Merge pull request #340 from Fedosin/remove_kube_rbac_proxy

⚠️ Remove kube-rbac-proxy and expose metrics on localhost:8080
kubernetes-sigs · Nov 30, 2023 · d254cf7 · d254cf7
2 parents d0f318d + 50b7f2f
commit d254cf7
Show file tree

Hide file tree

Showing 11 changed files with 2 additions and 245 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -78,7 +78,7 @@ func init() {
 
 // InitFlags initializes the flags.
 func InitFlags(fs *pflag.FlagSet) {
-	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080",
+	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080",
 		"The address the metric endpoint binds to.")
 
 	fs.BoolVar(&enableLeaderElection, "leader-elect", false,

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -26,10 +26,6 @@ bases:
 - ../namespace
 
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
   # Provide customizable hook for make targets.
 - manager_image_patch.yaml
 - manager_pull_policy.yaml

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -3,10 +3,3 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
diff --git a/hack/charts/cluster-api-operator/templates/deployment.yaml b/hack/charts/cluster-api-operator/templates/deployment.yaml
@@ -101,30 +101,6 @@ spec:
         volumeMounts:
         {{- toYaml . | nindent 12 }}
         {{- end }}
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        {{- if .Values.logLevel }}
-        - --v={{ .Values.logLevel }}
-        {{- end }}
-        {{- with .Values.image.kubeRBACProxy }}
-        image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-        {{- end }}
-        imagePullPolicy: {{ .Values.image.kubeRBACProxy.pullPolicy }}
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        {{- with .Values.resources.kubeRBACProxy }}
-        resources:
-        {{- toYaml . | nindent 12 }}
-        {{- end }}
-        {{- with .Values.containerSecurityContext.kubeRBACProxy }}
-        securityContext:
-        {{- toYaml . | nindent 12 }}
-        {{- end }}
       terminationGracePeriodSeconds: 10
       {{- with .Values.volumes }}
       volumes:

diff --git a/hack/charts/cluster-api-operator/values.yaml b/hack/charts/cluster-api-operator/values.yaml
@@ -26,10 +26,6 @@ image:
     repository: gcr.io/k8s-staging-capi-operator/cluster-api-operator
     tag: dev
     pullPolicy: IfNotPresent
-  kubeRBACProxy:
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
-    tag: v0.14.1
-    pullPolicy: IfNotPresent
 healthAddr: ":8081"
 metricsBindAddr: "127.0.0.1:8080"
 imagePullSecrets: {}
@@ -41,19 +37,7 @@ resources:
     requests:
       cpu: 100m
       memory: 100Mi
-  kubeRBACProxy:
-    limits:
-      cpu: 500m
-      memory: 128Mi
-    requests:
-      cpu: 5m
-      memory: 64Mi
-containerSecurityContext:
-  kubeRBACProxy:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - ALL
+containerSecurityContext: {}
 affinity:
   nodeAffinity:
     requiredDuringSchedulingIgnoredDuringExecution:

diff --git a/test/e2e/resources/full-chart-install.yaml b/test/e2e/resources/full-chart-install.yaml
@@ -13961,40 +13961,6 @@ rules:
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-metrics-reader
-rules:
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-proxy-role
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -14011,22 +13977,6 @@ subjects:
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-  name: capi-operator-proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: capi-operator-proxy-role
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: 'default'
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
@@ -14093,24 +14043,6 @@ subjects:
 # Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: v1
 kind: Service
-metadata:
-  labels:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-    control-plane: controller-manager
-  name: capi-operator-controller-manager-metrics-service
-  namespace: 'default'
-spec:
-  ports:
-  - name: https
-    port: 8443
-    targetPort: https
-  selector:
-    clusterctl.cluster.x-k8s.io/core: capi-operator
-    control-plane: controller-manager
----
-# Source: cluster-api-operator/templates/operator-components.yaml
-apiVersion: v1
-kind: Service
 metadata:
   labels:
     clusterctl.cluster.x-k8s.io/core: capi-operator
@@ -14182,30 +14114,6 @@ spec:
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert
               readOnly: true
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=2
-        image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1"
-        imagePullPolicy: IfNotPresent
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-            limits:
-              cpu: 500m
-              memory: 128Mi
-            requests:
-              cpu: 5m
-              memory: 64Mi
-        securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
       terminationGracePeriodSeconds: 10
       volumes:
         - name: cert