From 1aee28338f5c962ef44ca87c13aa38a54ac9f8b6 Mon Sep 17 00:00:00 2001 From: Camila Macedo Date: Mon, 6 May 2024 16:48:52 +0100 Subject: [PATCH] Discontinue Kube RBAC Proxy in Default Kubebuilder Scaffolding --- .github/workflows/test-sample-go.yml | 2 +- .../project/config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 34 --- .../config/default/manager_metrics_patch.yaml | 13 + .../project/config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../project/config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../project/config/rbac/kustomization.yaml | 9 +- ...roxy_service.yaml => metrics_service.yaml} | 6 +- .../project/config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 55 ----- .../config/default/manager_metrics_patch.yaml | 13 + .../project/config/manager/manager.yaml | 4 +- .../project/config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../project/config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../project/config/rbac/kustomization.yaml | 9 +- .../project/config/rbac/metrics_service.yaml} | 6 +- .../project/config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 39 --- .../config/default/manager_metrics_patch.yaml | 13 + .../project/config/manager/manager.yaml | 4 +- .../project/config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../project/config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../project/config/rbac/kustomization.yaml | 9 +- .../project/config/rbac/metrics_service.yaml} | 6 +- docs/book/src/reference/metrics.md | 221 ++++++++++++++--- .../cronjob-tutorial/generate_cronjob.go | 7 - hack/docs/internal/cronjob-tutorial/sample.go | 18 -- pkg/plugin/util/util.go | 30 +++ .../common/kustomize/v2/scaffolds/api.go | 27 ++- .../common/kustomize/v2/scaffolds/init.go | 7 +- .../enable_matrics_patch.go} | 40 +-- .../config/kdefault/kustomization.go | 8 +- .../kdefault/manager_auth_proxy_patch.go | 87 ------- .../templates/config/manager/config.go | 4 +- .../templates/config/prometheus/monitor.go | 7 +- .../config/rbac/auth_proxy_client_role.go | 56 ----- .../templates/config/rbac/auth_proxy_role.go | 64 ----- .../templates/config/rbac/kustomization.go | 8 +- ...th_proxy_service.go => metrics_service.go} | 20 +- test/e2e/v4/generate_test.go | 43 ++++ test/e2e/v4/plugin_cluster_test.go | 227 +++++++++--------- .../config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 39 --- .../config/default/manager_metrics_patch.yaml | 13 + .../config/manager/manager.yaml | 4 +- .../config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../config/rbac/kustomization.yaml | 9 +- ...roxy_service.yaml => metrics_service.yaml} | 6 +- .../dist/install.yaml | 83 +------ .../config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 39 --- .../config/default/manager_metrics_patch.yaml | 13 + .../config/manager/manager.yaml | 4 +- .../config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../config/rbac/kustomization.yaml | 9 +- ...roxy_service.yaml => metrics_service.yaml} | 6 +- .../project-v4-multigroup/dist/install.yaml | 83 +------ .../config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 39 --- .../config/default/manager_metrics_patch.yaml | 13 + .../config/manager/manager.yaml | 4 +- .../config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../config/rbac/kustomization.yaml | 9 +- ...roxy_service.yaml => metrics_service.yaml} | 6 +- .../dist/install.yaml | 83 +------ .../config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 39 --- .../config/default/manager_metrics_patch.yaml | 13 + .../config/manager/manager.yaml | 4 +- .../config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../config/rbac/kustomization.yaml | 8 +- ...roxy_service.yaml => metrics_service.yaml} | 6 +- .../project-v4-with-grafana/dist/install.yaml | 83 +------ .../config/default/kustomization.yaml | 8 +- .../default/manager_auth_proxy_patch.yaml | 39 --- .../config/default/manager_metrics_patch.yaml | 13 + .../project-v4/config/manager/manager.yaml | 4 +- .../project-v4/config/prometheus/monitor.yaml | 7 +- .../rbac/auth_proxy_client_clusterrole.yaml | 12 - .../config/rbac/auth_proxy_role.yaml | 20 -- .../config/rbac/auth_proxy_role_binding.yaml | 15 -- .../project-v4/config/rbac/kustomization.yaml | 9 +- ...roxy_service.yaml => metrics_service.yaml} | 6 +- testdata/project-v4/dist/install.yaml | 83 +------ 102 files changed, 679 insertions(+), 1682 deletions(-) delete mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml delete mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml delete mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename docs/book/src/component-config-tutorial/testdata/project/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (85%) delete mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml delete mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml delete mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename docs/book/src/{getting-started/testdata/project/config/rbac/auth_proxy_service.yaml => cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml} (85%) delete mode 100644 docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml delete mode 100644 docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml delete mode 100644 docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename docs/book/src/{cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml => getting-started/testdata/project/config/rbac/metrics_service.yaml} (85%) rename pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/{rbac/auth_proxy_role_binding.go => kdefault/enable_matrics_patch.go} (52%) delete mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go delete mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_client_role.go delete mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role.go rename pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/{auth_proxy_service.go => metrics_service.go} (72%) delete mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml delete mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml delete mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (86%) delete mode 100644 testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml delete mode 100644 testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml delete mode 100644 testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (86%) delete mode 100644 testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml delete mode 100644 testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml delete mode 100644 testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (86%) delete mode 100644 testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml delete mode 100644 testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml delete mode 100644 testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (86%) delete mode 100644 testdata/project-v4/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4/config/default/manager_metrics_patch.yaml delete mode 100644 testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 testdata/project-v4/config/rbac/auth_proxy_role.yaml delete mode 100644 testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml rename testdata/project-v4/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (85%) diff --git a/.github/workflows/test-sample-go.yml b/.github/workflows/test-sample-go.yml index 08e1c9a1984..debc8f909b3 100644 --- a/.github/workflows/test-sample-go.yml +++ b/.github/workflows/test-sample-go.yml @@ -26,7 +26,7 @@ jobs: sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH sed -i '27s/^#//' $KUSTOMIZATION_FILE_PATH sed -i '42s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '46,143s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '46,142s/^#//' $KUSTOMIZATION_FILE_PATH - name: Test run: | diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml index e0e588792cf..a90721e62b2 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 74c49152afb..00000000000 --- a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml index 893610e2014..91d41742932 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index ac8e7be7bc9..00000000000 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 17e0a11d32b..00000000000 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index e1f50c3178a..00000000000 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml index 9f6506d4c5b..20b2e1d12aa 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml @@ -9,16 +9,11 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - projectconfig_editor_role.yaml - projectconfig_viewer_role.yaml + diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml similarity index 85% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml index aff147e644a..1cb008b3b59 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index e445fec445d..9cd07c6181b 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: - ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 1064aa49c80..00000000000 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,55 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/manager/manager.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/manager/manager.yaml index 839f4b67565..c51cb2471d6 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/manager/manager.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/manager/manager.yaml @@ -61,7 +61,9 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 image: controller:latest name: manager securityContext: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml index 893610e2014..91d41742932 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index ac8e7be7bc9..00000000000 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 17e0a11d32b..00000000000 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index e1f50c3178a..00000000000 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml index 8db606e9e72..09d2ee4d606 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml @@ -9,16 +9,11 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - cronjob_editor_role.yaml - cronjob_viewer_role.yaml + diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml similarity index 85% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml index aff147e644a..1cb008b3b59 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index d851be9cae7..3e7e6da4538 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/docs/book/src/getting-started/testdata/project/config/manager/manager.yaml b/docs/book/src/getting-started/testdata/project/config/manager/manager.yaml index 60fe260a2d6..602974cc5fc 100644 --- a/docs/book/src/getting-started/testdata/project/config/manager/manager.yaml +++ b/docs/book/src/getting-started/testdata/project/config/manager/manager.yaml @@ -61,7 +61,9 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 image: controller:latest name: manager env: diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml index 893610e2014..91d41742932 100644 --- a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index ac8e7be7bc9..00000000000 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 17e0a11d32b..00000000000 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index e1f50c3178a..00000000000 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml index 3dc289427b8..a8f1075285b 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml @@ -9,16 +9,11 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - memcached_editor_role.yaml - memcached_viewer_role.yaml + diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml similarity index 85% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml index aff147e644a..1cb008b3b59 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/docs/book/src/reference/metrics.md b/docs/book/src/reference/metrics.md index 33e7e3b0a13..d80d7829af2 100644 --- a/docs/book/src/reference/metrics.md +++ b/docs/book/src/reference/metrics.md @@ -3,45 +3,204 @@ By default, controller-runtime builds a global prometheus registry and publishes [a collection of performance metrics](/reference/metrics-reference.md) for each controller. + + +## Enabling the Metrics + +First, you will need enable the Metrics by uncommenting the following line +in the file `config/default/kustomization.yaml`, see: + +```sh +# [Metrics] The following patch will enable the metrics endpoint. +# Ensure that you also protect this endpoint. +#- path: manager_metrics_patch.yaml +``` + ## Protecting the Metrics -These metrics are protected by [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) -by default if using kubebuilder. Kubebuilder v2.2.0+ scaffold a clusterrole which -can be found at `config/rbac/auth_proxy_client_clusterrole.yaml`. +Unprotected metrics endpoints can expose valuable data to unauthorized users, +such as system performance, application behavior, and potentially confidential +operational metrics. This exposure can lead to security vulnerabilities +where an attacker could gain insights into the system's operation +and exploit weaknesses. + +### By using Network Policy -You will need to grant permissions to your Prometheus server so that it can -scrape the protected metrics. To achieve that, you can create a -`clusterRoleBinding` to bind the `clusterRole` to the service account that your -Prometheus server uses. If you are using [kube-prometheus](https://github.com/prometheus-operator/kube-prometheus), -this cluster binding already exists. +NetworkPolicy acts as a basic firewall for pods within a Kubernetes cluster, controlling traffic +flow at the IP address or port level. However, it doesn't handle authentication (authn), authorization (authz), +or encryption directly like [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) solution. -You can either run the following command, or apply the example yaml file provided below to create `clusterRoleBinding`. +### By exposing the metrics endpoint using HTTPS and CertManager -If using kubebuilder -`` is the `namePrefix` field in `config/default/kustomization.yaml`. +Integrating `cert-manager` with your metrics service can secure the endpoint via TLS encryption. -```bash -kubectl create clusterrolebinding metrics --clusterrole=-metrics-reader --serviceaccount=: +To modify your project setup to expose metrics using HTTPS with +the help of cert-manager, you'll need to change the configuration of both +the `Service` and the `ServiceMonitor` to use a secure HTTPS port +and ensure the necessary certificate is applied. + +**Example** + +- Modify the `Service` under `config/rbac/metrics_service.yaml` to expose HTTPS: + +```ymalapiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: my-project + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager ``` -You can also apply the following `ClusterRoleBinding`: +- You will need to configure `cert-manager` to issue a certificate for the metrics +service which would like: ```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +apiVersion: cert-manager.io/v1 +kind: Certificate metadata: - name: prometheus-k8s-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus-k8s-role -subjects: - - kind: ServiceAccount - name: - namespace: + name: controller-manager-metrics-certificate + namespace: system +spec: + secretName: controller-manager-metrics-cert + issuerRef: + name: letsencrypt-prod + kind: Issuer + dnsNames: + - "controller-manager-metrics-service.system.svc.cluster.local" ``` -The `prometheus-k8s-role` referenced here should provide the necessary permissions to allow prometheus scrape metrics from operator pods. +**Note**: Make sure that issuerRef refers to a valid Issuer or ClusterIssuer +that you have configured in your cluster. + +- Modify the `ServiceMonitor` under `config/prometheus/monitor.yaml` +to use HTTPS, such as: + +``` +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: my-project + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - path: /metrics + port: https + scheme: https + tlsConfig: + caFile: /etc/prometheus/secrets/controller-manager-metrics-cert/ca.crt + certFile: /etc/prometheus/secrets/controller-manager-metrics-cert/tls.crt + keyFile: /etc/prometheus/secrets/controller-manager-metrics-cert/tls.key + serverName: "controller-manager-metrics-service.system.svc.cluster.local" + insecureSkipVerify: false + selector: + matchLabels: + control-plane: controller-manager +``` + +- Update your Manager config under `config/manager/manager.yaml` +to mount the TLS certificates: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + ... +spec: + ... + spec: + containers: + - name: manager + args: + - "--leader-elect" + - "--cert-dir=/etc/certs" + image: controller:latest + ports: + - containerPort: 8443 + name: https + volumeMounts: + - name: cert-volume + mountPath: /etc/certs + readOnly: true + volumes: + - name: cert-volume + secret: + secretName: controller-manager-metrics-cert + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 +``` + +- By last change the metrics port at `config/default/,amager_metrics_patch.yaml` +the patch to use the port `8443`: + +```yaml +... + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8443" +``` + +### By using Controller-Runtime new feature + +Also, you might want to check the new feature added in Controller-Runtime via +the [pr](https://github.com/kubernetes-sigs/controller-runtime/pull/2407) which can handle authentication (authn), +authorization (authz) such as kube-rbac-proxy. + +Note that, after the [issue](https://github.com/kubernetes-sigs/controller-runtime/issues/2781) opened +for controller-runtime enhance this new feature to address the concerns raised we plan add an option +to use it in the default scaffold combined with cert-manager. For further information, please check the +[proposal](../../../../designs/discontinue_usage_of_kube_rbac_proxy.md). ## Exporting Metrics for Prometheus @@ -91,6 +250,14 @@ for the metrics exported from the namespace where the project is running Screenshot 2019-10-02 at 13 07 13 +## Consuming the Metrics from other Pods. + +Then, see an example to create a Pod using Curl to reach out the metrics: + +```sh +kubectl run curl --restart=Never -n --image=curlimages/curl:7.78.0 -- /bin/sh -c "curl -v http://-controller-manager-metrics-service..svc.cluster.local:8080/metrics" +``` + ## Publishing Additional Metrics If you wish to publish additional metrics from your controllers, this @@ -141,4 +308,4 @@ In order to publish metrics and view them on the Prometheus UI, the Prometheus i Those metrics will be available for prometheus or other openmetrics systems to scrape. -![Screen Shot 2021-06-14 at 10 15 59 AM](https://user-images.githubusercontent.com/37827279/121932262-8843cd80-ccf9-11eb-9c8e-98d0eda80169.png) +![Screen Shot 2021-06-14 at 10 15 59 AM](https://user-images.githubusercontent.com/37827279/121932262-8843cd80-ccf9-11eb-9c8e-98d0eda80169.png) \ No newline at end of file diff --git a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go index 97258ee47aa..3de1859c668 100644 --- a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go +++ b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go @@ -583,13 +583,6 @@ func updateExample(sp *Sample) { filepath.Join(sp.ctx.Dir, "config/samples/batch_v1_cronjob.yaml"), `# TODO(user): Add fields here`, "") CheckError("fixing samples/batch_v1_cronjob.yaml", err) - - // update default/manager_auth_proxy_patch.yaml - err = pluginutil.InsertCode( - filepath.Join(sp.ctx.Dir, "config/default/manager_auth_proxy_patch.yaml"), - ` template: - spec:`, ManagerAuthProxySample) - CheckError("fixing default/manager_auth_proxy_patch.yaml", err) } func addControllerTest(sp *Sample) { diff --git a/hack/docs/internal/cronjob-tutorial/sample.go b/hack/docs/internal/cronjob-tutorial/sample.go index baebb4cfa4b..7e413af1065 100644 --- a/hack/docs/internal/cronjob-tutorial/sample.go +++ b/hack/docs/internal/cronjob-tutorial/sample.go @@ -130,21 +130,3 @@ const DefaultKustomization = `#replacements: # delimiter: '.' # index: 1 # create: true` - -const ManagerAuthProxySample = ` - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux` diff --git a/pkg/plugin/util/util.go b/pkg/plugin/util/util.go index ebf5418adda..bae4e76f47f 100644 --- a/pkg/plugin/util/util.go +++ b/pkg/plugin/util/util.go @@ -97,6 +97,36 @@ func InsertCodeIfNotExist(filename, target, code string) error { return InsertCode(filename, target, code) } +// AppendCodeIfNotExist checks if the code does not already exist in the file, and if not, appends it to the end. +func AppendCodeIfNotExist(filename, code string) error { + contents, err := os.ReadFile(filename) + if err != nil { + return err + } + + if strings.Contains(string(contents), code) { + return nil // Code already exists, no need to append. + } + + return AppendCodeAtTheEnd(filename, code) +} + +// AppendCodeAtTheEnd appends the given code at the end of the file. +func AppendCodeAtTheEnd(filename, code string) error { + f, err := os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0644) + if err != nil { + return err + } + defer func() { + if err := f.Close(); err != nil { + return + } + }() + + _, err = f.WriteString(code) + return err +} + // UncommentCode searches for target in the file and remove the comment prefix // of the target content. The target content may span multiple lines. func UncommentCode(filename, target, prefix string) error { diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/api.go b/pkg/plugins/common/kustomize/v2/scaffolds/api.go index dc875d01235..03e3ec2b8e6 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/api.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/api.go @@ -102,28 +102,37 @@ func (s *apiScaffolder) Scaffold() error { // Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml rbacKustomizeFilePath := "config/rbac/kustomization.yaml" - comment := ` -# For each CRD, "Editor" and "Viewer" roles are scaffolded by -# default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines -# if you do not want those helpers be installed with your Project.` - err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, - "- auth_proxy_client_clusterrole.yaml", comment) + err = pluginutil.AppendCodeIfNotExist(rbacKustomizeFilePath, + editViewRulesCommentFragment) if err != nil { - log.Errorf("Unable to add a comment in the file "+ + log.Errorf("Unable to append the edit/view roles editViewRulesCommentFragment in the file "+ "%s.", rbacKustomizeFilePath) } crdName := strings.ToLower(s.resource.Kind) if s.config.IsMultiGroup() && s.resource.Group != "" { crdName = strings.ToLower(s.resource.Group) + "_" + crdName } - err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, comment, + err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, editViewRulesCommentFragment, fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName)) if err != nil { log.Errorf("Unable to add Editor and Viewer roles in the file "+ "%s.", rbacKustomizeFilePath) } + // Add an empty line at the end of the file + err = pluginutil.AppendCodeIfNotExist(rbacKustomizeFilePath, + ` + +`) + if err != nil { + log.Errorf("Unable to append empty line at the end of the file"+ + "%s.", rbacKustomizeFilePath) + } } return nil } + +const editViewRulesCommentFragment = `# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the Project itself. You can comment the following lines +# if you do not want those helpers be installed with your Project.` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/init.go b/pkg/plugins/common/kustomize/v2/scaffolds/init.go index baea4bb55c6..cc034727e11 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/init.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/init.go @@ -64,10 +64,7 @@ func (s *initScaffolder) Scaffold() error { templates := []machinery.Builder{ &rbac.Kustomization{}, - &rbac.AuthProxyRole{}, - &rbac.AuthProxyRoleBinding{}, - &rbac.AuthProxyService{}, - &rbac.AuthProxyClientRole{}, + &rbac.MetricsService{}, &rbac.RoleBinding{}, // We need to create a Role because if the project // has not CRD define the controller-gen will not generate this file @@ -76,9 +73,9 @@ func (s *initScaffolder) Scaffold() error { &rbac.LeaderElectionRoleBinding{}, &rbac.ServiceAccount{}, &manager.Kustomization{}, + &kdefault.ManagerMetricsPatch{}, &manager.Config{Image: imageName}, &kdefault.Kustomization{}, - &kdefault.ManagerAuthProxyPatch{}, &kdefault.ManagerConfigPatch{}, &prometheus.Kustomization{}, &prometheus.Monitor{}, diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/enable_matrics_patch.go similarity index 52% rename from pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go rename to pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/enable_matrics_patch.go index 4ee86ed5c0f..d403c557765 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/enable_matrics_patch.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package rbac +package kdefault import ( "path/filepath" @@ -22,38 +22,38 @@ import ( "sigs.k8s.io/kubebuilder/v3/pkg/machinery" ) -var _ machinery.Template = &AuthProxyRoleBinding{} +var _ machinery.Template = &ManagerMetricsPatch{} -// AuthProxyRoleBinding scaffolds a file that defines the role binding for the auth proxy -type AuthProxyRoleBinding struct { +// ManagerMetricsPatch scaffolds a file that defines the patch that enables prometheus metrics for the manager +type ManagerMetricsPatch struct { machinery.TemplateMixin - machinery.ProjectNameMixin + machinery.ComponentConfigMixin } // SetTemplateDefaults implements file.Template -func (f *AuthProxyRoleBinding) SetTemplateDefaults() error { +func (f *ManagerMetricsPatch) SetTemplateDefaults() error { if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_role_binding.yaml") + f.Path = filepath.Join("config", "default", "manager_metrics_patch.yaml") } - f.TemplateBody = proxyRoleBindinggTemplate + f.TemplateBody = kustomizeMetricsPatchTemplate + + f.IfExistsAction = machinery.Error return nil } -const proxyRoleBindinggTemplate = `apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +const kustomizeMetricsPatchTemplate = `# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment metadata: - labels: - app.kubernetes.io/name: {{ .ProjectName }} - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount name: controller-manager namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" ` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go index 319bcf1a6b3..c676a357010 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go @@ -73,10 +73,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml {{ if .ComponentConfig -}} # Mount the controller config file for loading manager configurations diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go deleted file mode 100644 index d8d57261952..00000000000 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go +++ /dev/null @@ -1,87 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package kdefault - -import ( - "path/filepath" - - "sigs.k8s.io/kubebuilder/v3/pkg/machinery" -) - -var _ machinery.Template = &ManagerAuthProxyPatch{} - -// ManagerAuthProxyPatch scaffolds a file that defines the patch that enables prometheus metrics for the manager -type ManagerAuthProxyPatch struct { - machinery.TemplateMixin - machinery.ComponentConfigMixin -} - -// SetTemplateDefaults implements file.Template -func (f *ManagerAuthProxyPatch) SetTemplateDefaults() error { - if f.Path == "" { - f.Path = filepath.Join("config", "default", "manager_auth_proxy_patch.yaml") - } - - f.TemplateBody = kustomizeAuthProxyPatchTemplate - - f.IfExistsAction = machinery.Error - - return nil -} - -const kustomizeAuthProxyPatchTemplate = `# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi -{{- if not .ComponentConfig }} - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" -{{- end }} -` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go index 271ccd633f2..cf8b6036794 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go @@ -109,7 +109,9 @@ spec: - /manager {{- if not .ComponentConfig }} args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 {{- end }} image: {{ .Image }} name: manager diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go index 339ca03f072..dbae8fdfb8a 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go @@ -54,11 +54,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_client_role.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_client_role.go deleted file mode 100644 index a348524ab4a..00000000000 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_client_role.go +++ /dev/null @@ -1,56 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package rbac - -import ( - "path/filepath" - - "sigs.k8s.io/kubebuilder/v3/pkg/machinery" -) - -var _ machinery.Template = &AuthProxyClientRole{} - -// AuthProxyClientRole scaffolds a file that defines the role for the metrics reader -type AuthProxyClientRole struct { - machinery.TemplateMixin - machinery.ProjectNameMixin -} - -// SetTemplateDefaults implements file.Template -func (f *AuthProxyClientRole) SetTemplateDefaults() error { - if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_client_clusterrole.yaml") - } - - f.TemplateBody = clientClusterRoleTemplate - - return nil -} - -const clientClusterRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: {{ .ProjectName }} - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get -` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role.go deleted file mode 100644 index d1b639c0ee3..00000000000 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role.go +++ /dev/null @@ -1,64 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package rbac - -import ( - "path/filepath" - - "sigs.k8s.io/kubebuilder/v3/pkg/machinery" -) - -var _ machinery.Template = &AuthProxyRole{} - -// AuthProxyRole scaffolds a file that defines the role for the auth proxy -type AuthProxyRole struct { - machinery.TemplateMixin - machinery.ProjectNameMixin -} - -// SetTemplateDefaults implements file.Template -func (f *AuthProxyRole) SetTemplateDefaults() error { - if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_role.yaml") - } - - f.TemplateBody = proxyRoleTemplate - - return nil -} - -const proxyRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: {{ .ProjectName }} - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go index d3ea9b22fd9..b2ce8b8ebc3 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go @@ -53,11 +53,5 @@ const kustomizeRBACTemplate = `resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml ` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_service.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_service.go similarity index 72% rename from pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_service.go rename to pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_service.go index 219efc86ed7..8ab5b4d6c3b 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_service.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_service.go @@ -22,26 +22,26 @@ import ( "sigs.k8s.io/kubebuilder/v3/pkg/machinery" ) -var _ machinery.Template = &AuthProxyService{} +var _ machinery.Template = &MetricsService{} -// AuthProxyService scaffolds a file that defines the service for the auth proxy -type AuthProxyService struct { +// MetricsService scaffolds a file that defines the service for the auth proxy +type MetricsService struct { machinery.TemplateMixin machinery.ProjectNameMixin } // SetTemplateDefaults implements file.Template -func (f *AuthProxyService) SetTemplateDefaults() error { +func (f *MetricsService) SetTemplateDefaults() error { if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_service.yaml") + f.Path = filepath.Join("config", "rbac", "metrics_service.yaml") } - f.TemplateBody = authProxyServiceTemplate + f.TemplateBody = metricsServiceTemplate return nil } -const authProxyServiceTemplate = `apiVersion: v1 +const metricsServiceTemplate = `apiVersion: v1 kind: Service metadata: labels: @@ -52,10 +52,10 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager ` diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go index 02f72b01910..582d60d3ef7 100644 --- a/test/e2e/v4/generate_test.go +++ b/test/e2e/v4/generate_test.go @@ -54,6 +54,49 @@ func GenerateV4(kbc *utils.TestContext) { fmt.Sprintf("%s_webhook.go", strings.ToLower(kbc.Kind)))) ExpectWithOffset(1, err).NotTo(HaveOccurred()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- ../certmanager", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- ../prometheus", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- path: webhookcainjection_patch.yaml", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- path: manager_metrics_patch.yaml", "#")).To(Succeed()) + + ExpectWithOffset(1, pluginutil.UncommentCode(filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + certManagerTarget, "#")).To(Succeed()) + + if kbc.IsRestricted { + By("uncomment kustomize files to ensure that pods are restricted") + uncommentPodStandards(kbc) + } +} + +// GenerateV4WithoutMetrics implements a go/v4 plugin project defined by a TestContext. +func GenerateV4WithoutMetrics(kbc *utils.TestContext) { + initingTheProject(kbc) + creatingAPI(kbc) + + By("scaffolding mutating and validating webhooks") + err := kbc.CreateWebhook( + "--group", kbc.Group, + "--version", kbc.Version, + "--kind", kbc.Kind, + "--defaulting", + "--programmatic-validation", + ) + ExpectWithOffset(1, err).NotTo(HaveOccurred()) + + By("implementing the mutating and validating webhooks") + err = pluginutil.ImplementWebhooks(filepath.Join( + kbc.Dir, "api", kbc.Version, + fmt.Sprintf("%s_webhook.go", strings.ToLower(kbc.Kind)))) + ExpectWithOffset(1, err).NotTo(HaveOccurred()) + ExpectWithOffset(1, pluginutil.UncommentCode( filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), "#- ../certmanager", "#")).To(Succeed()) diff --git a/test/e2e/v4/plugin_cluster_test.go b/test/e2e/v4/plugin_cluster_test.go index 034266e6741..1e312a13bbf 100644 --- a/test/e2e/v4/plugin_cluster_test.go +++ b/test/e2e/v4/plugin_cluster_test.go @@ -17,7 +17,6 @@ limitations under the License. package v4 import ( - "encoding/json" "fmt" "os" "os/exec" @@ -35,18 +34,6 @@ import ( "sigs.k8s.io/kubebuilder/v3/test/e2e/utils" ) -const ( - tokenRequestRawString = `{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest"}` -) - -// tokenRequest is a trimmed down version of the authentication.k8s.io/v1/TokenRequest Type -// that we want to use for extracting the token. -type tokenRequest struct { - Status struct { - Token string `json:"token"` - } `json:"status"` -} - var _ = Describe("kubebuilder", func() { Context("plugin go/v4", func() { var kbc *utils.TestContext @@ -68,24 +55,29 @@ var _ = Describe("kubebuilder", func() { It("should generate a runnable project", func() { kbc.IsRestricted = false GenerateV4(kbc) - Run(kbc, true, false) + Run(kbc, true, false, true) }) It("should generate a runnable project with the Installer", func() { kbc.IsRestricted = false GenerateV4(kbc) - Run(kbc, false, true) + Run(kbc, false, true, true) + }) + It("should generate a runnable project without metrics exposed", func() { + kbc.IsRestricted = false + GenerateV4WithoutMetrics(kbc) + Run(kbc, true, false, false) }) It("should generate a runnable project with the manager running "+ "as restricted and without webhooks", func() { kbc.IsRestricted = true GenerateV4WithoutWebhooks(kbc) - Run(kbc, false, false) + Run(kbc, false, false, true) }) }) }) // Run runs a set of e2e tests for a scaffolded project defined by a TestContext. -func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) { +func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, hasMetrics bool) { var controllerPodName string var err error @@ -119,13 +111,7 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) { var output []byte if !isToUseInstaller { - // NOTE: If you want to run the test against a GKE cluster, you will need to grant yourself permission. - // Otherwise, you may see "... is forbidden: attempt to grant extra privileges" - // $ kubectl create clusterrolebinding myname-cluster-admin-binding \ - // --clusterrole=cluster-admin --user=myname@mycompany.com - // https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control By("deploying the controller-manager") - cmd := exec.Command("make", "deploy", "IMG="+kbc.ImageName) output, err = kbc.Run(cmd) ExpectWithOffset(1, err).NotTo(HaveOccurred()) @@ -134,13 +120,7 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) { err = kbc.Make("build-installer", "IMG="+kbc.ImageName) ExpectWithOffset(1, err).NotTo(HaveOccurred()) - // NOTE: If you want to run the test against a GKE cluster, you will need to grant yourself permission. - // Otherwise, you may see "... is forbidden: attempt to grant extra privileges" - // $ kubectl create clusterrolebinding myname-cluster-admin-binding \ - // --clusterrole=cluster-admin --user=myname@mycompany.com - // https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control By("deploying the controller-manager with the installer") - _, err = kbc.Kubectl.Apply(true, "-f", "dist/install.yaml") ExpectWithOffset(1, err).NotTo(HaveOccurred()) } @@ -183,14 +163,8 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) { }() EventuallyWithOffset(1, verifyControllerUp, time.Minute, time.Second).Should(Succeed()) - By("granting permissions to access the metrics") - _, err = kbc.Kubectl.Command( - "create", "clusterrolebinding", fmt.Sprintf("metrics-%s", kbc.TestSuffix), - fmt.Sprintf("--clusterrole=e2e-%s-metrics-reader", kbc.TestSuffix), - fmt.Sprintf("--serviceaccount=%s:%s", kbc.Kubectl.Namespace, kbc.Kubectl.ServiceAccount)) - ExpectWithOffset(1, err).NotTo(HaveOccurred()) - - _ = curlMetrics(kbc) + By("validating the metrics endpoint") + _ = curlMetrics(kbc, hasMetrics) if hasWebhook { By("validating that cert-manager has provisioned the certificate Secret") @@ -267,12 +241,14 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) { return err }, time.Minute, time.Second).Should(Succeed()) - By("validating that the created resource object gets reconciled in the controller") - metricsOutput := curlMetrics(kbc) - ExpectWithOffset(1, metricsOutput).To(ContainSubstring(fmt.Sprintf( - `controller_runtime_reconcile_total{controller="%s",result="success"} 1`, - strings.ToLower(kbc.Kind), - ))) + if hasMetrics { + By("checking the metrics values to validate that the created resource object gets reconciled") + metricsOutput := curlMetrics(kbc, hasMetrics) + ExpectWithOffset(1, metricsOutput).To(ContainSubstring(fmt.Sprintf( + `controller_runtime_reconcile_total{controller="%s",result="success"} 1`, + strings.ToLower(kbc.Kind), + ))) + } if hasWebhook { By("validating that mutating and validating webhooks are working fine") @@ -285,92 +261,117 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) { ExpectWithOffset(1, err).NotTo(HaveOccurred()) ExpectWithOffset(1, count).To(BeNumerically("==", 5)) } + } // curlMetrics curl's the /metrics endpoint, returning all logs once a 200 status is returned. -func curlMetrics(kbc *utils.TestContext) string { - By("reading the metrics token") - // Filter token query by service account in case more than one exists in a namespace. - token, err := ServiceAccountToken(kbc) - ExpectWithOffset(2, err).NotTo(HaveOccurred()) - ExpectWithOffset(2, len(token)).To(BeNumerically(">", 0)) +func curlMetrics(kbc *utils.TestContext, hasMetrics bool) string { + By("validating that the controller-manager service is available") + _, err := kbc.Kubectl.Get( + true, + "service", fmt.Sprintf("e2e-%s-controller-manager-metrics-service", kbc.TestSuffix), + ) + ExpectWithOffset(2, err).NotTo(HaveOccurred(), "Controller-manager service should exist") - By("creating a curl pod") - cmdOpts := []string{ - "run", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure", "--", - "curl", "-v", "-k", "-H", fmt.Sprintf(`Authorization: Bearer %s`, strings.TrimSpace(token)), - fmt.Sprintf("https://e2e-%s-controller-manager-metrics-service.%s.svc:8443/metrics", - kbc.TestSuffix, kbc.Kubectl.Namespace), + By("validating that the controller-manager deployment is ready") + verifyDeploymentReady := func() error { + output, err := kbc.Kubectl.Get( + true, + "deployment", fmt.Sprintf("e2e-%s-controller-manager", kbc.TestSuffix), + "-o", "jsonpath={.status.readyReplicas}", + ) + if err != nil { + return err + } + readyReplicas, _ := strconv.Atoi(output) + if readyReplicas < 1 { + return fmt.Errorf("expected at least 1 ready replica, got %d", readyReplicas) + } + return nil } - _, err = kbc.Kubectl.CommandInNamespace(cmdOpts...) - ExpectWithOffset(2, err).NotTo(HaveOccurred()) + EventuallyWithOffset(2, verifyDeploymentReady, 240*time.Second, time.Second).Should(Succeed(), + "Deployment is not ready") - By("validating that the curl pod is running as expected") - verifyCurlUp := func() error { - // Validate pod status - status, err := kbc.Kubectl.Get( + By("ensuring the service endpoint is ready") + eventuallyCheckServiceEndpoint := func() error { + output, err := kbc.Kubectl.Get( true, - "pods", "curl", "-o", "jsonpath={.status.phase}") - ExpectWithOffset(3, err).NotTo(HaveOccurred()) - if status != "Completed" && status != "Succeeded" { - return fmt.Errorf("curl pod in %s status", status) + "endpoints", fmt.Sprintf("e2e-%s-controller-manager-metrics-service", kbc.TestSuffix), + "-o", "jsonpath={.subsets[*].addresses[*].ip}", + ) + if err != nil { + return err + } + if output == "" { + return fmt.Errorf("no endpoints found") } return nil } - EventuallyWithOffset(2, verifyCurlUp, 240*time.Second, time.Second).Should(Succeed()) + EventuallyWithOffset(2, eventuallyCheckServiceEndpoint, 2*time.Minute, time.Second).Should(Succeed(), + "Service endpoint should be ready") - By("validating that the metrics endpoint is serving as expected") - var metricsOutput string - getCurlLogs := func() string { - metricsOutput, err = kbc.Kubectl.Logs("curl") - ExpectWithOffset(3, err).NotTo(HaveOccurred()) - return metricsOutput + By("creating a curl pod to access the metrics endpoint") + // nolint:lll + cmdOpts := []string{ + "run", "curl", + "--restart=Never", + "--namespace", kbc.Kubectl.Namespace, + "--image=curlimages/curl:7.78.0", + "--", + "/bin/sh", "-c", fmt.Sprintf("curl -v -k http://e2e-%s-controller-manager-metrics-service.%s.svc.cluster.local:8080/metrics", + kbc.TestSuffix, kbc.Kubectl.Namespace), } - EventuallyWithOffset(2, getCurlLogs, 10*time.Second, time.Second).Should(ContainSubstring("< HTTP/2 200")) + _, err = kbc.Kubectl.CommandInNamespace(cmdOpts...) + ExpectWithOffset(2, err).NotTo(HaveOccurred()) + + var metricsOutput string + if hasMetrics { + By("validating that the curl pod is running as expected") + verifyCurlUp := func() error { + status, err := kbc.Kubectl.Get( + true, + "pods", "curl", "-o", "jsonpath={.status.phase}") + ExpectWithOffset(3, err).NotTo(HaveOccurred()) + if status != "Succeeded" { + return fmt.Errorf("curl pod in %s status", status) + } + return nil + } + EventuallyWithOffset(2, verifyCurlUp, 240*time.Second, time.Second).Should(Succeed()) + + By("validating that the metrics endpoint is serving as expected") + getCurlLogs := func() string { + metricsOutput, err = kbc.Kubectl.Logs("curl") + ExpectWithOffset(3, err).NotTo(HaveOccurred()) + return metricsOutput + } + EventuallyWithOffset(2, getCurlLogs, 10*time.Second, time.Second).Should(ContainSubstring("< HTTP/1.1 200 OK")) + } else { + By("validating that the curl pod fail as expected") + verifyCurlUp := func() error { + status, err := kbc.Kubectl.Get( + true, + "pods", "curl", "-o", "jsonpath={.status.phase}") + ExpectWithOffset(3, err).NotTo(HaveOccurred()) + if status == "Succeeded" { + return fmt.Errorf( + "curl pod in %s status when should fail with an error", status) + } + return nil + } + EventuallyWithOffset(2, verifyCurlUp, 240*time.Second, time.Second).Should(Succeed()) + By("validating that the metrics endpoint is not working as expected") + getCurlLogs := func() string { + metricsOutput, err = kbc.Kubectl.Logs("curl") + ExpectWithOffset(3, err).NotTo(HaveOccurred()) + return metricsOutput + } + EventuallyWithOffset(2, getCurlLogs, 10*time.Second, time.Second).Should(ContainSubstring("Connection refused")) + } By("cleaning up the curl pod") _, err = kbc.Kubectl.Delete(true, "pods/curl") ExpectWithOffset(3, err).NotTo(HaveOccurred()) return metricsOutput } - -// ServiceAccountToken provides a helper function that can provide you with a service account -// token that you can use to interact with the service. This function leverages the k8s' -// TokenRequest API in raw format in order to make it generic for all version of the k8s that -// is currently being supported in kubebuilder test infra. -// TokenRequest API returns the token in raw JWT format itself. There is no conversion required. -func ServiceAccountToken(kbc *utils.TestContext) (out string, err error) { - By("Creating the ServiceAccount token") - secretName := fmt.Sprintf("%s-token-request", kbc.Kubectl.ServiceAccount) - tokenRequestFile := filepath.Join(kbc.Dir, secretName) - err = os.WriteFile(tokenRequestFile, []byte(tokenRequestRawString), os.FileMode(0o755)) - if err != nil { - return out, err - } - var rawJson string - Eventually(func() error { - // Output of this is already a valid JWT token. No need to covert this from base64 to string format - rawJson, err = kbc.Kubectl.Command( - "create", - "--raw", fmt.Sprintf( - "/api/v1/namespaces/%s/serviceaccounts/%s/token", - kbc.Kubectl.Namespace, - kbc.Kubectl.ServiceAccount, - ), - "-f", tokenRequestFile, - ) - if err != nil { - return err - } - var token tokenRequest - err = json.Unmarshal([]byte(rawJson), &token) - if err != nil { - return err - } - out = token.Status.Token - return nil - }, time.Minute, time.Second).Should(Succeed()) - - return out, err -} diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml index 2f78dfb54aa..e81d73d4bc3 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/manager/manager.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/manager/manager.yaml index 22430e2a678..4e217f48c6d 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/manager/manager.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/manager/manager.yaml @@ -61,7 +61,9 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 image: controller:latest name: manager securityContext: diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml index c7e880652bc..afc86491c6f 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index 8f3b7014f0b..00000000000 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 13038ff7689..00000000000 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index aae73208a49..00000000000 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml index 08b359e46b5..51bf3b2bea4 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml @@ -9,13 +9,7 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -40,3 +34,4 @@ resources: - ship_frigate_viewer_role.yaml - crew_captain_editor_role.yaml - crew_captain_viewer_role.yaml + diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml similarity index 86% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml index 32b2aac0952..a01a6872e4a 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml index 26592d65d9a..1f880c1fcdc 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml @@ -1191,40 +1191,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - name: project-v4-multigroup-with-deploy-image-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - name: project-v4-multigroup-with-deploy-image-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1506,22 +1472,6 @@ subjects: name: project-v4-multigroup-with-deploy-image-controller-manager namespace: project-v4-multigroup-with-deploy-image-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - name: project-v4-multigroup-with-deploy-image-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: project-v4-multigroup-with-deploy-image-proxy-role -subjects: -- kind: ServiceAccount - name: project-v4-multigroup-with-deploy-image-controller-manager - namespace: project-v4-multigroup-with-deploy-image-system ---- apiVersion: v1 kind: Service metadata: @@ -1533,10 +1483,10 @@ metadata: namespace: project-v4-multigroup-with-deploy-image-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -1579,9 +1529,9 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 command: - /manager image: controller:latest @@ -1618,29 +1568,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-multigroup-with-deploy-image-controller-manager diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 9fe6e3630df..d00ee2596e1 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/testdata/project-v4-multigroup/config/manager/manager.yaml b/testdata/project-v4-multigroup/config/manager/manager.yaml index d80c8f33132..a65ca4a1bc2 100644 --- a/testdata/project-v4-multigroup/config/manager/manager.yaml +++ b/testdata/project-v4-multigroup/config/manager/manager.yaml @@ -61,7 +61,9 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 image: controller:latest name: manager securityContext: diff --git a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml index bb60c0d334a..7b9bc2077a7 100644 --- a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml +++ b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index 53613e3eeef..00000000000 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-multigroup - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 56c97ddca82..00000000000 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-multigroup - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 10f89301cdb..00000000000 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project-v4-multigroup - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml index 08b359e46b5..51bf3b2bea4 100644 --- a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml @@ -9,13 +9,7 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -40,3 +34,4 @@ resources: - ship_frigate_viewer_role.yaml - crew_captain_editor_role.yaml - crew_captain_viewer_role.yaml + diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_service.yaml similarity index 86% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_service.yaml index b168382998d..efdd5394534 100644 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4-multigroup/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup/dist/install.yaml b/testdata/project-v4-multigroup/dist/install.yaml index e2584bdeac2..8b03103111f 100644 --- a/testdata/project-v4-multigroup/dist/install.yaml +++ b/testdata/project-v4-multigroup/dist/install.yaml @@ -1191,40 +1191,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-multigroup - name: project-v4-multigroup-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-multigroup - name: project-v4-multigroup-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1506,22 +1472,6 @@ subjects: name: project-v4-multigroup-controller-manager namespace: project-v4-multigroup-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-multigroup - name: project-v4-multigroup-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: project-v4-multigroup-proxy-role -subjects: -- kind: ServiceAccount - name: project-v4-multigroup-controller-manager - namespace: project-v4-multigroup-system ---- apiVersion: v1 kind: Service metadata: @@ -1533,10 +1483,10 @@ metadata: namespace: project-v4-multigroup-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -1579,9 +1529,9 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 command: - /manager image: controller:latest @@ -1618,29 +1568,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-multigroup-controller-manager diff --git a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml index 62e78ccdbbe..bf965dc95f0 100644 --- a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/testdata/project-v4-with-deploy-image/config/manager/manager.yaml b/testdata/project-v4-with-deploy-image/config/manager/manager.yaml index f232684fa6b..1fd54a41dc2 100644 --- a/testdata/project-v4-with-deploy-image/config/manager/manager.yaml +++ b/testdata/project-v4-with-deploy-image/config/manager/manager.yaml @@ -61,7 +61,9 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 image: controller:latest name: manager env: diff --git a/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml b/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml index 0f805f2c2e7..2d08ceebac3 100644 --- a/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml +++ b/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index b439cad7f2c..00000000000 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-with-deploy-image - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 438d9bd0702..00000000000 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-with-deploy-image - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 3be0002395d..00000000000 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project-v4-with-deploy-image - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml index 67076dab990..234947b0ce5 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml @@ -9,13 +9,7 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -24,3 +18,4 @@ resources: - busybox_viewer_role.yaml - memcached_editor_role.yaml - memcached_viewer_role.yaml + diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml similarity index 86% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml index 80efb4fa08c..905ebc18c94 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4-with-deploy-image/dist/install.yaml b/testdata/project-v4-with-deploy-image/dist/install.yaml index 70babe98cbe..b2abdf48910 100644 --- a/testdata/project-v4-with-deploy-image/dist/install.yaml +++ b/testdata/project-v4-with-deploy-image/dist/install.yaml @@ -516,40 +516,6 @@ rules: - get --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-with-deploy-image - name: project-v4-with-deploy-image-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-with-deploy-image - name: project-v4-with-deploy-image-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: @@ -582,22 +548,6 @@ subjects: name: project-v4-with-deploy-image-controller-manager namespace: project-v4-with-deploy-image-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-with-deploy-image - name: project-v4-with-deploy-image-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: project-v4-with-deploy-image-proxy-role -subjects: -- kind: ServiceAccount - name: project-v4-with-deploy-image-controller-manager - namespace: project-v4-with-deploy-image-system ---- apiVersion: v1 kind: Service metadata: @@ -609,10 +559,10 @@ metadata: namespace: project-v4-with-deploy-image-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -655,9 +605,9 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 command: - /manager env: @@ -699,29 +649,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-with-deploy-image-controller-manager diff --git a/testdata/project-v4-with-grafana/config/default/kustomization.yaml b/testdata/project-v4-with-grafana/config/default/kustomization.yaml index 7fca0820b0c..df5296e37fd 100644 --- a/testdata/project-v4-with-grafana/config/default/kustomization.yaml +++ b/testdata/project-v4-with-grafana/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/testdata/project-v4-with-grafana/config/manager/manager.yaml b/testdata/project-v4-with-grafana/config/manager/manager.yaml index 3d44ae43d62..64ab9a2daa7 100644 --- a/testdata/project-v4-with-grafana/config/manager/manager.yaml +++ b/testdata/project-v4-with-grafana/config/manager/manager.yaml @@ -61,7 +61,9 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 image: controller:latest name: manager securityContext: diff --git a/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml b/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml index 8505bfa5bfc..5f3e9887eae 100644 --- a/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml +++ b/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index 5a5a1d0259d..00000000000 --- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-with-grafana - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 979bc272f7a..00000000000 --- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4-with-grafana - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index b5302ea3805..00000000000 --- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project-v4-with-grafana - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml b/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml index 731832a6ac3..cb51d20d1cf 100644 --- a/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml +++ b/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml @@ -9,10 +9,4 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml similarity index 86% rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml index b52e2ef0f4d..4c40c3579cb 100644 --- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4-with-grafana/dist/install.yaml b/testdata/project-v4-with-grafana/dist/install.yaml index 5877a647805..97764fed65b 100644 --- a/testdata/project-v4-with-grafana/dist/install.yaml +++ b/testdata/project-v4-with-grafana/dist/install.yaml @@ -75,40 +75,6 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-with-grafana - name: project-v4-with-grafana-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-with-grafana - name: project-v4-with-grafana-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: @@ -141,22 +107,6 @@ subjects: name: project-v4-with-grafana-controller-manager namespace: project-v4-with-grafana-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4-with-grafana - name: project-v4-with-grafana-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: project-v4-with-grafana-proxy-role -subjects: -- kind: ServiceAccount - name: project-v4-with-grafana-controller-manager - namespace: project-v4-with-grafana-system ---- apiVersion: v1 kind: Service metadata: @@ -168,10 +118,10 @@ metadata: namespace: project-v4-with-grafana-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -198,32 +148,9 @@ spec: spec: containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 command: - /manager image: controller:latest diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml index ae7fc170730..131ea0843e0 100644 --- a/testdata/project-v4/config/default/kustomization.yaml +++ b/testdata/project-v4/config/default/kustomization.yaml @@ -27,10 +27,10 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4/config/default/manager_metrics_patch.yaml b/testdata/project-v4/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..ee197d3f718 --- /dev/null +++ b/testdata/project-v4/config/default/manager_metrics_patch.yaml @@ -0,0 +1,13 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-bind-address=0.0.0.0:8080" diff --git a/testdata/project-v4/config/manager/manager.yaml b/testdata/project-v4/config/manager/manager.yaml index 7c552d545f1..29ab53f42f9 100644 --- a/testdata/project-v4/config/manager/manager.yaml +++ b/testdata/project-v4/config/manager/manager.yaml @@ -61,7 +61,9 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 image: controller:latest name: manager securityContext: diff --git a/testdata/project-v4/config/prometheus/monitor.yaml b/testdata/project-v4/config/prometheus/monitor.yaml index 767555588d4..d4a09ebf9fe 100644 --- a/testdata/project-v4/config/prometheus/monitor.yaml +++ b/testdata/project-v4/config/prometheus/monitor.yaml @@ -11,11 +11,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index c534a7a5387..00000000000 --- a/testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4 - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/testdata/project-v4/config/rbac/auth_proxy_role.yaml b/testdata/project-v4/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 43aa96480ad..00000000000 --- a/testdata/project-v4/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: project-v4 - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index e5bbe0214cd..00000000000 --- a/testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: project-v4 - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/testdata/project-v4/config/rbac/kustomization.yaml b/testdata/project-v4/config/rbac/kustomization.yaml index 8518bf9e24d..6dd56c7db27 100644 --- a/testdata/project-v4/config/rbac/kustomization.yaml +++ b/testdata/project-v4/config/rbac/kustomization.yaml @@ -9,13 +9,7 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -26,3 +20,4 @@ resources: - firstmate_viewer_role.yaml - captain_editor_role.yaml - captain_viewer_role.yaml + diff --git a/testdata/project-v4/config/rbac/auth_proxy_service.yaml b/testdata/project-v4/config/rbac/metrics_service.yaml similarity index 85% rename from testdata/project-v4/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4/config/rbac/metrics_service.yaml index 2b723ff3239..3cd90980fa3 100644 --- a/testdata/project-v4/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4/config/rbac/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml index 4466171f902..47b70abe185 100644 --- a/testdata/project-v4/dist/install.yaml +++ b/testdata/project-v4/dist/install.yaml @@ -510,40 +510,6 @@ rules: - update --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4 - name: project-v4-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4 - name: project-v4-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: @@ -576,22 +542,6 @@ subjects: name: project-v4-controller-manager namespace: project-v4-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: project-v4 - name: project-v4-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: project-v4-proxy-role -subjects: -- kind: ServiceAccount - name: project-v4-controller-manager - namespace: project-v4-system ---- apiVersion: v1 kind: Service metadata: @@ -603,10 +553,10 @@ metadata: namespace: project-v4-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -649,9 +599,9 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 command: - /manager image: controller:latest @@ -688,29 +638,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-controller-manager