diff --git a/cmd/main.go b/cmd/main.go index 381df1ab5..969ae27ab 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -78,7 +78,7 @@ func init() { // InitFlags initializes the flags. func InitFlags(fs *pflag.FlagSet) { - fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080", + fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080", "The address the metric endpoint binds to.") fs.BoolVar(&enableLeaderElection, "leader-elect", false, diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 691d82e65..bef5f80c1 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -26,10 +26,6 @@ bases: - ../namespace patchesStrategicMerge: - # Protect the /metrics endpoint by putting it behind auth. - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml # Provide customizable hook for make targets. - manager_image_patch.yaml - manager_pull_policy.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index a7952c1e8..000000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
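Review bot: The new default `localhost:8080` keeps the metrics listener off the pod network, but the help string on the following context line still only says where the endpoint binds, so nothing tells an operator that this endpoint is now served without any authn/z — the kube-rbac-proxy sidecar, its RBAC and the kustomize comment explaining the trade-off are all deleted in this same commit, and whoever moves the address to `0.0.0.0:8080` to make it scrapable again will expose /metrics to every pod that can reach the manager. I would say so in the flag text: `"The address the metric endpoint binds to. The endpoint has no authentication; keep it on loopback unless access is restricted by other means (e.g. NetworkPolicy or an authenticated metrics server)."` The Helm values in this commit keep `127.0.0.1:8080` while the binary now defaults to `localhost:8080`; keeping the two identical avoids the name-resolution step and any IPv4/IPv6 surprise when one of them is copied. If the project's controller-runtime version supports it, serving metrics through its secure metrics server with the authentication/authorization filter would restore the protection the sidecar provided without a second container — I cannot see the version from this diff. The body of InitFlags continues outside the hunk.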
@@ -1,54 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-addr=:8081" - - "--metrics-bind-addr=127.0.0.1:8080" - - "--leader-elect" diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index bd4af137a..000000000 --- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: metrics-reader -rules: -- nonResourceURLs: ["/metrics"] - verbs: ["get"] diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 618f5e417..000000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 48ed1e4b8..000000000 --- a/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: default - namespace: system diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 6cf656be1..000000000 --- a/config/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 66c28338f..c887f9f6f 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -3,10 +3,3 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml 
diff --git a/hack/charts/cluster-api-operator/templates/deployment.yaml b/hack/charts/cluster-api-operator/templates/deployment.yaml index 3bae103cd..4d5f8d6b5 100644 --- a/hack/charts/cluster-api-operator/templates/deployment.yaml +++ b/hack/charts/cluster-api-operator/templates/deployment.yaml @@ -101,30 +101,6 @@ spec: volumeMounts: {{- toYaml . | nindent 12 }} {{- end }} - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - {{- if .Values.logLevel }} - - --v={{ .Values.logLevel }} - {{- end }} - {{- with .Values.image.kubeRBACProxy }} - image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" - {{- end }} - imagePullPolicy: {{ .Values.image.kubeRBACProxy.pullPolicy }} - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - {{- with .Values.resources.kubeRBACProxy }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.containerSecurityContext.kubeRBACProxy }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} terminationGracePeriodSeconds: 10 {{- with .Values.volumes }} volumes: diff --git a/hack/charts/cluster-api-operator/values.yaml b/hack/charts/cluster-api-operator/values.yaml index d3aaf1400..e1ca8dc9b 100644 --- a/hack/charts/cluster-api-operator/values.yaml +++ b/hack/charts/cluster-api-operator/values.yaml @@ -26,10 +26,6 @@ image: repository: gcr.io/k8s-staging-capi-operator/cluster-api-operator tag: dev pullPolicy: IfNotPresent - kubeRBACProxy: - repository: gcr.io/kubebuilder/kube-rbac-proxy - tag: v0.14.1 - pullPolicy: IfNotPresent healthAddr: ":8081" metricsBindAddr: "127.0.0.1:8080" imagePullSecrets: {} 
@@ -41,19 +37,7 @@ resources: requests: cpu: 100m memory: 100Mi - kubeRBACProxy: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi -containerSecurityContext: - kubeRBACProxy: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL +containerSecurityContext: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/test/e2e/resources/full-chart-install.yaml b/test/e2e/resources/full-chart-install.yaml index 23383af8f..8f1334765 100644 --- a/test/e2e/resources/full-chart-install.yaml +++ b/test/e2e/resources/full-chart-install.yaml @@ -13961,40 +13961,6 @@ rules: --- # Source: cluster-api-operator/templates/operator-components.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - clusterctl.cluster.x-k8s.io/core: capi-operator - name: capi-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -# Source: cluster-api-operator/templates/operator-components.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - clusterctl.cluster.x-k8s.io/core: capi-operator - name: capi-operator-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -# Source: cluster-api-operator/templates/operator-components.yaml -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: 
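Review bot: `containerSecurityContext: {}` drops the only hardened container settings the chart shipped (`allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` on the proxy) without carrying them over to the manager container, so the rendered Deployment now has no securityContext at all unless the template supplies one elsewhere. If the deployment template reads `.Values.containerSecurityContext.manager` (not visible in this diff), I would ship the same baseline for it rather than an empty map: `containerSecurityContext: {manager: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}}`. A comment on the key such as `# Per-container securityContext; keep privilege escalation disabled and drop all capabilities for the manager.` would also keep the intent visible to chart users who override it.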
@@ -14011,22 +13977,6 @@ subjects: --- # Source: cluster-api-operator/templates/operator-components.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - clusterctl.cluster.x-k8s.io/core: capi-operator - name: capi-operator-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: capi-operator-proxy-role -subjects: -- kind: ServiceAccount - name: default - namespace: 'default' ---- -# Source: cluster-api-operator/templates/operator-components.yaml -apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: @@ -14093,24 +14043,6 @@ subjects: # Source: cluster-api-operator/templates/operator-components.yaml apiVersion: v1 kind: Service -metadata: - labels: - clusterctl.cluster.x-k8s.io/core: capi-operator - control-plane: controller-manager - name: capi-operator-controller-manager-metrics-service - namespace: 'default' -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - clusterctl.cluster.x-k8s.io/core: capi-operator - control-plane: controller-manager ---- -# Source: cluster-api-operator/templates/operator-components.yaml -apiVersion: v1 -kind: Service metadata: labels: clusterctl.cluster.x-k8s.io/core: capi-operator @@ -14182,30 +14114,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=2 - image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1" - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL terminationGracePeriodSeconds: 10 volumes: - name: cert