Discontinue Kube RBAC Proxy in Default Kubebuilder Scaffolding

.github/workflows/test-sample-go.yml

@@ -25,9 +25,10 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '27s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '42s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '46,143s/^#//' $KUSTOMIZATION_FILE_PATH
-      
+          sed -i '38s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '48s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '52,148s/^#//' $KUSTOMIZATION_FILE_PATH
+
       - name: Test
         run: |
           cd testdata/project-v4

CONTRIBUTING.md

@@ -69,6 +69,27 @@ Following the targets that can be used to test your changes locally.
 
 **NOTE** To use the `make lint` is required to install `golangci-lint` locally. More info: https://github.com/golangci/golangci-lint#install
 
+### Running e2e tests locally
+
+See that you can run `test-e2e-local` to setup Kind and run e2e tests locally.
+Another option is by manually starting up Kind and configuring it and then,
+you can for example via your IDEA debug the e2e tests.
+
+To manually setup run:
+
+```shell
+# To generate an Kubebuilder local binary with your changes
+make install
+# To create the cluster and configure a CNI which supports NetworkPolicy
+kind create cluster --config ./test/e2e/kind-config.yaml
+kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
+```
+
+Now, you can for example, run in debug mode the `test/e2e/v4/e2e_suite_test.go`:
+
+![example](https://github.com/kubernetes-sigs/kubebuilder/assets/7708031/277d26d5-c94d-41f0-8f02-1381458ef750)
+
+
 ### Test Plugin
 
 If your intended PR creates a new plugin, make sure the PR also provides test cases. Testing should include:

docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml

@@ -25,12 +25,18 @@ resources:
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [NETWORK POLICY] Protect the /metrics endpoint with NetworkPolicy. If you want your controller-manager to
+# expose the /metrics, it is recommended uncomment the following line. Therefore, only Pod(s) running a namespace 
+# with the label 'monitoring: enabled' will be able to gather the metrics.
+# Be aware that NetworkPolicy alone does not ensure fully protection. Please, ensure that you check the Metrics
+# documentation: https://kubebuilder.io/reference/metrics
+#- ../policy
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# More info: https://book.kubebuilder.io/reference/metrics
+# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
+#- path: manager_metrics_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -0,0 +1,13 @@
+# This patch adds the args to allow exposing the metrics endpoint securely
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--metrics-bind-address=0.0.0.0:8080"

docs/book/src/component-config-tutorial/testdata/project/config/policy/allow-cert-manager.yaml

@@ -0,0 +1,18 @@
+# Allow CertManager have communication across the cluster
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-cert-manager
+  namespace: cert-manager
+spec:
+  podSelector: {}  # This applies to all pods within the cert-manager namespace
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Allow ingress from all pods in the same namespace
+    - from:
+      - podSelector: {}  # This effectively allows all pods within the namespace
+  egress:
+    # Allow egress to all destinations
+    - {}

docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- protect-metrics.yaml

docs/book/src/component-config-tutorial/testdata/project/config/policy/protect-metrics.yaml

@@ -0,0 +1,26 @@
+# NetworkPolicy to protect metrics endpoint
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: project
+    app.kubernetes.io/managed-by: kustomize
+  name: protect-metrics
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Egress
+    - Ingress
+  egress:
+    - {}
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            monitoring: enabled  # Only from namespaces with this label
+      ports:
+        - protocol: TCP
+          port: 8080  # TCP port for metrics

docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml

@@ -11,11 +11,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
   selector:
     matchLabels:
       control-plane: controller-manager

docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -9,16 +9,11 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
 - projectconfig_editor_role.yaml
 - projectconfig_viewer_role.yaml
+

docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml → docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml

@@ -9,9 +9,9 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: http
+    port: 8080
     protocol: TCP
-    targetPort: https
+    targetPort: 8080
   selector:
     control-plane: controller-manager

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -25,12 +25,18 @@ resources:
 - ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus
+# [NETWORK POLICY] Protect the /metrics endpoint with NetworkPolicy. If you want your controller-manager to
+# expose the /metrics, it is recommended uncomment the following line. Therefore, only Pod(s) running a namespace 
+# with the label 'monitoring: enabled' will be able to gather the metrics.
+# Be aware that NetworkPolicy alone does not ensure fully protection. Please, ensure that you check the Metrics
+# documentation: https://kubebuilder.io/reference/metrics
+- ../policy
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# More info: https://book.kubebuilder.io/reference/metrics
+# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
+#- path: manager_metrics_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -0,0 +1,13 @@
+# This patch adds the args to allow exposing the metrics endpoint securely
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--metrics-bind-address=0.0.0.0:8080"

docs/book/src/cronjob-tutorial/testdata/project/config/manager/manager.yaml

@@ -61,7 +61,9 @@ spec:
       - command:
         - /manager
         args:
-        - --leader-elect
+          - --leader-elect
+          - --health-probe-bind-address=:8081
+          - --metrics-bind-address=0
         image: controller:latest
         name: manager
         securityContext:

docs/book/src/cronjob-tutorial/testdata/project/config/policy/allow-cert-manager.yaml

@@ -0,0 +1,18 @@
+# Allow CertManager have communication across the cluster
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-cert-manager
+  namespace: cert-manager
+spec:
+  podSelector: {}  # This applies to all pods within the cert-manager namespace
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Allow ingress from all pods in the same namespace
+    - from:
+      - podSelector: {}  # This effectively allows all pods within the namespace
+  egress:
+    # Allow egress to all destinations
+    - {}