Merge pull request #340 from Fedosin/remove_kube_rbac_proxy

⚠️ Remove kube-rbac-proxy and expose metrics on localhost:8080

Author: k8s-ci-robot

cmd/main.go

@@ -78,7 +78,7 @@ func init() {
 
 // InitFlags initializes the flags.
 func InitFlags(fs *pflag.FlagSet) {
-	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080",
+	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080",
 		"The address the metric endpoint binds to.")
 
 	fs.BoolVar(&enableLeaderElection, "leader-elect", false,

config/default/kustomization.yaml

@@ -26,10 +26,6 @@ bases:
 - ../namespace
 
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
   # Provide customizable hook for make targets.
 - manager_image_patch.yaml
 - manager_pull_policy.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -3,10 +3,3 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -101,30 +101,6 @@ spec:
         volumeMounts:
         {{- toYaml . | nindent 12 }}
         {{- end }}
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        {{- if .Values.logLevel }}
-        - --v={{ .Values.logLevel }}
-        {{- end }}
-        {{- with .Values.image.kubeRBACProxy }}
-        image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-        {{- end }}
-        imagePullPolicy: {{ .Values.image.kubeRBACProxy.pullPolicy }}
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        {{- with .Values.resources.kubeRBACProxy }}
-        resources:
-        {{- toYaml . | nindent 12 }}
-        {{- end }}
-        {{- with .Values.containerSecurityContext.kubeRBACProxy }}
-        securityContext:
-        {{- toYaml . | nindent 12 }}
-        {{- end }}
       terminationGracePeriodSeconds: 10
       {{- with .Values.volumes }}
       volumes:

config/rbac/auth_proxy_role.yaml

@@ -26,10 +26,6 @@ image:
     repository: gcr.io/k8s-staging-capi-operator/cluster-api-operator
     tag: dev
     pullPolicy: IfNotPresent
-  kubeRBACProxy:
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
-    tag: v0.14.1
-    pullPolicy: IfNotPresent
 healthAddr: ":8081"
 metricsBindAddr: "127.0.0.1:8080"
 imagePullSecrets: {}
@@ -41,19 +37,7 @@ resources:
     requests:
       cpu: 100m
       memory: 100Mi
-  kubeRBACProxy:
-    limits:
-      cpu: 500m
-      memory: 128Mi
-    requests:
-      cpu: 5m
-      memory: 64Mi
-containerSecurityContext:
-  kubeRBACProxy:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - ALL
+containerSecurityContext: {}
 affinity:
   nodeAffinity:
     requiredDuringSchedulingIgnoredDuringExecution: