Migrate from kube-rbac-proxy to authn/authz filter
What does this MR do?
Migrate from kube-rbac-proxy to authn/authz filter
Kubebuilder deprecated its kube-rbac-proxy images, and the images will be unavailable from 2025-03-18. This migrates to use an authn/authz filter as described in https://book.kubebuilder.io/reference/metrics#by-using-authnauthz-enabled-by-default.
- Deprecation notice: https://github.com/kubernetes-sigs/kubebuilder/discussions/3907
- Filter function documentation: https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization
Author's Checklist
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
- Ensure a release milestone is set.
- MR title and description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- MR has a green pipeline on GitLab.com.
- When ready for review, MR is labeled workflow::ready for review per the MR workflow.
Expected
- Test plan indicating conditions for success has been posted and passes.
- Documentation is created or updated.
- Tests are added.
Test Plan
- Install the Operator
- Confirm metrics are served as expected by deploying a metrics reader/consumer:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-consumer
  namespace: gitlab-operator-v2-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-consumer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-operator-v2-metrics-reader
subjects:
  - kind: ServiceAccount
    name: metrics-consumer
    namespace: gitlab-operator-v2-system
---
# Adapted from https://book.kubebuilder.io/reference/metrics#by-using-authnauthz-enabled-by-default
apiVersion: v1
kind: Pod
metadata:
  name: gl-metrics-consumer
  namespace: gitlab-operator-v2-system
spec:
  serviceAccountName: metrics-consumer
  containers:
    - name: metrics-consumer
      image: curlimages/curl:7.78.0
      command: ["/bin/sh"]
      args:
        - "-c"
        - >
          while true;
          do
            # Note here that we are passing the token obtained from the ServiceAccount to curl the metrics endpoint
            curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://gitlab-operator-v2-controller-manager-metrics-service:8443/metrics;
            sleep 5;
          done
```
Related issues
Closes #91 (closed)
Edited by Clemens Beck
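Added example, not part of the MR or of controller-runtime: a standard-library Go model of the decision order the authn/authz filter applies to a metrics request (authenticate the bearer token, then authorize a GET on /metrics), showing the two negative cases the test plan above does not exercise. The tokens, `tokenToUser`, `metricsReaders`, `withAuthnAuthz` and `probe` are constructed stand-ins for the TokenReview and SubjectAccessReview calls made in a real cluster.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-ins: in a cluster, TokenReview resolves the token to a user
// and SubjectAccessReview checks the metrics-reader ClusterRole binding.
const consumer = "system:serviceaccount:gitlab-operator-v2-system:metrics-consumer"

var tokenToUser = map[string]string{"tok-consumer": consumer, "tok-unbound": "system:serviceaccount:default:default"}
var metricsReaders = map[string]bool{consumer: true}

// withAuthnAuthz models the filter's decision order: authenticate, then authorize.
func withAuthnAuthz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		user, known := tokenToUser[token]
		if !ok || !known { // missing, malformed or unknown token
			http.Error(w, "Authentication failed", http.StatusUnauthorized)
			return
		}
		if !(r.Method == http.MethodGet && metricsReaders[user]) { // no binding
			http.Error(w, "Authorization denied", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe returns the status code /metrics yields for a bearer token ("" sends none).
func probe(token string) int {
	h := withAuthnAuthz(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "# constructed sample metric\nup 1")
	}))
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe(""), probe("tok-unbound"), probe("tok-consumer"))
}
```

Against a deployed operator, the same three probes map to curl without a token, curl from a ServiceAccount that lacks the ClusterRoleBinding, and the `metrics-consumer` pod from the test plan.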