
Migrate from kube-rbac-proxy to authn/authz filter

Clemens Beck requested to merge cb-rbac-proxy into main

What does this MR do?

Migrate from kube-rbac-proxy to authn/authz filter

Kubebuilder deprecated its kube-rbac-proxy images, and the images will be unavailable from 2025-03-18. This migrates to use an authn/authz filter as described in https://book.kubebuilder.io/reference/metrics#by-using-authnauthz-enabled-by-default.

Author's Checklist

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Ensure a release milestone is set.
  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • MR has a green pipeline on GitLab.com.
  • When ready for review, MR is labeled workflow::ready for review per the MR workflow.

Expected

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation is created or updated.
  • Tests are added.

Test Plan

  • Install the Operator

  • Confirm metrics are served as expected by deploying a metrics reader/consumer:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: metrics-consumer
      namespace: gitlab-operator-v2-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: metrics-consumer-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: gitlab-operator-v2-metrics-reader
    subjects:
    - kind: ServiceAccount
      name: metrics-consumer
      namespace: gitlab-operator-v2-system
    ---
    # Adapted from https://book.kubebuilder.io/reference/metrics#by-using-authnauthz-enabled-by-default
    apiVersion: v1
    kind: Pod
    metadata:
      name: gl-metrics-consumer
      namespace: gitlab-operator-v2-system
    spec:
      serviceAccountName: metrics-consumer
      containers:
      - name: metrics-consumer
        image: curlimages/curl:7.78.0
        command: ["/bin/sh"]
        args:
          - "-c"
          - >
            while true;
            do
              # Note here that we are passing the token obtained from the ServiceAccount to curl the metrics endpoint
              curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://gitlab-operator-v2-controller-manager-metrics-service:8443/metrics;
              sleep 5;
            done

Related issues

Closes #91 (closed)

Edited by Clemens Beck
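The test plan above exercises only the authorized path. The following added example (not code from this MR or from controller-runtime) is a simplified, standard-library-only model of the decision order an authn/authz metrics filter applies: authenticate the bearer token first, then authorize the verb and path. The token values, the `default` service account and the helper names are constructed for illustration; the maps stand in for the API server's TokenReview and SubjectAccessReview answers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const saPrefix = "system:serviceaccount:gitlab-operator-v2-system:"

// Constructed stand-ins for the API server's answers (token values are made up):
// tokenUsers plays TokenReview, metricsReaders plays SubjectAccessReview.
var (
	tokenUsers     = map[string]string{"tok-consumer": saPrefix + "metrics-consumer", "tok-default": saPrefix + "default"}
	metricsReaders = map[string]bool{saPrefix + "metrics-consumer": true} // may "get" /metrics
)

// authFilter models the filter's decision order: an unknown or missing
// bearer token yields 401; a known user without the grant yields 403.
func authFilter(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := r.Header.Get("Authorization")
		user, known := tokenUsers[strings.TrimPrefix(hdr, "Bearer ")]
		if !strings.HasPrefix(hdr, "Bearer ") || !known {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if strings.ToLower(r.Method) != "get" || r.URL.Path != "/metrics" || !metricsReaders[user] {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request to /metrics through the filter and returns the status code.
func probe(method, authHeader string) int {
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "# metrics placeholder") })
	req := httptest.NewRequest(method, "/metrics", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	authFilter(metrics).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("GET", ""), probe("GET", "Bearer tok-default"), probe("GET", "Bearer tok-consumer"))
}
```

Against a real deployment, the same three cases map to a request without a token, a request from a service account that has no binding to the metrics-reader role, and the `metrics-consumer` pod from the test plan.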
