-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove dependency for kube-rbac-proxy and add secure-metrics feature #3833
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3833 +/- ##
==========================================
- Coverage 53.42% 53.40% -0.03%
==========================================
Files 1521 1521
Lines 546189 546189
==========================================
- Hits 291781 291665 -116
- Misses 209457 209573 +116
Partials 44951 44951 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, but needs a couple minor tweaks. Approving so you can merge when they're done.
@@ -7,7 +7,7 @@ The metrics exposed fall into two groups: Azure based metrics, and reconciler me | |||
|
|||
## Toggling the metrics | |||
|
|||
By default, metrics for ASOv2 are turned on and can be toggled by the following options: | |||
By default, secure metrics for ASOv2 are turned on and can be toggled by the following options: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are they really turned on, given the option below says default: false
?
docs/hugo/content/guide/metrics.md
Outdated
|
||
- Use the settings below in your deployment: | ||
|
||
- #### ASOv2 Helm Chart |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this bullet point needs to be a heading - and if it were a heading, it would be 3rd level, not 4th.
Suggest changing to plain text.
scripts/v2/generate-helm-manifest.sh
Outdated
#grep -E $KUBE_RBAC_PROXY "$GEN_FILES_DIR"/*_deployment_* > /dev/null # Ensure that what we're about to try to replace actually exists (if it doesn't we want to fail) | ||
#sed -i "s@$KUBE_RBAC_PROXY.*@{{.Values.image.kubeRBACProxy}}@g" "$GEN_FILES_DIR"/*_deployment_* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Commented out - either restore or delete.
@@ -92,6 +92,9 @@ image: | |||
# 'address' field defines the metrics binding address on which metrics | |||
metrics: | |||
enable: true | |||
# secureMetrics controls whether metrics should be served via 'http' or 'https'. | |||
# Flagging secureMetrics as true would use https | |||
secureMetrics: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment in this yaml file reinforces my earlier question about whether secure metrics are turned on by default.
v2/cmd/controller/app/setup.go
Outdated
SecureServing: true, | ||
FilterProvider: filters.WithAuthenticationAndAuthorization, | ||
// Note that pprof endpoints are meant to be sensitive and shouldn't be exposed publicly. | ||
ExtraHandlers: map[string]http.Handler{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We probably should have a specific cmdline flag that enables this and it should default to off.
This is what apiserver does via the --profiling
argument, though it defaults it to true.
I'd argue we should have both metrics.secure
and metrics.profiling
flags in Helm, and two cmdline args in ASO to control these two bits.
Secure metrics shouldn't (IMO) require that you expose pprof.
v2/cmd/controller/app/setup.go
Outdated
func getMetricsOpts(flags Flags) server.Options { | ||
var metricsOptions server.Options | ||
|
||
if !flags.SecureMetrics { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code doesn't seem right, because it doesn't return here, it falls through and then overwrites the metricsOptions
below?
I think you want something like:
var metricsOptions
if secure {
// secure
} else {
// insecure
}
if profiling {
// profiling
}
return
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or if you want to only enable profiling if secure, put that bit into the secure bit, and/or (maybe better) add a check that secure is not off with profiling on and if so return an error and crash the pod.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah good catch. I missed return there. I'll update
# Flagging secure as 'true' would use https | ||
# Refer to https://azure.github.io/azure-service-operator/guide/metrics/ for more information | ||
secure: true | ||
# profiling endpoints are only enabled when serving metrics securely |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: Say what profiling is (it enables /pprof endpoints), in addition to its restrictions. Though, see below about this restriction because I am not sure it is needed?
v2/cmd/controller/app/flags.go
Outdated
@@ -54,6 +60,9 @@ func ParseFlags(args []string) (Flags, error) { | |||
|
|||
// default here for 'MetricsAddr' is set to "0", which sets metrics to be disabled if 'metrics-addr' flag is omitted. | |||
flagSet.StringVar(&metricsAddr, "metrics-addr", "0", "The address the metric endpoint binds to.") | |||
flagSet.BoolVar(&secureMetrics, "secure-metrics", true, "Enable secure metrics. This secures the pprof and metrics endpoints via Kubernetes RBAC and HTTPS") | |||
flagSet.BoolVar(&profilingMetrics, "profiling-metrics", true, "Enable pprof metrics, only enabled in conjunction with secure-metrics. This will enable serving pprof metrics endpoints") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Default should probably be false
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved with one minor style comment
docs/hugo/content/guide/metrics.md
Outdated
|
||
Follow the steps below to scrape metrics securely. | ||
|
||
### ASOv2 Helm Chart |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
very minor: Could use one of the table-selector thingies here, like we do for Windows versus Linux in the installation instructions?
Closes #3741
What this PR does / why we need it:
This PR removes dependency for
kube-rbac-proxy
for securely serving metrics.Instead, we have a
secure-metrics
feature flag in ASO using which users can toggle to enable metrics via HTTPs.Bonus: Have added
pprof
handlers as well.If applicable: