Remove usage of `kube-rbac-proxy` and switch to the built-in `WithAuthenticationAndAuthorization` filter instead #338
seems legit though did not test (or fully grok the changes).
…dAuthorization` filter This is enabled only if `--metrics-over-https` is enabled, which is done to avoid passing service account tokens over HTTP. Metrics serving over HTTPS is disabled by default (when running the operator locally), but enabled when deployed either with or without OLM. Ref: https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/metrics/filters#WithAuthenticationAndAuthorization
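A simplified, standard-library model of the check described in the commit message above, added as an illustration and not code from this PR or from controller-runtime: bearer-token authentication, then authorization for the request's verb and path, plus a plain-HTTP refusal that mirrors the PR's choice to enable the filter only with `--metrics-over-https`. The names `Protect` and `Probe`, the callback signatures, the status code used for plain HTTP and the sample tokens are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Protect models the gate; authn/authz are hypothetical stand-ins for TokenReview and SubjectAccessReview.
// authn returns the user name for a valid token, or "" when the token is not recognized.
func Protect(next http.Handler, authn func(token string) string, authz func(user, verb, path string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil { // added guard, not in the real filter: no bearer tokens over plain HTTP
			http.Error(w, "HTTPS required", http.StatusBadRequest)
			return
		}
		h, user := r.Header.Get("Authorization"), ""
		if strings.HasPrefix(h, "Bearer ") {
			user = authn(strings.TrimPrefix(h, "Bearer "))
		}
		if user == "" { // missing, malformed or unknown token
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if !authz(user, strings.ToLower(r.Method), r.URL.Path) {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one GET /metrics through the gate and returns the status code.
func Probe(overTLS bool, token string) int {
	users := map[string]string{"tok-prom": "prometheus", "tok-dev": "developer"} // constructed samples
	authn := func(t string) string { return users[t] }
	authz := func(u, verb, path string) bool { return u == "prometheus" && verb == "get" && path == "/metrics" }
	req, rec := httptest.NewRequest(http.MethodGet, "/metrics", nil), httptest.NewRecorder()
	if overTLS {
		req.TLS = &tls.ConnectionState{}
	}
	req.Header.Set("Authorization", "Bearer "+token)
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "up 1") })
	Protect(metrics, authn, authz).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(Probe(true, "tok-prom"), Probe(true, "tok-dev"), Probe(true, ""), Probe(false, "tok-prom")) }
```

An authenticated but unauthorized caller gets 403 rather than 401, which is the distinction to look for when a scraper's service account is missing the RBAC grant for `/metrics`.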
New changes are detected. LGTM label has been removed.
Rebased and force-pushed to fix Git conflicts reported.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: gazarenkov, nickboldt
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Description

This removes all usage of the `kube-rbac-proxy` sidecar container, which was used to protect the `/metrics` endpoint exposed by the controller. This ensured that only authorized users and service accounts could access potentially sensitive metrics data.

Instead, it is now recommended to leverage the built-in `WithAuthenticationAndAuthorization` filter which provides a similar authn/authz protection of this endpoint but without the need for an extra container.

More context in kubernetes-sigs/controller-runtime#2073 and https://book.kubebuilder.io/reference/metrics#how-the-metrics-endpoint-can-be-protected-
Which issue(s) does this PR fix or relate to
PR acceptance criteria
`rhdh-operator.clusterserviceversion.yaml` file accordingly
How to test changes / Special notes to the reviewer
From this PR: