From aa27c06e6737abb84aa0f725c97b090ef3db9133 Mon Sep 17 00:00:00 2001 
From: Camila Macedo Date: Mon, 6 May 2024 16:48:52 +0100 Subject: [PATCH] Discontinue Kube RBAC Proxy in Default Kubebuilder Scaffolding --- .github/workflows/test-sample-go.yml | 6 +- .../project/config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 34 -------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../project/config/prometheus/monitor.yaml | 2 +- .../project/config/rbac/kustomization.yaml | 12 +-- ....yaml => metrics_client_cluster_role.yaml} | 0 .../project/config/rbac/metrics_role.yaml} | 2 +- .../config/rbac/metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 .../project/config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 55 ------------ .../config/default/manager_metrics_patch.yaml | 15 ++++ .../project/config/prometheus/monitor.yaml | 2 +- .../project/config/rbac/kustomization.yaml | 12 +-- ....yaml => metrics_client_cluster_role.yaml} | 0 .../project/config/rbac/metrics_role.yaml} | 2 +- .../config/rbac/metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 .../project/config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 39 --------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../project/config/prometheus/monitor.yaml | 2 +- .../project/config/rbac/kustomization.yaml | 12 +-- ....yaml => metrics_client_cluster_role.yaml} | 0 ...auth_proxy_role.yaml => metrics_role.yaml} | 2 +- .../config/rbac/metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 docs/book/src/reference/metrics.md | 71 +++++++++++++-- .../cronjob-tutorial/generate_cronjob.go | 7 -- hack/docs/internal/cronjob-tutorial/sample.go | 18 ---- pkg/plugin/util/util.go | 30 +++++++ .../common/kustomize/v2/scaffolds/api.go | 27 ++++-- .../common/kustomize/v2/scaffolds/init.go | 10 +-- .../config/kdefault/enable_matrics_patch.go | 61 +++++++++++++ .../config/kdefault/kustomization.go | 7 
+- .../kdefault/manager_auth_proxy_patch.go | 87 ------------------- .../templates/config/prometheus/monitor.go | 2 +- .../templates/config/rbac/kustomization.go | 11 ++- ..._client_role.go => metrics_client_role.go} | 14 +-- .../{auth_proxy_role.go => metrics_role.go} | 16 ++-- ...ole_binding.go => metrics_role_binding.go} | 18 ++-- ...th_proxy_service.go => metrics_service.go} | 14 +-- test/e2e/v4/generate_test.go | 4 + .../config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 39 --------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/prometheus/monitor.yaml | 2 +- .../config/rbac/kustomization.yaml | 12 +-- ....yaml => metrics_client_cluster_role.yaml} | 0 ...auth_proxy_role.yaml => metrics_role.yaml} | 2 +- ...binding.yaml => metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 .../dist/install.yaml | 31 +------ .../config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 39 --------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/prometheus/monitor.yaml | 2 +- .../config/rbac/kustomization.yaml | 12 +-- ....yaml => metrics_client_cluster_role.yaml} | 0 ...auth_proxy_role.yaml => metrics_role.yaml} | 2 +- ...binding.yaml => metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 .../project-v4-multigroup/dist/install.yaml | 31 +------ .../config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 39 --------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/prometheus/monitor.yaml | 2 +- .../config/rbac/kustomization.yaml | 12 +-- ....yaml => metrics_client_cluster_role.yaml} | 0 ...auth_proxy_role.yaml => metrics_role.yaml} | 2 +- ...binding.yaml => metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 .../dist/install.yaml | 31 +------ .../config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 39 
--------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/prometheus/monitor.yaml | 2 +- .../config/rbac/kustomization.yaml | 11 ++- ....yaml => metrics_client_cluster_role.yaml} | 0 ...auth_proxy_role.yaml => metrics_role.yaml} | 2 +- ...binding.yaml => metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 .../project-v4-with-grafana/dist/install.yaml | 31 +------ .../config/default/kustomization.yaml | 7 +- .../default/manager_auth_proxy_patch.yaml | 39 --------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../project-v4/config/prometheus/monitor.yaml | 2 +- .../project-v4/config/rbac/kustomization.yaml | 12 +-- ....yaml => metrics_client_cluster_role.yaml} | 0 ...auth_proxy_role.yaml => metrics_role.yaml} | 2 +- ...binding.yaml => metrics_role_binding.yaml} | 4 +- ...roxy_service.yaml => metrics_service.yaml} | 0 testdata/project-v4/dist/install.yaml | 31 +------ 94 files changed, 466 insertions(+), 750 deletions(-) delete mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml rename docs/book/src/component-config-tutorial/testdata/project/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (100%) rename docs/book/src/{cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml => component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml} (94%) rename docs/book/src/{getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml => component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml} (86%) rename docs/book/src/component-config-tutorial/testdata/project/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) delete mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml create 
mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml rename docs/book/src/cronjob-tutorial/testdata/project/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (100%) rename docs/book/src/{component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml => cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml} (94%) rename docs/book/src/{component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml => cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml} (86%) rename docs/book/src/cronjob-tutorial/testdata/project/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) delete mode 100644 docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml rename docs/book/src/getting-started/testdata/project/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (100%) rename docs/book/src/getting-started/testdata/project/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (94%) rename docs/book/src/{cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml => getting-started/testdata/project/config/rbac/metrics_role_binding.yaml} (86%) rename docs/book/src/getting-started/testdata/project/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) create mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/enable_matrics_patch.go delete mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go rename pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/{auth_proxy_client_role.go => metrics_client_role.go} (70%) rename pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/{auth_proxy_role.go 
=> metrics_role.go} (74%) rename pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/{auth_proxy_role_binding.go => metrics_role_binding.go} (69%) rename pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/{auth_proxy_service.go => metrics_service.go} (75%) delete mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (100%) rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (94%) rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (87%) rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) delete mode 100644 testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (100%) rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (94%) rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (86%) rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) delete mode 100644 testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_client_clusterrole.yaml => 
metrics_client_cluster_role.yaml} (100%) rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (94%) rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (87%) rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) delete mode 100644 testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (100%) rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (94%) rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (87%) rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) delete mode 100644 testdata/project-v4/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4/config/default/manager_metrics_patch.yaml rename testdata/project-v4/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (100%) rename testdata/project-v4/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (94%) rename testdata/project-v4/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (86%) rename testdata/project-v4/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (100%) diff --git a/.github/workflows/test-sample-go.yml b/.github/workflows/test-sample-go.yml index 08e1c9a1984..035ddb0aea4 100644 --- a/.github/workflows/test-sample-go.yml +++ b/.github/workflows/test-sample-go.yml 
@@ -25,8 +25,10 @@ jobs: KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH sed -i '27s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '42s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '46,143s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '33s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '38s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '47s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '51,147s/^#//' $KUSTOMIZATION_FILE_PATH - name: Test run: | diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml index e0e588792cf..421174a10b9 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml @@ -27,10 +27,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 74c49152afb..00000000000 --- a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
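Review bot: The uncomment steps still key on absolute line numbers (`33`, `38`, `47`, `51,147`) of testdata/project-v4/config/default/kustomization.yaml, so the next edit to that file silently uncomments the wrong lines — this very hunk had to renumber the old `42` and `46,143`. Matching on content is robust to that, e.g. `sed -i 's/^#- path: manager_metrics_patch.yaml/- path: manager_metrics_patch.yaml/' $KUSTOMIZATION_FILE_PATH` for the metrics line, and the same pattern for the prometheus and webhook lines. Which of the new numbers maps to which line cannot be confirmed from this diff, so the content-based form also documents what the step is enabling.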
@@ -1,34 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml index 893610e2014..ee7ee7abd33 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml 
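Review bot: `--metrics-bind-address=0.0.0.0:8080` makes the manager listen on every interface, whereas the deleted manager_auth_proxy_patch.yaml bound it to `127.0.0.1:8080` so that only the kube-rbac-proxy sidecar could reach it; controller-runtime's metrics server speaks plain HTTP with no authentication or authorization unless secure serving is enabled in main.go, which this diff does not show. The header comment (`# This patch adds the args to allow expose the metrics endpoint`) should state that consequence, e.g. `# This patch exposes /metrics on all interfaces (0.0.0.0:8080). It performs no authentication or authorization by itself; enable secure serving in main.go or place an authn/z filter or proxy in front of it before using it outside development.` The same new file (blob c23d8d9268f) is added for the cronjob-tutorial and getting-started testdata in the hunks below, so the comment applies there as well.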
@@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml index 9f6506d4c5b..de9ecfd0693 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml @@ -10,15 +10,15 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - projectconfig_editor_role.yaml - projectconfig_viewer_role.yaml + 
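Review bot: The ServiceMonitor keeps `scheme: https` and `bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token` while the new manager_metrics_patch.yaml binds the manager to `0.0.0.0:8080`, which in controller-runtime is plain HTTP unless secure serving is configured, so Prometheus will either fail the TLS handshake or, if the Service is later pointed at the HTTP port, send its service-account token to an endpoint that never validates it. The added `# TODO(user): Not use this configuration for production` on `insecureSkipVerify` is welcome but does not resolve that mismatch; either scrape with `scheme: http` and no bearer token for the unauthenticated setup, or keep https, enable secure serving and replace `insecureSkipVerify` with a CA entry in `tlsConfig`. metrics_service.yaml is renamed at 100% similarity, so it presumably still exposes the proxy's https port and should be checked against the new bind address. The same hunk appears in the cronjob-tutorial and getting-started monitor.yaml files below.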
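Review bot: The rewritten comment `# the metrics which protects your /metrics endpoint.` is misleading: the four manifests listed under it are the former kube-rbac-proxy's Service, ClusterRole (its first rule targets `authentication.k8s.io`, presumably the token-review permission the proxy used), ClusterRoleBinding and client ClusterRole, and with the sidecar removed nothing in the scaffold performs that check, so installing them grants the controller's service account permissions it no longer exercises while enforcing nothing. Say what they are for and why they are kept, e.g. `# The following 4 files provide the Service, ClusterRole/Binding and client ClusterRole needed when /metrics is protected by an authn/z proxy or filter; they enforce nothing on their own. Comment them out if you do not protect the endpoint.` The same comment is introduced in the cronjob-tutorial and getting-started rbac/kustomization.yaml hunks below.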
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml similarity index 100% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml similarity index 94% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml index 17e0a11d32b..2265a70613e 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml similarity index 86% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml index e1f50c3178a..e94f3a89e4c 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml 
@@ -4,11 +4,11 @@ metadata: labels: app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml similarity index 100% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index e445fec445d..ba2b3d2cbd3 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml @@ -27,10 +27,9 @@ resources: - ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml 
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 1064aa49c80..00000000000 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,55 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml 
@@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml index 893610e2014..ee7ee7abd33 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml @@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml index 8db606e9e72..fbe26d33c8f 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml 
@@ -10,15 +10,15 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - cronjob_editor_role.yaml - cronjob_viewer_role.yaml + diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml similarity index 100% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml similarity index 94% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml index 17e0a11d32b..2265a70613e 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml 
@@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml similarity index 86% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml index e1f50c3178a..e94f3a89e4c 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml @@ -4,11 +4,11 @@ metadata: labels: app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml similarity index 100% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index d851be9cae7..32c1863fbc5 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml 
@@ -27,10 +27,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" 
diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml index 893610e2014..ee7ee7abd33 100644 --- a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml @@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml index 3dc289427b8..67272c849a9 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml 
@@ -10,15 +10,15 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - memcached_editor_role.yaml - memcached_viewer_role.yaml + diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_client_cluster_role.yaml similarity index 100% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_client_cluster_role.yaml diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role.yaml similarity index 94% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_role.yaml index 17e0a11d32b..2265a70613e 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role.yaml 
@@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role_binding.yaml similarity index 86% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_role_binding.yaml index e1f50c3178a..e94f3a89e4c 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role_binding.yaml @@ -4,11 +4,11 @@ metadata: labels: app.kubernetes.io/name: project app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml similarity index 100% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml diff --git a/docs/book/src/reference/metrics.md b/docs/book/src/reference/metrics.md index 33e7e3b0a13..31c8bea5b18 100644 --- a/docs/book/src/reference/metrics.md +++ b/docs/book/src/reference/metrics.md 
@@ -3,13 +3,66 @@ By default, controller-runtime builds a global prometheus registry and publishes [a collection of performance metrics](/reference/metrics-reference.md) for each controller. + + +## Enabling the Metrics + +First, you will need enable the Metrics by uncommenting the following line +in the file `config/default/kustomization.yaml`, see: + +```sh +# [Metrics] The following patch will enable the metrics endpoint. +# Ensure that you also protect this endpoint. +#- path: manager_metrics_patch.yaml +``` + ## Protecting the Metrics -These metrics are protected by [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) -by default if using kubebuilder. Kubebuilder v2.2.0+ scaffold a clusterrole which -can be found at `config/rbac/auth_proxy_client_clusterrole.yaml`. +Unprotected metrics endpoints can expose valuable data to unauthorized users, +such as system performance, application behavior, and potentially confidential +operational metrics. This exposure can lead to security vulnerabilities +where an attacker could gain insights into the system's operation +and exploit weaknesses. + +## RBAC Permissions for Metrics -You will need to grant permissions to your Prometheus server so that it can +Kubebuilder scaffold a clusterrole which +can be found at `config/rbac/metrics_client_cluster_role.yaml`. + +Then, you will need to grant permissions to your Prometheus server so that it can scrape the protected metrics. To achieve that, you can create a `clusterRoleBinding` to bind the `clusterRole` to the service account that your Prometheus server uses. If you are using [kube-prometheus](https://github.com/prometheus-operator/kube-prometheus), 
@@ -91,6 +144,14 @@ for the metrics exported from the namespace where the project is running Screenshot 2019-10-02 at 13 07 13 +## Consuming the Metrics from other Pods. + +Then, see an example to create a Pod using Curl to reach out the metrics: + +```sh +kubectl run curl --restart=Never -n --image=curlimages/curl:7.78.0 -- /bin/sh -c "curl -v http://-controller-manager-metrics-service..svc.cluster.local:8080/metrics" +``` + ## Publishing Additional Metrics If you wish to publish additional metrics from your controllers, this @@ -141,4 +202,4 @@ In order to publish metrics and view them on the Prometheus UI, the Prometheus i Those metrics will be available for prometheus or other openmetrics systems to scrape. -![Screen Shot 2021-06-14 at 10 15 59 AM](https://user-images.githubusercontent.com/37827279/121932262-8843cd80-ccf9-11eb-9c8e-98d0eda80169.png) +![Screen Shot 2021-06-14 at 10 15 59 AM](https://user-images.githubusercontent.com/37827279/121932262-8843cd80-ccf9-11eb-9c8e-98d0eda80169.png) \ No newline at end of file diff --git a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go index 97258ee47aa..3de1859c668 100644 --- a/hack/docs/internal/cronjob-tutorial/generate_cronjob.go +++ b/hack/docs/internal/cronjob-tutorial/generate_cronjob.go @@ -583,13 +583,6 @@ func updateExample(sp *Sample) { filepath.Join(sp.ctx.Dir, "config/samples/batch_v1_cronjob.yaml"), `# TODO(user): Add fields here`, "") CheckError("fixing samples/batch_v1_cronjob.yaml", err) - - // update default/manager_auth_proxy_patch.yaml - err = pluginutil.InsertCode( - filepath.Join(sp.ctx.Dir, "config/default/manager_auth_proxy_patch.yaml"), - ` template: - spec:`, ManagerAuthProxySample) - CheckError("fixing default/manager_auth_proxy_patch.yaml", err) } func addControllerTest(sp *Sample) { diff --git a/hack/docs/internal/cronjob-tutorial/sample.go b/hack/docs/internal/cronjob-tutorial/sample.go index baebb4cfa4b..7e413af1065 100644 
--- a/hack/docs/internal/cronjob-tutorial/sample.go +++ b/hack/docs/internal/cronjob-tutorial/sample.go @@ -130,21 +130,3 @@ const DefaultKustomization = `#replacements: # delimiter: '.' # index: 1 # create: true` - -const ManagerAuthProxySample = ` - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux` diff --git a/pkg/plugin/util/util.go b/pkg/plugin/util/util.go index ebf5418adda..bae4e76f47f 100644 --- a/pkg/plugin/util/util.go +++ b/pkg/plugin/util/util.go @@ -97,6 +97,36 @@ func InsertCodeIfNotExist(filename, target, code string) error { return InsertCode(filename, target, code) } +// AppendCodeIfNotExist checks if the code does not already exist in the file, and if not, appends it to the end. +func AppendCodeIfNotExist(filename, code string) error { + contents, err := os.ReadFile(filename) + if err != nil { + return err + } + + if strings.Contains(string(contents), code) { + return nil // Code already exists, no need to append. + } + + return AppendCodeAtTheEnd(filename, code) +} + +// AppendCodeAtTheEnd appends the given code at the end of the file. +func AppendCodeAtTheEnd(filename, code string) error { + f, err := os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0644) + if err != nil { + return err + } + defer func() { + if err := f.Close(); err != nil { + return + } + }() + + _, err = f.WriteString(code) + return err +} + // UncommentCode searches for target in the file and remove the comment prefix // of the target content. The target content may span multiple lines. func UncommentCode(filename, target, prefix string) error { diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/api.go b/pkg/plugins/common/kustomize/v2/scaffolds/api.go index dc875d01235..03e3ec2b8e6 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/api.go 
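Review bot: In the new `AppendCodeAtTheEnd` the deferred `f.Close()` error is discarded (`if err := f.Close(); err != nil { return }`), so a write that only fails at close time is reported as success and the caller in api.go goes on believing `config/rbac/kustomization.yaml` was updated. Use a named result and propagate the close error when no earlier error is set; the `0644` mode is also inert because the file is opened without `os.O_CREATE`, which is fine but worth a comment so nobody assumes the helper creates files. The sibling `AppendCodeIfNotExist` is unaffected since it only reads and delegates.

```go
// AppendCodeAtTheEnd appends the given code at the end of an existing file.
func AppendCodeAtTheEnd(filename, code string) (err error) {
	// No O_CREATE: the file must already exist, so the mode is never applied.
	f, err := os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0644)
	if err != nil {
		return err
	}
	defer func() {
		// A buffered write can fail at Close; do not hide it behind a nil return.
		if cerr := f.Close(); cerr != nil && err == nil {
			err = cerr
		}
	}()

	_, err = f.WriteString(code)
	return err
}
```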
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/api.go 
@@ -102,28 +102,37 @@ func (s *apiScaffolder) Scaffold() error { // Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml rbacKustomizeFilePath := "config/rbac/kustomization.yaml" - comment := ` -# For each CRD, "Editor" and "Viewer" roles are scaffolded by -# default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines -# if you do not want those helpers be installed with your Project.` - err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, - "- auth_proxy_client_clusterrole.yaml", comment) + err = pluginutil.AppendCodeIfNotExist(rbacKustomizeFilePath, + editViewRulesCommentFragment) if err != nil { - log.Errorf("Unable to add a comment in the file "+ + log.Errorf("Unable to append the edit/view roles editViewRulesCommentFragment in the file "+ "%s.", rbacKustomizeFilePath) } crdName := strings.ToLower(s.resource.Kind) if s.config.IsMultiGroup() && s.resource.Group != "" { crdName = strings.ToLower(s.resource.Group) + "_" + crdName } - err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, comment, + err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, editViewRulesCommentFragment, fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName)) if err != nil { log.Errorf("Unable to add Editor and Viewer roles in the file "+ "%s.", rbacKustomizeFilePath) } + // Add an empty line at the end of the file + err = pluginutil.AppendCodeIfNotExist(rbacKustomizeFilePath, + ` + +`) + if err != nil { + log.Errorf("Unable to append empty line at the end of the file"+ + "%s.", rbacKustomizeFilePath) + } } return nil } + +const editViewRulesCommentFragment = `# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the Project itself. You can comment the following lines +# if you do not want those helpers be installed with your Project.` 
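Review bot: The trailing `AppendCodeIfNotExist(rbacKustomizeFilePath, "\n\n")` does not do what its comment says: `AppendCodeIfNotExist` uses `strings.Contains` on the whole file, so any file that already has one blank line anywhere skips the append, and a file that has none gets two newlines rather than one. If the intent is a terminating newline, check the suffix instead, e.g. `if !strings.HasSuffix(contents, "\n") { err = pluginutil.AppendCodeAtTheEnd(rbacKustomizeFilePath, "\n") }` (that needs the contents read here, or a small `EnsureTrailingNewline` helper next to the new util functions). Separately, the user-facing log line now leaks a Go identifier: `"Unable to append the edit/view roles editViewRulesCommentFragment in the file %s."` should read `"Unable to append the edit/view roles comment in the file %s."`. Note that every error in this block is only logged and `Scaffold` still returns nil, which predates this change but now also covers the new append paths.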
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/init.go b/pkg/plugins/common/kustomize/v2/scaffolds/init.go index baea4bb55c6..9111e1efcfc 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/init.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/init.go @@ -64,10 +64,10 @@ func (s *initScaffolder) Scaffold() error { templates := []machinery.Builder{ &rbac.Kustomization{}, - &rbac.AuthProxyRole{}, - &rbac.AuthProxyRoleBinding{}, - &rbac.AuthProxyService{}, - &rbac.AuthProxyClientRole{}, + &rbac.MetricsRole{}, + &rbac.MonitoringBinding{}, + &rbac.MetricsClientRole{}, + &rbac.MetricsService{}, &rbac.RoleBinding{}, // We need to create a Role because if the project // has not CRD define the controller-gen will not generate this file @@ -76,9 +76,9 @@ func (s *initScaffolder) Scaffold() error { &rbac.LeaderElectionRoleBinding{}, &rbac.ServiceAccount{}, &manager.Kustomization{}, + &kdefault.ManagerMetricsPatch{}, &manager.Config{Image: imageName}, &kdefault.Kustomization{}, - &kdefault.ManagerAuthProxyPatch{}, &kdefault.ManagerConfigPatch{}, &prometheus.Kustomization{}, &prometheus.Monitor{}, diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/enable_matrics_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/enable_matrics_patch.go new file mode 100644 index 00000000000..7a7a7e6a596 --- /dev/null +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/enable_matrics_patch.go 
@@ -0,0 +1,61 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kdefault
+
+import (
+ "path/filepath"
+
+ "sigs.k8s.io/kubebuilder/v3/pkg/machinery"
+)
+
+var _ machinery.Template = &ManagerMetricsPatch{}
+
+// ManagerMetricsPatch scaffolds a file that defines the patch that enables prometheus metrics for the manager
+type ManagerMetricsPatch struct {
+ machinery.TemplateMixin
+ machinery.ComponentConfigMixin
+}
+
+// SetTemplateDefaults implements file.Template
+func (f *ManagerMetricsPatch) SetTemplateDefaults() error {
+ if f.Path == "" {
+ f.Path = filepath.Join("config", "default", "manager_metrics_patch.yaml")
+ }
+
+ f.TemplateBody = kustomizeMetricsPatchTemplate
+
+ f.IfExistsAction = machinery.Error
+
+ return nil
+}
+
+const kustomizeMetricsPatchTemplate = `# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=0.0.0.0:8080"
+ - "--leader-elect"
+`
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go
index 319bcf1a6b3..5eccf772296 100644
--- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go
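Review bot: The generated patch sets `--metrics-bind-address=0.0.0.0:8080`, which serves /metrics as plain HTTP on every pod interface with no authentication or authorization, whereas the template this replaces (deleted further down in this diff) kept the manager on `127.0.0.1:8080` behind kube-rbac-proxy; the one-line header `# This patch adds the args to allow expose the metrics endpoint` says nothing about that, and the YAML is what users actually read. Replace the header with a comment such as `# This patch exposes the metrics endpoint as plain HTTP on all pod interfaces (0.0.0.0:8080) WITHOUT authn/authz.` followed by `# Restrict access (e.g. a NetworkPolicy) or serve it with TLS plus an authentication/authorization filter before using it outside development.` The struct still embeds `machinery.ComponentConfigMixin` but the template no longer references `.ComponentConfig`; the old template guarded the manager args with `{{- if not .ComponentConfig }}`, so if component-config projects are still supported this patch now sets the args unconditionally — worth confirming, otherwise drop the mixin. The new file name `enable_matrics_patch.go` also misspells "metrics".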
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go @@ -73,10 +73,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml {{ if .ComponentConfig -}} # Mount the controller config file for loading manager configurations diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go deleted file mode 100644 index d8d57261952..00000000000 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go +++ /dev/null 
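Review bot: The new comment `# [METRICS] ... Ensure that you also protect this endpoint.` names no mechanism, and nothing left in the scaffold protects it: the kube-rbac-proxy patch is removed and `manager_metrics_patch.yaml` binds plain HTTP on `0.0.0.0:8080`. Say what "protect" means in practice, e.g. `# Uncommenting exposes /metrics as plain HTTP on all pod interfaces with no authn/authz; add a NetworkPolicy or enable TLS + an authentication/authorization filter in the manager before production.` The wording "If you want to expose ... uncomment" also presumes the endpoint is not reachable while the patch is commented out; that only holds if the `--metrics-bind-address` default in the scaffolded main.go (not in this diff) is not itself `:8080`, so please verify and, if it is, note that the patch only pins the address rather than enabling the listener.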
@@ -1,87 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package kdefault - -import ( - "path/filepath" - - "sigs.k8s.io/kubebuilder/v3/pkg/machinery" -) - -var _ machinery.Template = &ManagerAuthProxyPatch{} - -// ManagerAuthProxyPatch scaffolds a file that defines the patch that enables prometheus metrics for the manager -type ManagerAuthProxyPatch struct { - machinery.TemplateMixin - machinery.ComponentConfigMixin -} - -// SetTemplateDefaults implements file.Template -func (f *ManagerAuthProxyPatch) SetTemplateDefaults() error { - if f.Path == "" { - f.Path = filepath.Join("config", "default", "manager_auth_proxy_patch.yaml") - } - - f.TemplateBody = kustomizeAuthProxyPatchTemplate - - f.IfExistsAction = machinery.Error - - return nil -} - -const kustomizeAuthProxyPatchTemplate = `# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi -{{- if not .ComponentConfig }} - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" -{{- end }} -` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go index 339ca03f072..68e599044f6 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus/monitor.go @@ -58,7 +58,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go index d3ea9b22fd9..4133078507f 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/kustomization.go 
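Review bot: The added `# TODO(user): Not use this configuration for production` on `insecureSkipVerify: true` does not say what the setting does or what to use instead; a reader should not have to know that it disables verification of the scraped endpoint's serving certificate and so permits a man-in-the-middle between Prometheus and the manager. Suggest `# TODO(user): insecureSkipVerify disables server certificate verification (MITM risk). For production serve metrics with a trusted certificate and set tlsConfig.caFile/serverName instead.` There is also a consistency question the diff leaves open: this monitor still uses `scheme: https` and a `bearerTokenFile`, while the only metrics listener the scaffold now configures is plain HTTP on 8080, and the proxy that terminated TLS on 8443 is gone; unless `metrics_service.yaml` (renamed unchanged, contents not shown) and the manager are changed to serve TLS, this ServiceMonitor will fail to scrape, so the TLS/bearer settings and the service port should be revisited together.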
@@ -54,10 +54,9 @@ const kustomizeRBACTemplate = `resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml ` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_client_role.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_client_role.go similarity index 70% rename from pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_client_role.go rename to pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_client_role.go index a348524ab4a..c178ab71ce7 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_client_role.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_client_role.go 
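Review bot: The rewritten comment `# Comment the following 4 lines if you want to disable the metrics which protects your /metrics endpoint.` is no longer true: with kube-rbac-proxy removed, the Service, ClusterRole, binding and client ClusterRole listed here do not protect anything, they only publish the endpoint and grant roles. Reword to what they now do, e.g. `# The following 4 lines publish the metrics Service and the RBAC resources used by metrics scrapers. They do NOT restrict access to /metrics; comment them out if you do not expose metrics.` Note the retained `metrics_role.yaml` still grants the controller-manager ServiceAccount rules under `authentication.k8s.io` (visible in the metrics_role.go hunk below), which existed for the proxy's token reviews; leaving that privilege on a workload that no longer performs them is the opposite of least privilege and should either be dropped or justified in the comment.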
@@ -22,26 +22,26 @@ import ( "sigs.k8s.io/kubebuilder/v3/pkg/machinery" ) -var _ machinery.Template = &AuthProxyClientRole{} +var _ machinery.Template = &MetricsClientRole{} -// AuthProxyClientRole scaffolds a file that defines the role for the metrics reader -type AuthProxyClientRole struct { +// MetricsClientRole scaffolds a file that defines the role for the metrics reader +type MetricsClientRole struct { machinery.TemplateMixin machinery.ProjectNameMixin } // SetTemplateDefaults implements file.Template -func (f *AuthProxyClientRole) SetTemplateDefaults() error { +func (f *MetricsClientRole) SetTemplateDefaults() error { if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_client_clusterrole.yaml") + f.Path = filepath.Join("config", "rbac", "metrics_client_cluster_role.yaml") } - f.TemplateBody = clientClusterRoleTemplate + f.TemplateBody = metricsClientClusterRoleTemplate return nil } -const clientClusterRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1 +const metricsClientClusterRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_role.go similarity index 74% rename from pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role.go rename to pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_role.go index d1b639c0ee3..f45a39855d2 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_role.go 
@@ -22,32 +22,32 @@ import ( "sigs.k8s.io/kubebuilder/v3/pkg/machinery" ) -var _ machinery.Template = &AuthProxyRole{} +var _ machinery.Template = &MetricsRole{} -// AuthProxyRole scaffolds a file that defines the role for the auth proxy -type AuthProxyRole struct { +// MetricsRole scaffolds a file that defines the role for the auth proxy +type MetricsRole struct { machinery.TemplateMixin machinery.ProjectNameMixin } // SetTemplateDefaults implements file.Template -func (f *AuthProxyRole) SetTemplateDefaults() error { +func (f *MetricsRole) SetTemplateDefaults() error { if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_role.yaml") + f.Path = filepath.Join("config", "rbac", "metrics_role.yaml") } - f.TemplateBody = proxyRoleTemplate + f.TemplateBody = metricsRoleTemplate return nil } -const proxyRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1 +const metricsRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/name: {{ .ProjectName }} app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_role_binding.go similarity index 69% rename from pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go rename to pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_role_binding.go index 4ee86ed5c0f..9ea74c8679f 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_role_binding.go 
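Review bot: `MetricsRole`'s doc comment still reads `// MetricsRole scaffolds a file that defines the role for the auth proxy`, but this commit removes the auth proxy, so the comment now documents a consumer that does not exist; the template it renders keeps the `authentication.k8s.io` rule (the rest of the rules are outside the hunk) that kube-rbac-proxy needed to perform TokenReviews and SubjectAccessReviews on the controller-manager's behalf. If no remaining component in the scaffold performs those reviews, this ClusterRole hands the manager's ServiceAccount an unused privilege and should be trimmed; if it is intentionally kept for a future in-process authn/authz filter, say so. Suggested comment: `// MetricsRole scaffolds a ClusterRole bound to the controller-manager ServiceAccount; it grants the authentication/authorization review permissions needed only when the metrics endpoint itself performs authn/authz (not scaffolded by default).`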
@@ -22,36 +22,36 @@ import ( "sigs.k8s.io/kubebuilder/v3/pkg/machinery" ) -var _ machinery.Template = &AuthProxyRoleBinding{} +var _ machinery.Template = &MonitoringBinding{} -// AuthProxyRoleBinding scaffolds a file that defines the role binding for the auth proxy -type AuthProxyRoleBinding struct { +// MonitoringBinding scaffolds a file that defines the role binding for the auth proxy +type MonitoringBinding struct { machinery.TemplateMixin machinery.ProjectNameMixin } // SetTemplateDefaults implements file.Template -func (f *AuthProxyRoleBinding) SetTemplateDefaults() error { +func (f *MonitoringBinding) SetTemplateDefaults() error { if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_role_binding.yaml") + f.Path = filepath.Join("config", "rbac", "metrics_role_binding.yaml") } - f.TemplateBody = proxyRoleBindinggTemplate + f.TemplateBody = metricsRoleBindinggTemplate return nil } -const proxyRoleBindinggTemplate = `apiVersion: rbac.authorization.k8s.io/v1 +const metricsRoleBindinggTemplate = `apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: {{ .ProjectName }} app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_service.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_service.go similarity index 75% rename from pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_service.go rename to pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_service.go index 219efc86ed7..c5e5da558ed 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/auth_proxy_service.go 
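Review bot: The new type name `MonitoringBinding` breaks the naming pattern used by its siblings in this commit (`MetricsRole`, `MetricsClientRole`, `MetricsService`) and by the file it renders, `metrics_role_binding.yaml`; `MetricsRoleBinding` would let a reader pair type, file and resource at a glance, and init.go's builder list would read consistently. The rename also carried over the `metricsRoleBindinggTemplate` typo (double "g") and the stale doc comment `// MonitoringBinding scaffolds a file that defines the role binding for the auth proxy`, which should now say `// MetricsRoleBinding scaffolds a file that binds the metrics ClusterRole to the controller-manager ServiceAccount`.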
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/metrics_service.go @@ -22,26 +22,26 @@ import ( "sigs.k8s.io/kubebuilder/v3/pkg/machinery" ) -var _ machinery.Template = &AuthProxyService{} +var _ machinery.Template = &MetricsService{} -// AuthProxyService scaffolds a file that defines the service for the auth proxy -type AuthProxyService struct { +// MetricsService scaffolds a file that defines the service for the auth proxy +type MetricsService struct { machinery.TemplateMixin machinery.ProjectNameMixin } // SetTemplateDefaults implements file.Template -func (f *AuthProxyService) SetTemplateDefaults() error { +func (f *MetricsService) SetTemplateDefaults() error { if f.Path == "" { - f.Path = filepath.Join("config", "rbac", "auth_proxy_service.yaml") + f.Path = filepath.Join("config", "rbac", "metrics_service.yaml") } - f.TemplateBody = authProxyServiceTemplate + f.TemplateBody = metricsServiceTemplate return nil } -const authProxyServiceTemplate = `apiVersion: v1 +const metricsServiceTemplate = `apiVersion: v1 kind: Service metadata: labels: diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go index 02f72b01910..9a8155ca84d 100644 --- a/test/e2e/v4/generate_test.go +++ b/test/e2e/v4/generate_test.go @@ -63,6 +63,10 @@ func GenerateV4(kbc *utils.TestContext) { ExpectWithOffset(1, pluginutil.UncommentCode( filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), "#- path: webhookcainjection_patch.yaml", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- path: manager_metrics_patch.yaml", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode(filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), certManagerTarget, "#")).To(Succeed()) 
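Review bot: `MetricsService` keeps the doc comment `// MetricsService scaffolds a file that defines the service for the auth proxy`, which is stale after this commit; suggest `// MetricsService scaffolds the Service that publishes the controller-manager's metrics endpoint`. Only the identifier lines of the template changed here and the rendered `metrics_service.yaml` in testdata is a 100%-similarity rename, so the Service body (not visible in the hunk) is unchanged; if it still targets the proxy's `https`/8443 port, it now points at nothing, while the manager listens on plain-HTTP 8080 per the new patch, and the port/name should be reconciled with the ServiceMonitor in the same change.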
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml index 2f78dfb54aa..b5f4c2a79b6 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml @@ -27,10 +27,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml index c7e880652bc..68b33ecd8b5 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml 
+++ b/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml @@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml index 08b359e46b5..5dc6fddec28 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml @@ -10,12 +10,11 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -40,3 +39,4 @@ resources: - ship_frigate_viewer_role.yaml - crew_captain_editor_role.yaml - crew_captain_viewer_role.yaml + 
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml similarity index 100% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role.yaml similarity index 94% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role.yaml index 13038ff7689..82404922028 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: project-v4-multigroup-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role_binding.yaml similarity index 87% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role_binding.yaml index aae73208a49..e90cead25f4 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role_binding.yaml 
@@ -4,11 +4,11 @@ metadata: labels: app.kubernetes.io/name: project-v4-multigroup-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml similarity index 100% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml diff --git a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml index 26592d65d9a..46b43298a67 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml @@ -1208,7 +1208,7 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - name: project-v4-multigroup-with-deploy-image-proxy-role + name: project-v4-multigroup-with-deploy-image-metrics-role rules: - apiGroups: - authentication.k8s.io @@ -1512,11 +1512,11 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-multigroup-with-deploy-image - name: project-v4-multigroup-with-deploy-image-proxy-rolebinding + name: project-v4-multigroup-with-deploy-image-metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: project-v4-multigroup-with-deploy-image-proxy-role + name: project-v4-multigroup-with-deploy-image-metrics-role subjects: - kind: ServiceAccount name: project-v4-multigroup-with-deploy-image-controller-manager 
@@ -1579,8 +1579,6 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager @@ -1618,29 +1616,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-multigroup-with-deploy-image-controller-manager diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 9fe6e3630df..ac074b25f9c 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml @@ -27,10 +27,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml 
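Review bot: With `#- path: manager_metrics_patch.yaml` commented out, the manager no longer receives `--metrics-bind-address` or `--health-probe-bind-address` at all (the regenerated dist/install.yaml hunks in this diff show the args reduced to `--leader-elect`), so the effective listen addresses are whatever main.go's flag defaults are, which this chunk does not show. If the metrics default is still `:8080`, the endpoint is exposed unauthenticated over HTTP without the user opting in; if the probe default is not `:8081`, the liveness/readiness probes in the Deployment break. Confirm the defaults and state them in the comment, e.g. `# [METRICS] Uncomment to expose the metrics endpoint; with this line commented the bind addresses fall back to the defaults in cmd/main.go.` Same in the default/kustomization.yaml hunks for project-v4-with-deploy-image, project-v4-with-grafana and project-v4 below.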
diff --git a/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" 
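Review bot: `--metrics-bind-address=0.0.0.0:8080` binds the endpoint on every interface where the deleted patch bound `127.0.0.1:8080` behind an authenticating, TLS-terminating sidecar, and nothing in this file or the kustomization that enables it configures TLS or authn/authz, so uncommenting it exposes metrics to anything that can reach the pod unless the manager's metrics server applies those itself — not visible here. The header comment `# This patch adds the args to allow expose the metrics endpoint` should say so and fix the grammar: `# This patch exposes the metrics endpoint on 0.0.0.0:8080 (plain HTTP unless main.go enables secure serving). Protect it with TLS and an authn/authz filter; config/rbac/metrics_role.yaml and config/prometheus/monitor.yaml assume HTTPS.` The same applies to the new-file hunks under project-v4-with-deploy-image, project-v4-with-grafana and project-v4.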
diff --git a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml index bb60c0d334a..443f65de517 100644 --- a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml +++ b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml @@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml index 08b359e46b5..5dc6fddec28 100644 --- a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml @@ -10,12 +10,11 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -40,3 +39,4 @@ resources: - ship_frigate_viewer_role.yaml - crew_captain_editor_role.yaml - crew_captain_viewer_role.yaml + 
diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_client_cluster_role.yaml similarity index 100% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_client_cluster_role.yaml diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_role.yaml similarity index 94% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_role.yaml index 56c97ddca82..a7b19928c33 100644 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml +++ b/testdata/project-v4-multigroup/config/rbac/metrics_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: project-v4-multigroup app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_role_binding.yaml similarity index 86% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_role_binding.yaml index 10f89301cdb..3af6d2f11cc 100644 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml +++ b/testdata/project-v4-multigroup/config/rbac/metrics_role_binding.yaml @@ -4,11 +4,11 @@ metadata: labels: app.kubernetes.io/name: project-v4-multigroup app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager 
diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_service.yaml similarity index 100% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_service.yaml diff --git a/testdata/project-v4-multigroup/dist/install.yaml b/testdata/project-v4-multigroup/dist/install.yaml index e2584bdeac2..e0331e1d27f 100644 --- a/testdata/project-v4-multigroup/dist/install.yaml +++ b/testdata/project-v4-multigroup/dist/install.yaml @@ -1208,7 +1208,7 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-multigroup - name: project-v4-multigroup-proxy-role + name: project-v4-multigroup-metrics-role rules: - apiGroups: - authentication.k8s.io @@ -1512,11 +1512,11 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-multigroup - name: project-v4-multigroup-proxy-rolebinding + name: project-v4-multigroup-metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: project-v4-multigroup-proxy-role + name: project-v4-multigroup-metrics-role subjects: - kind: ServiceAccount name: project-v4-multigroup-controller-manager @@ -1579,8 +1579,6 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager 
@@ -1618,29 +1616,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-multigroup-controller-manager diff --git a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml index 62e78ccdbbe..a81c828747b 100644 --- a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml @@ -27,10 +27,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml b/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml index 0f805f2c2e7..51baef4b2e0 100644 --- a/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml +++ b/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml 
@@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml index 67076dab990..3f08cb60620 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml @@ -10,12 +10,11 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -24,3 +23,4 @@ resources: - busybox_viewer_role.yaml - memcached_editor_role.yaml - memcached_viewer_role.yaml + diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml similarity index 100% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml 
diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role.yaml similarity index 94% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_role.yaml index 438d9bd0702..690aba51194 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: project-v4-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role_binding.yaml similarity index 87% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_role_binding.yaml index 3be0002395d..caba0e4981c 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role_binding.yaml @@ -4,11 +4,11 @@ metadata: labels: app.kubernetes.io/name: project-v4-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager 
diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml similarity index 100% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml diff --git a/testdata/project-v4-with-deploy-image/dist/install.yaml b/testdata/project-v4-with-deploy-image/dist/install.yaml index 70babe98cbe..8a820153db9 100644 --- a/testdata/project-v4-with-deploy-image/dist/install.yaml +++ b/testdata/project-v4-with-deploy-image/dist/install.yaml @@ -534,7 +534,7 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-with-deploy-image - name: project-v4-with-deploy-image-proxy-role + name: project-v4-with-deploy-image-metrics-role rules: - apiGroups: - authentication.k8s.io @@ -588,11 +588,11 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-with-deploy-image - name: project-v4-with-deploy-image-proxy-rolebinding + name: project-v4-with-deploy-image-metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: project-v4-with-deploy-image-proxy-role + name: project-v4-with-deploy-image-metrics-role subjects: - kind: ServiceAccount name: project-v4-with-deploy-image-controller-manager @@ -655,8 +655,6 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager 
@@ -699,29 +697,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-with-deploy-image-controller-manager diff --git a/testdata/project-v4-with-grafana/config/default/kustomization.yaml b/testdata/project-v4-with-grafana/config/default/kustomization.yaml index 7fca0820b0c..b6daeb7047d 100644 --- a/testdata/project-v4-with-grafana/config/default/kustomization.yaml +++ b/testdata/project-v4-with-grafana/config/default/kustomization.yaml @@ -27,10 +27,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml b/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml index 8505bfa5bfc..47e4734ad4d 100644 --- a/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml +++ b/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml 
@@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml b/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml index 731832a6ac3..9109783ed39 100644 --- a/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml +++ b/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml @@ -10,9 +10,8 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# the metrics which protects your /metrics endpoint. +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_client_cluster_role.yaml similarity index 100% rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml rename to testdata/project-v4-with-grafana/config/rbac/metrics_client_cluster_role.yaml diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_role.yaml similarity index 94% rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml rename to testdata/project-v4-with-grafana/config/rbac/metrics_role.yaml index 979bc272f7a..44a25d5fb06 100644 --- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml 
+++ b/testdata/project-v4-with-grafana/config/rbac/metrics_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: project-v4-with-grafana app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_role_binding.yaml similarity index 87% rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml rename to testdata/project-v4-with-grafana/config/rbac/metrics_role_binding.yaml index b5302ea3805..cd500e72cf2 100644 --- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml +++ b/testdata/project-v4-with-grafana/config/rbac/metrics_role_binding.yaml @@ -4,11 +4,11 @@ metadata: labels: app.kubernetes.io/name: project-v4-with-grafana app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml similarity index 100% rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml diff --git a/testdata/project-v4-with-grafana/dist/install.yaml b/testdata/project-v4-with-grafana/dist/install.yaml index 5877a647805..f832955adc9 100644 --- a/testdata/project-v4-with-grafana/dist/install.yaml +++ b/testdata/project-v4-with-grafana/dist/install.yaml 
@@ -93,7 +93,7 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-with-grafana - name: project-v4-with-grafana-proxy-role + name: project-v4-with-grafana-metrics-role rules: - apiGroups: - authentication.k8s.io @@ -147,11 +147,11 @@ metadata: labels: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: project-v4-with-grafana - name: project-v4-with-grafana-proxy-rolebinding + name: project-v4-with-grafana-metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: project-v4-with-grafana-proxy-role + name: project-v4-with-grafana-metrics-role subjects: - kind: ServiceAccount name: project-v4-with-grafana-controller-manager @@ -198,31 +198,6 @@ spec: spec: containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml index ae7fc170730..45e22d821f0 100644 --- a/testdata/project-v4/config/default/kustomization.yaml +++ b/testdata/project-v4/config/default/kustomization.yaml 
@@ -27,10 +27,9 @@ resources: #- ../prometheus patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" 
diff --git a/testdata/project-v4/config/default/manager_metrics_patch.yaml b/testdata/project-v4/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/testdata/project-v4/config/prometheus/monitor.yaml b/testdata/project-v4/config/prometheus/monitor.yaml index 767555588d4..508a47f266c 100644 --- a/testdata/project-v4/config/prometheus/monitor.yaml +++ b/testdata/project-v4/config/prometheus/monitor.yaml @@ -15,7 +15,7 @@ spec: scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + insecureSkipVerify: true # TODO(user): Not use this configuration for production selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4/config/rbac/kustomization.yaml b/testdata/project-v4/config/rbac/kustomization.yaml index 8518bf9e24d..59b33241e4c 100644 --- a/testdata/project-v4/config/rbac/kustomization.yaml +++ b/testdata/project-v4/config/rbac/kustomization.yaml 
@@ -10,12 +10,11 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+# the metrics which protects your /metrics endpoint.
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+- metrics_client_cluster_role.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
@@ -26,3 +25,4 @@ resources:
 - firstmate_viewer_role.yaml
 - captain_editor_role.yaml
 - captain_viewer_role.yaml
+
diff --git a/testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4/config/rbac/metrics_client_cluster_role.yaml
similarity index 100%
rename from testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml
rename to testdata/project-v4/config/rbac/metrics_client_cluster_role.yaml
diff --git a/testdata/project-v4/config/rbac/auth_proxy_role.yaml b/testdata/project-v4/config/rbac/metrics_role.yaml
similarity index 94%
rename from testdata/project-v4/config/rbac/auth_proxy_role.yaml
rename to testdata/project-v4/config/rbac/metrics_role.yaml
index 43aa96480ad..22183eb2b2e 100644
--- a/testdata/project-v4/config/rbac/auth_proxy_role.yaml
+++ b/testdata/project-v4/config/rbac/metrics_role.yaml
@@ -4,7 +4,7 @@ metadata:
 labels:
 app.kubernetes.io/name: project-v4
 app.kubernetes.io/managed-by: kustomize
- name: proxy-role
+ name: metrics-role
 rules:
 - apiGroups:
 - authentication.k8s.io
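Review bot: The rewritten comment `# the metrics which protects your /metrics endpoint.` is inaccurate: a Service, a ClusterRole and a RoleBinding do not protect anything, and the component that used them, the kube-rbac-proxy sidecar, is deleted in this same commit. `metrics_role.yaml` (hunk `-4,7` below, and the same role in `dist/install.yaml` at `-528`) still carries rules under `authentication.k8s.io`, and `metrics_role_binding.yaml` binds it to the `controller-manager` ServiceAccount, so the manager keeps review-style API permissions that nothing in the scaffold now exercises; either drop the role and binding from the default resource list or document why they stay. `metrics_service.yaml` is a 100% rename of `auth_proxy_service.yaml`, so if it still targets the proxy's `https` port 8443 it now selects a port no container listens on, which is worth checking since the only remaining listener is the manager on 8080. Suggested wording: `# The following 4 resources expose /metrics through a Service and keep the RBAC formerly used by the kube-rbac-proxy sidecar; they do not themselves protect the endpoint. Comment them out if you do not front /metrics with an authenticating proxy.`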
diff --git a/testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4/config/rbac/metrics_role_binding.yaml
similarity index 86%
rename from testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml
rename to testdata/project-v4/config/rbac/metrics_role_binding.yaml
index e5bbe0214cd..a5d55acfa29 100644
--- a/testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml
+++ b/testdata/project-v4/config/rbac/metrics_role_binding.yaml
@@ -4,11 +4,11 @@ metadata:
 labels:
 app.kubernetes.io/name: project-v4
 app.kubernetes.io/managed-by: kustomize
- name: proxy-rolebinding
+ name: metrics-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: proxy-role
+ name: metrics-role
 subjects:
 - kind: ServiceAccount
 name: controller-manager
diff --git a/testdata/project-v4/config/rbac/auth_proxy_service.yaml b/testdata/project-v4/config/rbac/metrics_service.yaml
similarity index 100%
rename from testdata/project-v4/config/rbac/auth_proxy_service.yaml
rename to testdata/project-v4/config/rbac/metrics_service.yaml
diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml
index 4466171f902..5601a85da95 100644
--- a/testdata/project-v4/dist/install.yaml
+++ b/testdata/project-v4/dist/install.yaml
@@ -528,7 +528,7 @@ metadata:
 labels:
 app.kubernetes.io/managed-by: kustomize
 app.kubernetes.io/name: project-v4
- name: project-v4-proxy-role
+ name: project-v4-metrics-role
 rules:
 - apiGroups:
 - authentication.k8s.io
@@ -582,11 +582,11 @@ metadata:
 labels:
 app.kubernetes.io/managed-by: kustomize
 app.kubernetes.io/name: project-v4
- name: project-v4-proxy-rolebinding
+ name: project-v4-metrics-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: project-v4-proxy-role
+ name: project-v4-metrics-role
 subjects:
 - kind: ServiceAccount
 name: project-v4-controller-manager
@@ -649,8 +649,6 @@ spec:
 spec:
 containers:
 - args:
- - --health-probe-bind-address=:8081
- - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
 command:
 - /manager
@@ -688,29 +686,6 @@ spec:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
 readOnly: true
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=0
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- protocol: TCP
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
 securityContext:
 runAsNonRoot: true
 serviceAccountName: project-v4-controller-manager