Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[META - Phases]: Discontinue Kube RBAC Proxy in Default Kubebuilder Scaffolding #3871

Closed
4 of 5 tasks
camilamacedo86 opened this issue Apr 23, 2024 · 5 comments · Fixed by #3853
Closed
4 of 5 tasks
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@camilamacedo86
Copy link
Member

camilamacedo86 commented Apr 23, 2024

What do you want to happen?

Address the phases and changes discussed in the proposal: https://github.com/kubernetes-sigs/kubebuilder/blob/master/designs/discontinue_usage_of_kube_rbac_proxy.md

Extra Labels

No response

@camilamacedo86 camilamacedo86 added help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed priority/backlog Higher priority than priority/awaiting-more-evidence. labels Apr 23, 2024
@fgiloux
Copy link
Contributor

fgiloux commented Apr 28, 2024

Hi Camilla. Nice to see progress on this. If I am understanding things right you are considering two different ways of doing RBAC:

You also have two orthogonal subjects:

  • TLS certificates for the metrics endpoint, where you propose to optionally scaffold resources for cert-manager
  • scaffolding an SA, and referencing it in the ServiceMonitors, that can be leveraged by Prometheus for scrapping the metrics

This sounds good to me.

@fgiloux
Copy link
Contributor

fgiloux commented Apr 28, 2024

For phase 3: Maybe you mean issue 2781 as blocker?

@camilamacedo86
Copy link
Member Author

Hi @fgiloux,

For phase 3: Maybe you mean kubernetes-sigs/controller-runtime#2781 as blocker?

Yes, it is a blocker for us since it is not following the good practices and we cannot properly pass the certs via cert-manager within as it is now. However, asap they be able to enhance the feature in controller-runtime we can move forward within.

@fgiloux
Copy link
Contributor

fgiloux commented May 5, 2024

I meant controller-runtime #2781 is now blocking phase 3 instead of #2407, as it is its follow-up and #2407 has been merged.

aleskandro added a commit to aleskandro/multiarch-manager-operator that referenced this issue Sep 6, 2024
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025.
Projects initialized with Kubebuilder versions v3.14 or lower utilize gcr.io/kubebuilder/kube-rbac-proxy to protect the metrics endpoint.

Following the work in kubernetes-sigs/kubebuilder#4003, this commit removes the kube-rbac-proxy container and let the main container of the controller expose the metrics via HTTPS and by using the WithAuthenticatoinAndAuthorization filter.

This also includes a minor fix in BuildService escaped during the resolution of some conflicts during a rebase.

Related to kubernetes-sigs/kubebuilder#3871
aleskandro added a commit to aleskandro/multiarch-manager-operator that referenced this issue Sep 6, 2024
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025.
Projects initialized with Kubebuilder versions v3.14 or lower utilize gcr.io/kubebuilder/kube-rbac-proxy to protect the metrics endpoint.

Following the work in kubernetes-sigs/kubebuilder#4003, this commit removes the kube-rbac-proxy container and let the main container of the controller expose the metrics via HTTPS and by using the WithAuthenticatoinAndAuthorization filter.

This also includes a minor fix in BuildService escaped during the resolution of some conflicts during a rebase.

Related to kubernetes-sigs/kubebuilder#3871
aleskandro added a commit to aleskandro/multiarch-manager-operator that referenced this issue Sep 6, 2024
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025.
Projects initialized with Kubebuilder versions v3.14 or lower utilize gcr.io/kubebuilder/kube-rbac-proxy to protect the metrics endpoint.

Following the work in kubernetes-sigs/kubebuilder#4003, this commit removes the kube-rbac-proxy container and let the main container of the controller expose the metrics via HTTPS and by using the WithAuthenticatoinAndAuthorization filter.

This also includes a minor fix in BuildService escaped during the resolution of some conflicts during a rebase.

Related to kubernetes-sigs/kubebuilder#3871
@camilamacedo86
Copy link
Member Author

All that we could to do in Kubebuilder is done now.
So, because of it I am closing this one.

If kube-rbac-proxy maintainers desire to do an external plugin or any one decide to contribute with to allow kubebuilder users use their solution we are more than happy to help out. Just ping us and let's speak via the Slack Channel

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants