🚨 Action Required: Ensure that you no longer use gcr.io/kubebuilder images #3907
camilamacedo86
announced in
Announcements
Replies: 1 comment
If you want to know more about metrics, please check the documentation: https://book.kubebuilder.io/reference/metrics
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025.

Projects initialized with Kubebuilder versions v3.14 or lower use kube-rbac-proxy to protect the metrics endpoint. If your project is one of those, you can continue using kube-rbac-proxy by simply replacing the image, or change how the metrics endpoint is protected in your project.

Projects initialized with Kubebuilder versions v4.1.0 or higher have similar protection: authn/authz enabled by default via Controller-Runtime's feature WithAuthenticationAndAuthorization. In this case, upgrade your project, or ensure that you have applied the same code changes to it.

If you are using, or wish to continue using, kube-rbac-proxy:

You must replace the image gcr.io/kubebuilder/kube-rbac-proxy with the image provided by the kube-rbac-proxy maintainers (quay.io/brancz/kube-rbac-proxy), which is not supported or promoted by Kubebuilder, or with an image from any other registry/source of your choice.

Check the usage in the file config/default/manager_auth_proxy_patch.yaml, where the kube-rbac-proxy container is patched:
kubebuilder/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml, lines 11 to 23 in 94a5ab8

and in config/default/kustomization.yaml, where the kube-rbac-proxy patch is applied by default:
kubebuilder/testdata/project-v4/config/default/kustomization.yaml, lines 29 to 33 in 94a5ab8
❓ Why is this happening?
Kubebuilder has been rebuilding and re-tagging these images for several years. However, due to recent infrastructure changes for projects under the Kubernetes umbrella, we are now required to use the shared Kubernetes infrastructure. kube-rbac-proxy is in the process of joining the umbrella but is not yet part of it, so sadly we cannot build and promote its images using the new k8s infrastructure. To follow the ongoing process and the changes required for the project to be accepted, see: brancz/kube-rbac-proxy#238
Moreover, Google Cloud Platform has deprecated the Container Registry, which has been used to promote these images.
Additionally, the ongoing changes and the phase-out of the previous GCP infrastructure mean that Kubebuilder maintainers are no longer able to support, build, or ensure the promotion of these images. For further information, please check the proposal for this change and its motivations here.
Why does the metrics endpoint need to be protected?
Unprotected metrics endpoints expose data to unauthorized users, such as system performance, application behavior, and potentially confidential operational metrics. An attacker can use that information to learn how the system operates and to target its weaknesses.
Why doesn't NetworkPolicy provide the same level of protection as kube-rbac-proxy?
NetworkPolicy acts as a basic firewall for pods within a Kubernetes cluster, controlling traffic flow at the IP address or port level, and it is only enforced when the cluster's network plugin supports it. It does not handle authentication (authn), authorization (authz), or encryption, which the kube-rbac-proxy solution does.
How can the metrics endpoint be protected?
1) By continuing to use kube-rbac-proxy with the image replaced, as described above.
2) (Projects initialized with Kubebuilder v4.1.0 or higher) By using Controller-Runtime's feature WithAuthenticationAndAuthorization, which can handle authn/authz similar to what was provided via kube-rbac-proxy.
Please ensure that you update your configurations accordingly to avoid any disruptions. If you have any questions or need further assistance, feel free to ask in this discussion thread and/or the kubebuilder Slack channel.
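The two remediations described in this announcement (replacing the kube-rbac-proxy image in config/default/manager_auth_proxy_patch.yaml, or relying on Controller-Runtime's WithAuthenticationAndAuthorization in projects on v4.1.0 or higher) as an added shell audit. This is example code written for this page, not tooling from the Kubebuilder project. It assumes the v4 scaffold layout (manifests under config/, entrypoint at cmd/main.go), builds a constructed sample project so it runs offline, and uses the placeholder tag vX.Y.Z where you must put a tag actually published under quay.io/brancz/kube-rbac-proxy (or whichever source you pick).

```shell
#!/bin/sh
# Added example for this announcement; not Kubebuilder's own tooling.
# Audits a Kubebuilder project for the retired gcr.io/kubebuilder images,
# rewrites the kube-rbac-proxy image in the kustomize patch, and checks whether
# main.go instead uses controller-runtime's WithAuthenticationAndAuthorization.
# Assumptions: v4 scaffold layout (config/, cmd/main.go); the replacement image
# and tag are supplied by the caller and must be ones that actually exist.

# List every file:line under $1 that still references gcr.io/kubebuilder.
# Returns 1 when at least one reference remains, 0 when the tree is clean.
find_gcr_refs() {
  hits=$(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' -o -name '*.go' -o -name Makefile \) \
           -exec grep -Hn 'gcr\.io/kubebuilder' {} + 2>/dev/null || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Rewrite the kube-rbac-proxy image reference in the kustomize patch $1 to $2.
# sed -i is not portable, so write through a temp file and move it into place.
replace_proxy_image() {
  tmp="$1.tmp.$$"
  sed "s#gcr\.io/kubebuilder/kube-rbac-proxy:[^[:space:]]*#$2#g" "$1" > "$tmp" && mv "$tmp" "$1"
}

# For projects on Kubebuilder v4.1.0 or higher: report whether $1 (main.go)
# references controller-runtime's metrics filter
# (package sigs.k8s.io/controller-runtime/pkg/metrics/filters). 0 = yes, 1 = no.
uses_cr_auth_filter() {
  grep -q 'filters\.WithAuthenticationAndAuthorization' "$1"
}

# Constructed sample project (shaped like the scaffold, not copied from it)
# so the audit can be exercised end to end without a real project.
# Prints the path of the temporary project directory.
make_sample_project() {
  work=$(mktemp -d)
  mkdir -p "$work/config/default" "$work/cmd"
  cat > "$work/config/default/manager_auth_proxy_patch.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      containers:
      - name: kube-rbac-proxy
        image: gcr.io/kubebuilder/kube-rbac-proxy:vX.Y.Z   # retired image, placeholder tag
EOF
  printf 'package main\n\n// constructed stub: no metrics filter wired yet\nfunc main() {}\n' > "$work/cmd/main.go"
  printf '%s\n' "$work"
}

# Demo: audit the sample, swap the image, and audit again.
demo() {
  proj=$(make_sample_project)
  echo "== before =="
  find_gcr_refs "$proj" || echo "retired images are still referenced"
  replace_proxy_image "$proj/config/default/manager_auth_proxy_patch.yaml" \
    "quay.io/brancz/kube-rbac-proxy:vX.Y.Z"
  echo "== after =="
  find_gcr_refs "$proj" && echo "clean: no gcr.io/kubebuilder references left"
  uses_cr_auth_filter "$proj/cmd/main.go" \
    || echo "main.go does not use WithAuthenticationAndAuthorization (fine if you kept kube-rbac-proxy)"
  rm -rf "$proj"
}
demo
```

Run it from the project root with the real paths instead of the sample (for example `find_gcr_refs .` and `replace_proxy_image config/default/manager_auth_proxy_patch.yaml <image:tag>`); a non-zero exit from find_gcr_refs in CI is a cheap way to make sure the retired registry does not creep back in.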