Skip to content

Commit

Permalink
Implement secure metrics serving
Browse files Browse the repository at this point in the history 
Signed-off-by: Stefan Büringer [email protected]
  • Loading branch information
@sbueringer
sbueringer committed Aug 23, 2023
1 parent c074408 commit d74ee1f
Show file tree
Hide file tree
Showing 23 changed files with 233 additions and 47 deletions.
5 changes: 4 additions & 1 deletion bootstrap/kubeadm/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ spec:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--metrics-bind-addr=:8443"
- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
- "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
image: controller:latest
Expand All @@ -29,6 +29,9 @@ spec:
- containerPort: 9440
name: healthz
protocol: TCP
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
Expand Down
12 changes: 12 additions & 0 deletions bootstrap/kubeadm/config/rbac/role.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,18 @@ kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
Expand Down
12 changes: 10 additions & 2 deletions bootstrap/kubeadm/main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
"context"
"flag"
"fmt"
"net/http"
"os"
goruntime "runtime"
"time"
Expand All @@ -31,6 +32,7 @@ import (
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/selection"
"k8s.io/apiserver/pkg/server/routes"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/tools/leaderelection/resourcelock"
cliflag "k8s.io/component-base/cli/flag"
Expand All @@ -42,6 +44,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
"sigs.k8s.io/controller-runtime/pkg/webhook"

Expand Down Expand Up @@ -103,7 +106,7 @@ var (
func InitFlags(fs *pflag.FlagSet) {
logsv1.AddFlags(logOptions, fs)

fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080",
fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8443",
"The address the metric endpoint binds to.")

fs.BoolVar(&enableLeaderElection, "leader-elect", false,
Expand Down Expand Up @@ -221,7 +224,12 @@ func main() {
HealthProbeBindAddress: healthAddr,
PprofBindAddress: profilerAddress,
Metrics: metricsserver.Options{
BindAddress: metricsBindAddr,
BindAddress: metricsBindAddr,
SecureServing: true,
FilterProvider: filters.WithAuthenticationAndAuthorization,
ExtraHandlers: map[string]http.Handler{
"/debug/flags/v": routes.StringFlagPutHandler(logs.GlogSetter),
},
},
Cache: cache.Options{
DefaultNamespaces: watchNamespaces,
Expand Down
5 changes: 4 additions & 1 deletion config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ spec:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--metrics-bind-addr=:8443"
- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false},MachineSetPreflightChecks=${EXP_MACHINE_SET_PREFLIGHT_CHECKS:=false}"
image: controller:latest
name: manager
Expand All @@ -42,6 +42,9 @@ spec:
- containerPort: 9440
name: healthz
protocol: TCP
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
Expand Down
12 changes: 12 additions & 0 deletions config/rbac/role.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,18 @@ kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
Expand Down
5 changes: 4 additions & 1 deletion controlplane/kubeadm/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ spec:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--metrics-bind-addr=:8443"
- "--feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
image: controller:latest
name: manager
Expand All @@ -41,6 +41,9 @@ spec:
- containerPort: 9440
name: healthz
protocol: TCP
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
Expand Down
12 changes: 12 additions & 0 deletions controlplane/kubeadm/config/rbac/role.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,18 @@ kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- apiextensions.k8s.io
resources:
Expand Down
12 changes: 10 additions & 2 deletions controlplane/kubeadm/main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
"context"
"flag"
"fmt"
"net/http"
"os"
goruntime "runtime"
"time"
Expand All @@ -33,6 +34,7 @@ import (
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/selection"
"k8s.io/apiserver/pkg/server/routes"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/tools/leaderelection/resourcelock"
cliflag "k8s.io/component-base/cli/flag"
Expand All @@ -44,6 +46,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
"sigs.k8s.io/controller-runtime/pkg/webhook"

Expand Down Expand Up @@ -108,7 +111,7 @@ var (
func InitFlags(fs *pflag.FlagSet) {
logsv1.AddFlags(logOptions, fs)

fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080",
fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8443",
"The address the metric endpoint binds to.")

fs.BoolVar(&enableLeaderElection, "leader-elect", false,
Expand Down Expand Up @@ -224,7 +227,12 @@ func main() {
HealthProbeBindAddress: healthAddr,
PprofBindAddress: profilerAddress,
Metrics: metricsserver.Options{
BindAddress: metricsBindAddr,
BindAddress: metricsBindAddr,
SecureServing: true,
FilterProvider: filters.WithAuthenticationAndAuthorization,
ExtraHandlers: map[string]http.Handler{
"/debug/flags/v": routes.StringFlagPutHandler(logs.GlogSetter),
},
},
Cache: cache.Options{
DefaultNamespaces: watchNamespaces,
Expand Down
1 change: 1 addition & 0 deletions docs/book/src/developer/providers/migrations/v1.5-to-v1.6.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,3 +38,4 @@ maintainers of providers and consumers of our Go API.
### Suggested changes for providers

- In order to reduce dependencies for API package consumers, CAPI has diverged from the default kubebuilder scheme builder. This new pattern may also be useful for reducing dependencies in provider API packages. For more information [see the implementers guide.](../implementers-guide/create_api.md#registering-apis-in-the-scheme)
- FIXME(sbueringer): Add something about secure metrics
19 changes: 19 additions & 0 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,12 +54,14 @@ require (
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.0 // indirect
github.com/NYTimes/gziphandler v1.1.1 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
github.com/ajeddeloh/go-json v0.0.0-20200220154158-5ae607161559 // indirect
github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.3.3 // indirect
Expand All @@ -72,9 +74,11 @@ require (
github.com/evanphx/json-patch v5.6.0+incompatible // indirect
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/fatih/camelcase v1.0.0 // indirect
github.com/felixge/httpsnoop v1.0.3 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/fvbommel/sortorder v1.1.0 // indirect
github.com/go-errors/errors v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-logr/zapr v1.2.4 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
Expand All @@ -91,6 +95,8 @@ require (
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/huandu/xstrings v1.3.3 // indirect
github.com/imdario/mergo v0.3.13 // indirect
Expand Down Expand Up @@ -134,6 +140,16 @@ require (
github.com/vincent-petithory/dataurl v1.0.0 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect
go.opentelemetry.io/otel v1.10.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0 // indirect
go.opentelemetry.io/otel/metric v0.31.0 // indirect
go.opentelemetry.io/otel/sdk v1.10.0 // indirect
go.opentelemetry.io/otel/trace v1.10.0 // indirect
go.opentelemetry.io/proto/otlp v0.19.0 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.25.0 // indirect
Expand All @@ -153,11 +169,14 @@ require (
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/cli-runtime v0.28.0 // indirect
k8s.io/component-helpers v0.28.0 // indirect
k8s.io/kms v0.28.0 // indirect
k8s.io/metrics v0.28.0 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3 // indirect
Expand Down
Loading

0 comments on commit d74ee1f

Please sign in to comment.