✨ Add protection to metrics endpoint using authn/authz via controller-runtime feature #4003
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
size/XXL
…untime feature This PR re-introduce authn/authz protection for the endpoint but without use the kube-rbac-proxy project and image. Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
|
/skip APIDiff /override APIDiff |
|
@camilamacedo86: /override requires failed status contexts, check run or a prowjob name to operate on.
Only the following failed contexts/checkruns were expected:
If you are trying to override a checkrun that has a space in it, you must put a double quote on the context. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| // These configurations ensure that only authorized users and service accounts | ||
| // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: | ||
| // https://pkg.go.dev/sigs.k8s.io/controller-runtime@{{ .ControllerRuntimeVersion }}/pkg/metrics/filters#WithAuthenticationAndAuthorization | ||
| FilterProvider: filters.WithAuthenticationAndAuthorization, |
There was a problem hiding this comment.
Nits:
Similar to the concern in the previous PR, would it be necessary/good to remind user of assigning the cluster role to the clients with the permission to scrape the metrics?
See the ref:
To scrape metrics e.g. via Prometheus the client needs a ClusterRole with the following rule: * nonResourceURLs: "/metrics", verbs: get
There was a problem hiding this comment.
I think that the problem is that depends on how the Prometheus is configured.
We might could say something like Prometheus requires access to the metrics endpoint.
But we are either linking the metrics doc so users can check that, there we are clarifying it right.
Anyway, lets to do one thing:
Since it is a nit, lets move forward with as it is, however, if you see any good way to improve the comments/docs etc, please feel free to push a PR with your idea and we can shape things around.
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86, Kavinjsir, varshaprasad96 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| // These configurations ensure that only authorized users and service accounts | ||
| // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: | ||
| // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization | ||
| FilterProvider: filters.WithAuthenticationAndAuthorization, |
There was a problem hiding this comment.
I think this should only be set if secureMetrics is true.
By always enabling this folks have to always provide a ServiceAccount token. But these tokens should never be send via HTTP
There was a problem hiding this comment.
we can address this one good catcher.
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025. Projects initialized with Kubebuilder versions v3.14 or lower utilize gcr.io/kubebuilder/kube-rbac-proxy to protect the metrics endpoint. Following the work in kubernetes-sigs/kubebuilder#4003, this commit removes the kube-rbac-proxy container and let the main container of the controller expose the metrics via HTTPS and by using the WithAuthenticatoinAndAuthorization filter. This also includes a minor fix in BuildService escaped during the resolution of some conflicts during a rebase. Related to kubernetes-sigs/kubebuilder#3871
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025. Projects initialized with Kubebuilder versions v3.14 or lower utilize gcr.io/kubebuilder/kube-rbac-proxy to protect the metrics endpoint. Following the work in kubernetes-sigs/kubebuilder#4003, this commit removes the kube-rbac-proxy container and let the main container of the controller expose the metrics via HTTPS and by using the WithAuthenticatoinAndAuthorization filter. This also includes a minor fix in BuildService escaped during the resolution of some conflicts during a rebase. Related to kubernetes-sigs/kubebuilder#3871
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025. Projects initialized with Kubebuilder versions v3.14 or lower utilize gcr.io/kubebuilder/kube-rbac-proxy to protect the metrics endpoint. Following the work in kubernetes-sigs/kubebuilder#4003, this commit removes the kube-rbac-proxy container and let the main container of the controller expose the metrics via HTTPS and by using the WithAuthenticatoinAndAuthorization filter. This also includes a minor fix in BuildService escaped during the resolution of some conflicts during a rebase. Related to kubernetes-sigs/kubebuilder#3871
This PR re-introduces authentication and authorization protection for the metrics endpoint using
WithAuthenticationAndAuthorizationprovided by controller-runtime.We are re-introducing this protection, which is similar to what was previously done via
kube-rbac-proxy, whose usage was discontinued in the project.PS.:: Address item 3 mapped in : #3871
Author: Joe Lanford joe.lanford@gmail.com
Co-Author: Camila Macedo