✨ Replace deprecated kube-rbac-proxy with controller-runtime built-in metrics auth#1507
Open
aruneshpa wants to merge 1 commit intovmware-tanzu:mainfrom
Conversation
aruneshpa
force-pushed
the
features/use-controller-runtime-instead-of-kube-rbac-proxy
branch
2 times, most recently
from
c6f028d to
3e2d5b7
Compare
… metrics auth kube-rbac-proxy has been deprecated upstream. This replaces it with controller-runtime's built-in SecureServing and FilterProvider using filters.WithAuthenticationAndAuthorization, which performs the same TokenReview/SubjectAccessReview checks in-process. - Enable SecureServing and FilterProvider on metricsserver.Options - Add MetricsTLSOpts to manager Options with default TLS 1.2+ and ECDHE+AES-GCM cipher suites, matching the prior kube-rbac-proxy config - Remove kube-rbac-proxy sidecar from deployment patches - Update default metrics bind address from :8083 to :8443 - Remove proxy_metrics_port_patch.yaml (no longer needed) - Simplify WCP manager_metrics_port_patch to configure manager directly - Keep existing RBAC for TokenReviews/SubjectAccessReviews (still needed) Testing Done: - Modified the deployment in an existing env. Had to update RBAC and patch the deployment. - Directly accessing the metrics port now we get 401: root@4236e339a8bbba37cfa10f814885be6f [ ~ ]# curl -sk https://localhost:9848/metrics Unauthorized - Since the metrics port has TLS enabled, sending HTTP request returns error root@4236e339a8bbba37cfa10f814885be6f [ ~ ]# curl -sk http://localhost:9848/metrics Client sent an HTTP request to an HTTPS server. - Successfully able to get metrics directly by going to the Pod's metrics port: ``` root@4236e339a8bbba37cfa10f814885be6f [ ~ ]# TOKEN=$(kubectl -n vmware-system-vmop create token vmware-system-vmop-vmoperator-service-account --duration=10m) && curl -sk -H "Authorization: Bearer $TOKEN" https://localhost:9848/metrics | more certwatcher_read_certificate_errors_total 0 certwatcher_read_certificate_total 6504 ``` - With Cypher suites for 1.3 root@4236e339a8bbba37cfa10f814885be6f [ ~ ]# TOKEN=$(kubectl -n vmware-system-vmop create token vmware-system-vmop-vmoperator-service-account --duration=10m) && curl --tls13-ciphers 'TLS_AES_256_GCM_SHA384' -sk -H "Authorization: Bearer $TOKEN" https://localhost:9848/metrics | head -5 certwatcher_read_certificate_errors_total 0
aruneshpa
force-pushed
the
features/use-controller-runtime-instead-of-kube-rbac-proxy
branch
from
3e2d5b7 to
727f54b
Compare
aruneshpa
changed the title
Minimum allowed line rate is |
|
Makes sense to me! /lgtm |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do, and why is it needed?
kube-rbac-proxy has been deprecated upstream. This replaces it with controller-runtime's built-in SecureServing and FilterProvider using filters.WithAuthenticationAndAuthorization, which performs the same TokenReview/SubjectAccessReview checks in-process.
Please add a release note if necessary: