Merge tag 'v0.18.1' into release-0.18.1-downstream

v0.18.1

.github/workflows/build.yml

@@ -1,12 +1,9 @@
 name: Go
-
 on: [push, pull_request]
-
 env:
   QUAY_PATH: quay.io/brancz/kube-rbac-proxy
-  go-version: '1.21.3'
-  kind-version: 'v0.20.0'
-
+  go-version: '1.23'
+  kind-version: 'v0.24.0'
 jobs:
   check-license:
     runs-on: ubuntu-latest
@@ -83,23 +80,23 @@ jobs:
     name: Publish container image to Quay
     if: github.event_name == 'push'
     needs:
-      - check-license
-      - generate
-      - build
-      - unit-tests
-      - e2e-tests
+    - check-license
+    - generate
+    - build
+    - unit-tests
+    - e2e-tests
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Setup golang for building
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.go-version }}
-      - name: Login to Quay.io
-        uses: docker/login-action@v1
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_PASSWORD }}
-      - name: Build images and push
-        run: ./scripts/publish.sh
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Setup golang for building
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ env.go-version }}
+    - name: Login to Quay.io
+      uses: docker/login-action@v1
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_USERNAME }}
+        password: ${{ secrets.QUAY_PASSWORD }}
+    - name: Build images and push
+      run: ./scripts/publish.sh

CHANGELOG.md

@@ -1,3 +1,26 @@
+## 0.18.1 / 2024-06-05
+
+- [ENHANCEMENT] Bump deps, in particular go-jose and golang (->CVE) and k8s (v1.31)
+
+## 0.18.0 / 2024-06-05
+
+- [ENHANCEMENT] Bump deps, in particular otel (>CVE) and k8s (v1.30)
+- [ENHANCEMENT] Add OIDC username prefix, which was missing
+
+## 0.17.1 / 2024-05-07
+
+- [BUGFIX] make deprecated (usptream removed) flags behave like before
+
+## 0.17.0 / 2024-02-08
+
+- [ENHANCEMENT] add command-line args --kube-api-qps/--kube-api-burst
+- [ENHANCEMENT] Bump deps
+
+## 0.16.0 / 2024-02-08
+
+- [ENHANCEMENT] Bump dependencies and in particular to kubernetes to v1.28
+- [CHANGE] Due to the bump to k8s v1.28 some logging flags are disabled
+
 ## 0.15.0 / 2023-10-20
 
 - [ENHANCEMENT] bump opentelemetry to fix CVE

Dockerfile

@@ -1,6 +1,7 @@
 ARG GOARCH=amd64
 ARG GOOS=linux
-FROM gcr.io/distroless/static:nonroot-$GOARCH
+ARG BASEIMAGE=gcr.io/distroless/static:nonroot-$GOARCH
+FROM $BASEIMAGE
 
 ARG BINARY=kube-rbac-proxy-$GOOS-$GOARCH
 COPY _output/$BINARY /usr/local/bin/kube-rbac-proxy

Makefile

@@ -7,6 +7,7 @@ PROGRAM_NAME?=kube-rbac-proxy
 GITHUB_URL=github.com/brancz/kube-rbac-proxy
 GOOS?=$(shell uname -s | tr A-Z a-z)
 GOARCH?=$(shell go env GOARCH)
+BASEIMAGE?=gcr.io/distroless/static:nonroot-$(GOARCH)
 OUT_DIR=_output
 VERSION?=$(shell cat VERSION)-$(shell git rev-parse --short HEAD)
 VERSION_SEMVER?=$(shell echo $(VERSION) | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+')
@@ -56,7 +57,7 @@ update-go-deps:
 	go mod tidy
 
 container: $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) Dockerfile
-	docker build --build-arg BINARY=$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) -t $(CONTAINER_NAME)-$(GOARCH) .
+	docker build --build-arg BINARY=$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) --build-arg BASEIMAGE=$(BASEIMAGE) -t $(CONTAINER_NAME)-$(GOARCH) .
 ifeq ($(GOARCH), amd64)
 	docker tag $(DOCKER_REPO):$(VERSION)-$(GOARCH) $(CONTAINER_NAME)
 endif
@@ -87,6 +88,9 @@ run-curl-container:
 grpcc-container:
 	docker build -f ./examples/grpcc/Dockerfile -t mumoshu/grpcc:v0.0.1 .
 
+test-container: $(OUT_DIR)/$(PROGRAM_NAME)-linux-$(GOARCH) Dockerfile
+	docker build --build-arg BINARY=$(PROGRAM_NAME)-linux-$(GOARCH) --build-arg BASEIMAGE=$(BASEIMAGE) -t $(CONTAINER_NAME) .
+
 test: test-unit test-e2e
 
 test-unit:
@@ -97,7 +101,7 @@ test-e2e:
 
 test-local-setup: VERSION = local
 test-local-setup: VERSION_SEMVER = $(shell cat VERSION)
-test-local-setup: clean container kind-create-cluster
+test-local-setup: clean test-container kind-create-cluster
 test-local: test-local-setup test
 
 kind-delete-cluster:

README.md

@@ -67,6 +67,8 @@ Kube-rbac-proxy flags:
       --http2-max-size uint32                       The maximum number of bytes that the server will accept for frame size and buffer per stream in a HTTP/2 request. (default 262144)
       --ignore-paths strings                        Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
       --insecure-listen-address string              [DEPRECATED] The address the kube-rbac-proxy HTTP server should listen on.
+      --kube-api-burst int                          kube-api burst value; needed when kube-api-qps is set
+      --kube-api-qps float32                        queries per second to the api, kube-client starts client-side throttling, when breached
       --kubeconfig string                           Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
       --oidc-ca-file string                         If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
       --oidc-clientID string                        The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
@@ -75,6 +77,7 @@ Kube-rbac-proxy flags:
       --oidc-issuer string                          The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
       --oidc-sign-alg stringArray                   Supported signing algorithms, default RS256 (default [RS256])
       --oidc-username-claim string                  Identifier of the user in JWT claim, by default set to 'email' (default "email")
+      --oidc-username-prefix string                 If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.
       --proxy-endpoints-port int                    The port to securely serve proxy-specific endpoints (such as '/healthz'). Uses the host from the '--secure-listen-address'.
       --secure-listen-address string                The address the kube-rbac-proxy HTTPs server should listen on.
       --tls-cert-file string                        File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert)
@@ -90,19 +93,8 @@ Kube-rbac-proxy flags:
 
 Global flags:
 
-      --add-dir-header                   If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-  -h, --help                             help for kube-rbac-proxy
-      --log-backtrace-at traceLocation   when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --log-dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --log-file string                  If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --log-file-max-size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --logtostderr                      log to standard error instead of files (default true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --one-output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --skip-headers                     If true, avoid header prefixes in the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --skip-log-headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-      --version version[=true]           Print version information and quit
+  -h, --help                     help for kube-rbac-proxy
+      --version version[=true]   --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version
 ```
 
 

RELEASE.md

@@ -7,7 +7,12 @@ Release shepherds are chosen on a voluntary basis.
 
 | release series | date of release (year-month-day) | release shepherd                            |
 |----------------|----------------------------------|---------------------------------------------|
-| v0.16.0        | TBD                              | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.19.0        | TBD                              | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.18.1        | 2024-08-30                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.18.0        | 2024-06-05                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.17.1        | 2024-05-07                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.17.0        | 2024-04-18                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.16.0        | 2024-02-08                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
 | v0.15.0        | 2023-10-20                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
 | v0.14.4        | 2023-10-16                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
 | v0.14.3        | 2023-09-07                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
@@ -139,4 +144,3 @@ to be pushed to Quay.io.
 
 If the release has happened in the latest release branch, merge the changes into
 main.
-

VERSION

@@ -1 +1 @@
-v0.15.0
+v0.18.1

cmd/kube-rbac-proxy/app/kube-rbac-proxy.go

@@ -40,7 +40,6 @@ import (
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 
-	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/union"
 	"k8s.io/client-go/kubernetes"
@@ -85,17 +84,16 @@ that can perform RBAC authorization against the Kubernetes API using SubjectAcce
 
 			k8sapiflag.PrintFlags(fs)
 
+			if err := o.Validate(); err != nil {
+				return err
+			}
+
 			// set default options
 			completedOptions, err := Complete(o)
 			if err != nil {
 				return err
 			}
 
-			// validate options
-			if errs := completedOptions.Validate(); len(errs) != 0 {
-				return utilerrors.NewAggregate(errs)
-			}
-
 			return Run(completedOptions)
 		},
 		Args: func(cmd *cobra.Command, args []string) error {
@@ -147,63 +145,6 @@ type completedProxyRunOptions struct {
 	ignorePaths []string
 }
 
-func (o *completedProxyRunOptions) Validate() []error {
-	var errs []error
-
-	hasCerts := !(o.tls.CertFile == "") && !(o.tls.KeyFile == "")
-	hasInsecureListenAddress := o.insecureListenAddress != ""
-	if !hasCerts || hasInsecureListenAddress {
-		klog.Warning(`
-==== Deprecation Warning ======================
-
-Insecure listen address will be removed.
-Using --insecure-listen-address won't be possible!
-
-The ability to run kube-rbac-proxy without TLS certificates will be removed.
-Not using --tls-cert-file and --tls-private-key-file won't be possible!
-
-For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/187
-
-===============================================
-
-		`)
-	}
-
-	if o.tls.ReloadInterval != time.Minute {
-		klog.Warning(`
-==== Deprecation Warning ======================
-
-tls-reload-interval will be removed.
-Using --tls-reload-interval won't be possible!
-
-For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/196
-
-===============================================
-		`)
-
-	}
-
-	if len(o.allowPaths) > 0 && len(o.ignorePaths) > 0 {
-		errs = append(errs, fmt.Errorf("cannot use --allow-paths and --ignore-paths together"))
-	}
-
-	for _, pathAllowed := range o.allowPaths {
-		_, err := path.Match(pathAllowed, "")
-		if err != nil {
-			errs = append(errs, fmt.Errorf("failed to verify allow path: %s", pathAllowed))
-		}
-	}
-
-	for _, pathIgnored := range o.ignorePaths {
-		_, err := path.Match(pathIgnored, "")
-		if err != nil {
-			errs = append(errs, fmt.Errorf("failed to verify ignored path: %s", pathIgnored))
-		}
-	}
-
-	return errs
-}
-
 func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) {
 	var err error
 	completed := &completedProxyRunOptions{
@@ -249,6 +190,13 @@ func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) {
 		return nil, fmt.Errorf("failed to load kubeconfig: %w", err)
 	}
 
+	if o.QPS > 0 {
+		kubeconfig.QPS = o.QPS
+	}
+	if o.Burst > 0 {
+		kubeconfig.Burst = o.Burst
+	}
+
 	completed.kubeClient, err = kubernetes.NewForConfig(kubeconfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to instantiate Kubernetes client: %w", err)
@@ -273,7 +221,7 @@ func Run(cfg *completedProxyRunOptions) error {
 
 	// If OIDC configuration provided, use oidc authenticator
 	if cfg.auth.Authentication.OIDC.IssuerURL != "" {
-		oidcAuthenticator, err := authn.NewOIDCAuthenticator(cfg.auth.Authentication.OIDC)
+		oidcAuthenticator, err := authn.NewOIDCAuthenticator(ctx, cfg.auth.Authentication.OIDC)
 		if err != nil {
 			return fmt.Errorf("failed to instantiate OIDC authenticator: %w", err)
 		}
@@ -456,7 +404,7 @@ func Run(cfg *completedProxyRunOptions) error {
 				return srv.Serve(tlsListener)
 			}, func(err error) {
 				if err := srv.Shutdown(context.Background()); err != nil {
-					klog.Errorf("failed to gracefully shutdown server: %w", err)
+					klog.Errorf("failed to gracefully shutdown server: %+v", err)
 				}
 			})
 
@@ -504,7 +452,7 @@ func Run(cfg *completedProxyRunOptions) error {
 					return proxyEndpointsSrv.Serve(tlsListener)
 				}, func(err error) {
 					if err := proxyEndpointsSrv.Shutdown(context.Background()); err != nil {
-						klog.Errorf("failed to gracefully shutdown proxy endpoints server: %w", err)
+						klog.Errorf("failed to gracefully shutdown proxy endpoints server: %+v", err)
 					}
 				})
 			}
@@ -529,10 +477,10 @@ func Run(cfg *completedProxyRunOptions) error {
 				return srv.Serve(l)
 			}, func(err error) {
 				if err := srv.Shutdown(context.Background()); err != nil {
-					klog.Errorf("failed to gracefully shutdown server: %w", err)
+					klog.Errorf("failed to gracefully shutdown server: %+v", err)
 				}
 				if err := l.Close(); err != nil {
-					klog.Errorf("failed to gracefully close listener: %w", err)
+					klog.Errorf("failed to gracefully close listener: %+v", err)
 				}
 			})
 		}
@@ -549,6 +497,10 @@ func Run(cfg *completedProxyRunOptions) error {
 		})
 	}
 
+	if len(cfg.secureListenAddress) == 0 && len(cfg.insecureListenAddress) == 0 {
+		return fmt.Errorf("no listen address provided")
+	}
+
 	if err := gr.Run(); err != nil {
 		return fmt.Errorf("failed to run groups: %w", err)
 	}