diff --git a/config/debug/kustomization-cluster.yaml b/config/debug/kustomization-cluster.yaml
index 6c9d8e320..a19d662de 100644
--- a/config/debug/kustomization-cluster.yaml
+++ b/config/debug/kustomization-cluster.yaml
@@ -119,7 +119,7 @@ patches: name: controller-manager patch: |- - op: add - path: /spec/template/spec/containers/2/env + path: /spec/template/spec/containers/1/env value: - name: WATCH_NAMESPACE value: WATCH_NAMESPACE_VALUE
diff --git a/config/debug/kustomization-namespace.yaml b/config/debug/kustomization-namespace.yaml
index 588f4f019..82b2567df 100644
--- a/config/debug/kustomization-namespace.yaml
+++ b/config/debug/kustomization-namespace.yaml
@@ -119,7 +119,7 @@ patches: name: controller-manager patch: |- - op: add - path: /spec/template/spec/containers/2/env + path: /spec/template/spec/containers/1/env value: - name: WATCH_NAMESPACE valueFrom:
diff --git a/config/debug/kustomization.yaml b/config/debug/kustomization.yaml
index 5d04feb22..bd49f6b5a 100644
--- a/config/debug/kustomization.yaml
+++ b/config/debug/kustomization.yaml
@@ -25,12 +25,10 @@ bases: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml - debug-sidecar-patch.yaml
@@ -121,7 +119,7 @@ patches: name: controller-manager patch: |- - op: add - path: /spec/template/spec/containers/2/env + path: /spec/template/spec/containers/1/env value: - name: WATCH_NAMESPACE value: WATCH_NAMESPACE_VALUE
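Review bot: The new `- metrics_service.yaml` entry is appended under `bases:` (the key shown as hunk context), which kustomize has deprecated in favour of `resources:` and which was originally meant for kustomization directories rather than single manifests; current kustomize folds `bases` into `resources`, so this builds, but older releases may reject a plain file there. Placing the Service under a `resources:` list (or renaming the key) makes the intent unambiguous. The same placement is used in config/default/kustomization.yaml.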
@@ -134,4 +132,9 @@ patches: - name: POD_NAME valueFrom: fieldRef: - fieldPath: metadata.name
\ No newline at end of file
+ fieldPath: metadata.name +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment
\ No newline at end of file
diff --git a/config/debug/manager_auth_proxy_patch.yaml b/config/debug/manager_auth_proxy_patch.yaml
deleted file mode 100644
index 2d31fa4ec..000000000
--- a/config/debug/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,44 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - metadata: - labels: - control-plane: controller-manager - name: splunk-operator - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - "ALL" - add: - - "NET_BIND_SERVICE" - seccompProfile: - type: "RuntimeDefault" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi
diff --git a/config/debug/manager_config_patch.yaml b/config/debug/manager_config_patch.yaml
deleted file mode 100644
index 6c400155c..000000000
--- a/config/debug/manager_config_patch.yaml
+++ /dev/null
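Review bot: The new `target:` for manager_metrics_patch.yaml selects only `kind: Deployment`, while the env patch earlier in the same `patches:` list narrows to `name: controller-manager`; if the build ever includes a second Deployment, the JSON patch is applied to it as well and fails on a missing `containers/1/args`. Suggest narrowing it to `kind: Deployment` plus `name: controller-manager`. The same selector is added to config/default/kustomization.yaml, and both files end without a trailing newline.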
@@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - args: - - "--config=controller_manager_config.yaml" - volumeMounts: - - name: manager-config - mountPath: /controller_manager_config.yaml - subPath: controller_manager_config.yaml - volumes: - - name: manager-config - configMap: - name: manager-config
diff --git a/config/debug/manager_metrics_patch.yaml b/config/debug/manager_metrics_patch.yaml
new file mode 100644
index 000000000..2f8c37160
--- /dev/null
+++ b/config/debug/manager_metrics_patch.yaml
@@ -0,0 +1,4 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/1/args/0 + value: --metrics-bind-address=:8443
\ No newline at end of file
diff --git a/config/debug/metrics_service.yaml b/config/debug/metrics_service.yaml
new file mode 100644
index 000000000..cebb2683b
--- /dev/null
+++ b/config/debug/metrics_service.yaml
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: controller-manager + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + control-plane: controller-manager
\ No newline at end of file
diff --git a/config/default/kustomization-cluster.yaml b/config/default/kustomization-cluster.yaml
index 6c9d8e320..7c078d532 100644
--- a/config/default/kustomization-cluster.yaml
+++ b/config/default/kustomization-cluster.yaml
@@ -119,7 +119,7 @@ patches: name: controller-manager patch: |- - op: add - path: /spec/template/spec/containers/2/env + path: /spec/template/spec/containers/0/env value: - name: WATCH_NAMESPACE value: WATCH_NAMESPACE_VALUE
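Review bot: `--metrics-bind-address=:8443` in the new manager_metrics_patch.yaml only sets where controller-runtime listens; whether that listener speaks HTTPS and performs authn/authz is decided in the manager's Go code (the metrics server's `SecureServing` option and an authentication/authorization filter), and this commit shows no such change. With the kube-rbac-proxy sidecar that used to front 8443 deleted, an un-updated manager would expose plain, unauthenticated HTTP on a port that metrics_service.yaml and the ServiceMonitor still label `https`, and the TokenReview/SubjectAccessReview grants in metrics_auth_role.yaml would sit unused. Please record the dependency in the patch header, e.g. `# Requires the manager to start its metrics server with secure serving and the authn/authz filter (see main.go); otherwise :8443 is plain, unauthenticated HTTP.` The same applies to config/default/manager_metrics_patch.yaml.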
diff --git a/config/default/kustomization-namespace.yaml b/config/default/kustomization-namespace.yaml
index 588f4f019..71521809c 100644
--- a/config/default/kustomization-namespace.yaml
+++ b/config/default/kustomization-namespace.yaml
@@ -119,7 +119,7 @@ patches: name: controller-manager patch: |- - op: add - path: /spec/template/spec/containers/2/env + path: /spec/template/spec/containers/0/env value: - name: WATCH_NAMESPACE valueFrom:
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 6c9d8e320..1c0881f36 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -25,13 +25,11 @@ bases: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml -patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml +patchesStrategicMerge: # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml
@@ -119,7 +117,7 @@ patches: name: controller-manager patch: |- - op: add - path: /spec/template/spec/containers/2/env + path: /spec/template/spec/containers/0/env value: - name: WATCH_NAMESPACE value: WATCH_NAMESPACE_VALUE
@@ -132,4 +130,9 @@ patches: - name: POD_NAME valueFrom: fieldRef: - fieldPath: metadata.name
\ No newline at end of file
+ fieldPath: metadata.name +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment
\ No newline at end of file
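Review bot: In config/default/kustomization.yaml the kept comment `#- manager_config_patch.yaml` under the re-added `patchesStrategicMerge:` now refers to config/default/manager_config_patch.yaml, which this same commit deletes, so following the comment's advice would break the build. Either drop the three comment lines together with the file, or reword them to `# ComponentConfig is no longer used; manager_config_patch.yaml was removed.` If no entry follows (the hunk shows none), `patchesStrategicMerge:` is also left as an empty key and can be removed outright, since the file already uses `patches:`.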
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index 2d31fa4ec..000000000
--- a/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,44 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - metadata: - labels: - control-plane: controller-manager - name: splunk-operator - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - "ALL" - add: - - "NET_BIND_SERVICE" - seccompProfile: - type: "RuntimeDefault" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
deleted file mode 100644
index 6c400155c..000000000
--- a/config/default/manager_config_patch.yaml
+++ /dev/null
@@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - args: - - "--config=controller_manager_config.yaml" - volumeMounts: - - name: manager-config - mountPath: /controller_manager_config.yaml - subPath: controller_manager_config.yaml - volumes: - - name: manager-config - configMap: - name: manager-config
diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml
new file mode 100644
index 000000000..488f13693
--- /dev/null
+++ b/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,4 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443
\ No newline at end of file
diff --git a/config/default/metrics_service.yaml b/config/default/metrics_service.yaml
new file mode 100644
index 000000000..cebb2683b
--- /dev/null
+++ b/config/default/metrics_service.yaml
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: controller-manager + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + control-plane: controller-manager
\ No newline at end of file
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index be185b6a3..3974d02f0 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -42,6 +42,7 @@ spec: - /manager args: - --leader-elect + - --health-probe-bind-address=:8081 - --pprof image: controller:latest imagePullPolicy: Always
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
index d19136ae7..4453ba141 100644
--- a/config/prometheus/monitor.yaml
+++ b/config/prometheus/monitor.yaml
@@ -10,10 +10,19 @@ metadata: spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification. This poses a significant security risk by making the system vulnerable to + # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between + # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, + # compromising the integrity and confidentiality of the information. + # Please use the following options for secure configurations: + # caFile: /etc/metrics-certs/ca.crt + # certFile: /etc/metrics-certs/tls.crt + # keyFile: /etc/metrics-certs/tls.key insecureSkipVerify: true selector: matchLabels:
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 80e1857c5..000000000
--- a/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 71f179727..000000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager
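Review bot: The new TODO in monitor.yaml points at `caFile: /etc/metrics-certs/ca.crt` and its siblings, but nothing in this diff issues a certificate or mounts one at that path (`../certmanager` stays commented out in the kustomizations), so `insecureSkipVerify: true` remains the effective setting and the advice cannot be followed as written. With kube-rbac-proxy removed, the certificate presented on :8443 is whatever the manager's own metrics server serves — presumably a self-generated one unless the manager is given a cert — so the comment should say what the CA is expected to match. Suggest prefixing the option list with `# The CA below must match the certificate the manager serves on :8443 (e.g. cert-manager issued and mounted at /etc/metrics-certs); enable ../certmanager first.`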
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 731832a6a..3577dde2a 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -9,10 +9,12 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml
\ No newline at end of file
diff --git a/config/rbac/metrics_auth_role.yaml b/config/rbac/metrics_auth_role.yaml
new file mode 100644
index 000000000..2ba875039
--- /dev/null
+++ b/config/rbac/metrics_auth_role.yaml
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-auth-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create
\ No newline at end of file
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml
similarity index 53%
rename from config/rbac/auth_proxy_role_binding.yaml
rename to config/rbac/metrics_auth_role_binding.yaml
index ec7acc0a1..c7063d7b3 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/metrics_auth_role_binding.yaml
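Review bot: The new comment in config/rbac/kustomization.yaml states these files "ensure that only authorized users and service accounts can access the metrics endpoint", but a ClusterRole granting `tokenreviews`/`subjectaccessreviews` create only lets the manager perform those checks; enforcement happens in the manager's metrics server, which this diff does not show. The reader role in metrics_reader_role.yaml (`nonResourceURLs: /metrics`, verb `get`) is listed without any binding in this change, so a scraper such as Prometheus still needs its own ClusterRoleBinding before the `bearerTokenFile` in monitor.yaml gains it access. Suggest `# metrics_auth_role lets the manager validate scrape tokens; bind metrics_reader_role to your scraper's ServiceAccount. Enforcement itself is configured in the manager.` The file also loses its trailing newline.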
@@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-auth-role subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system + - kind: ServiceAccount + name: controller-manager + namespace: system
\ No newline at end of file
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/metrics_reader_role.yaml
similarity index 94%
rename from config/rbac/auth_proxy_client_clusterrole.yaml
rename to config/rbac/metrics_reader_role.yaml
index 51a75db47..50fbca545 100644
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ b/config/rbac/metrics_reader_role.yaml
@@ -6,4 +6,4 @@ rules: - nonResourceURLs: - "/metrics" verbs: - - get + - get
\ No newline at end of file