[Deprecation] Removal of options and features that don't fit with upstream #196

Closed
ibihim opened this issue Aug 26, 2022 · 2 comments

Comments

@ibihim
Collaborator

ibihim commented Aug 26, 2022

What

We will remove the following options in the v1 release:

  1. --tls-reload-interval as this option is not supported by upstream,
  2. insecure-listen-address won't work anymore and
  3. tls-cert-file == nil and tls-private-key-file == nil won't work anymore; TLS is now mandatory.

Why

1.

We were asked to use the upstream cert loader, which doesn't support custom intervals.

2. and 3.

We are aware that we create obstacles in running kube-rbac-proxy for testing or debugging purposes.
But we reduce the probability of an insecure setup of kube-rbac-proxy, which is a security-relevant component.

Running kube-rbac-proxy without TLS certificates makes it possible to impersonate kube-rbac-proxy.

The reason that we remove that capability is a pre-acceptance requirement for kube-rbac-proxy, before we can donate the project to sig-auth of k8s.

Reference

@ibihim ibihim changed the title [Deprecation] Removal of interval option: --tls-reload-interval [Deprecation] Removal of options and features that don't fit with upstream Nov 28, 2022
@camilamacedo86
Contributor

Hi @ibihim,

Could you please add here how we should replace those flags to sort out the deprecation?

See that we are using:

- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"

So, how should it be done now?
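
An added example, not part of the thread and not kube-rbac-proxy code: a small audit that checks a container's args against the three v1 removals exactly as the issue lists them. The certificate paths and the legacy sample are constructed placeholders; the flag names are the ones quoted in the issue.

```python
# Added example, not kube-rbac-proxy code. Flag names come from the issue text.
REMOVED = {
    "--tls-reload-interval": "not supported by the upstream cert loader",
    "--insecure-listen-address": "plaintext listener no longer works",
}
TLS_PAIR = ("--tls-cert-file", "--tls-private-key-file")


def parse_flags(args):
    """Map flag name -> value for '--flag=value' and '--flag value' forms."""
    flags, i = {}, 0
    while i < len(args):
        name, sep, value = args[i].partition("=")
        if name.startswith("--"):
            # '--flag value': take the next token as the value if it is not a flag
            if not sep and i + 1 < len(args) and not args[i + 1].startswith("-"):
                i += 1
                value = args[i]
            flags[name] = value
        i += 1
    return flags


def audit(args):
    """Return findings; an empty list means none of the three removals apply."""
    flags = parse_flags(args)
    findings = [f"{name}: {why}" for name, why in REMOVED.items() if name in flags]
    # The issue names the case where both are unset; a lone cert or key is
    # flagged too, since a TLS listener needs the pair.
    missing = [name for name in TLS_PAIR if not flags.get(name)]
    if missing:
        findings.append("TLS is mandatory in v1, not set: " + ", ".join(missing))
    return findings


# Args quoted in the comment above.
THREAD_ARGS = ["--secure-listen-address=0.0.0.0:8443", "--upstream=http://127.0.0.1:8080/",
               "--logtostderr=true", "--v=0"]
# Constructed samples; the certificate paths are placeholders.
LEGACY_ARGS = ["--insecure-listen-address=0.0.0.0:8080", "--tls-reload-interval", "30s"]
TLS_ARGS = THREAD_ARGS + ["--tls-cert-file=/etc/tls/tls.crt",
                          "--tls-private-key-file=/etc/tls/tls.key"]

if __name__ == "__main__":
    for label, args in [("thread", THREAD_ARGS), ("legacy", LEGACY_ARGS), ("tls", TLS_ARGS)]:
        print(label, audit(args) or "ok")
```
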

@ibihim
Collaborator Author

ibihim commented Jan 26, 2024

I will add a README.md entry for this.

@ibihim ibihim closed this as completed Mar 18, 2024
hoexter added a commit to hoexter/kube-rbac-proxy that referenced this issue Jun 17, 2024
Seems this was deprecated as part of
brancz#196 and a log
message warns about it.

Signed-off-by: Sven Höxter <sven.hoexter@paymenttools.com>