-operator.clusterserviceversion.yaml

Line 516 in 97c8d51

- --upstream=http://127.0.0.1:8080/

On OpenShift the proxy is configured with OCP serving certs https://github.com/os-observability/konflux-opentelemetry/blob/main/bundle-patch/patch_csv.yaml#L177 and https://github.com/os-observability/konflux-opentelemetry/blob/main/bundle-patch/manifests/opentelemetry-operator-prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml#L18 cc) @iblancasa we talked about migrating this to this repo.

If we migrate away from the proxy we should ensure the metrics endpoint can be served via TLS (kubernetes-sigs/controller-runtime#2407), however there is no RBAC enforcement at the moment.
@swiatekm
Copy link
Contributor

swiatekm commented Dec 2, 2024
edited
Loading

If we migrate away from the proxy we should ensure the metrics endpoint can be served via TLS (kubernetes-sigs/controller-runtime#2407), however there is no RBAC enforcement at the moment.

Looks like RBAC enforcement does work as per kubernetes-sigs/kubebuilder#3907.

@swiatekm swiatekm mentioned this issue Dec 2, 2024
Open
@swiatekm swiatekm added the discuss-at-sig This issue or PR should be discussed at the next SIG meeting label Dec 2, 2024
@camilamacedo86
Copy link

Hi @pavolloffay

If you can upgrade the solution to the latest scaffold provided by Kubebuilder, you will have protection in place with the WithAuthenticationAndAuthorization feature provided by Controller-Runtime. However, you can also do the change manually. Check out the FAQ section: "How can I manually change my project to switch to Controller-Runtime's built-in auth protection?"

This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for (https://github.com/brancz/kube-rbac-proxy) to secure metrics endpoints.

🖐️ Also, see the feature available in the next release kubernetes-sigs/kubebuilder#4400 to know how to use certs within.

I hope that helps out.

@swiatekm swiatekm removed the discuss-at-sig This issue or PR should be discussed at the next SIG meeting label Dec 5, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@pavolloffay pavolloffay

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pavolloffay @camilamacedo86 @swiatekm