Replace kube-rbac-proxy YAML configurations

Updates: - Remove kube-rbac-proxy sidecar - Remove kube-rbac-proxy cluster role and cluster role binding - Remove references to kube-rbac-proxy - Add auth cluster role and cluster role binding to enable authentication and authorization using controller-runtime ref: https://issues.redhat.com/browse/ACM-8346 Signed-off-by: Jason Zhang <jaszhang@redhat.com>
open-cluster-management-io · Jun 6, 2024 · 769a3f8 · 769a3f8
1 parent 428213d
commit 769a3f8
Show file tree

Hide file tree

Showing 12 changed files with 7 additions and 70 deletions.
diff --git a/Makefile b/Makefile
@@ -265,7 +265,6 @@ LOG_REDIRECT ?= &>build/_output/controller.log
 e2e-run-instrumented: e2e-build-instrumented
 	-KUBECONFIG=$(KIND_KUBECONFIG) kubectl create ns $(CONTROLLER_NAMESPACE)
 	CONFIG_POLICY_CONTROLLER_IMAGE="$(REGISTRY)/config-policy-controller:$(TAG)" \
-	  KUBE_RBAC_PROXY_IMAGE="registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.10" \
 	  GOVERNANCE_POLICY_FRAMEWORK_ADDON_IMAGE="$(REGISTRY)/governance-policy-framework-addon:$(TAG)" \
 	  ./build/_output/bin/$(IMG)-instrumented -test.v -test.run="^TestRunMain$$" -test.coverprofile=$(COVERAGE_E2E_OUT) \
 	  --kubeconfig="$(KIND_KUBECONFIG_SA)" $(LOG_REDIRECT) &

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -40,8 +40,6 @@ spec:
               fieldPath: metadata.name
         - name: CONFIG_POLICY_CONTROLLER_IMAGE
           value: quay.io/open-cluster-management/config-policy-controller:latest
-        - name: KUBE_RBAC_PROXY_IMAGE
-          value: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.10
         - name: GOVERNANCE_POLICY_FRAMEWORK_ADDON_IMAGE
           value: quay.io/open-cluster-management/governance-policy-framework-addon:latest
         name: manager

diff --git a/pkg/addon/configpolicy/agent_addon.go b/pkg/addon/configpolicy/agent_addon.go
@@ -69,7 +69,6 @@ func getValues(cluster *clusterv1.ManagedCluster,
 			ImagePullSecret: "open-cluster-management-image-pull-credentials",
 			ImageOverrides: map[string]string{
 				"config_policy_controller": os.Getenv("CONFIG_POLICY_CONTROLLER_IMAGE"),
-				"kube_rbac_proxy":          os.Getenv("KUBE_RBAC_PROXY_IMAGE"),
 			},
 			ProxyConfig: map[string]string{
 				"HTTP_PROXY":  "",

diff --git a/...chart/templates/kube_rbac_proxy_role.yaml → ...terchart/templates/auth_cluster_role.yaml b/...chart/templates/kube_rbac_proxy_role.yaml → ...terchart/templates/auth_cluster_role.yaml
@@ -6,7 +6,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: open-cluster-management:{{ include "controller.fullname" . }}-kube-rbac-proxy
+  name: open-cluster-management:{{ include "controller.fullname" . }}-auth
   labels:
       app: {{ include "controller.fullname" . }}
       chart: {{ include "controller.chart" . }}

diff --git a/...mplates/kube_rbac_proxy_role_binding.yaml → .../templates/auth_cluster_role_binding.yaml b/...mplates/kube_rbac_proxy_role_binding.yaml → .../templates/auth_cluster_role_binding.yaml
@@ -6,7 +6,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: ocm-{{ .Release.Namespace }}:{{ include "controller.fullname" . }}-kube-rbac-proxy
+  name: ocm-{{ .Release.Namespace }}:{{ include "controller.fullname" . }}-auth
   labels:
       app: {{ include "controller.fullname" . }}
       chart: {{ include "controller.chart" . }}
@@ -16,7 +16,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: open-cluster-management:{{ include "controller.fullname" . }}-kube-rbac-proxy
+  name: open-cluster-management:{{ include "controller.fullname" . }}-auth
 subjects:
 - kind: ServiceAccount
   name: {{ include "controller.serviceAccountName" . }}

diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/deployment.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/deployment.yaml
@@ -33,34 +33,6 @@ spec:
         heritage: {{ .Release.Service }}
     spec:
       containers:
-      {{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
-      - name: kube-rbac-proxy
-        image: "{{ .Values.global.imageOverrides.kube_rbac_proxy  }}"
-        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
-        args:
-        - --upstream=http://127.0.0.1:8383/
-        - --logtostderr=true
-        - --v=6
-        - --secure-listen-address=0.0.0.0:8443
-        - "--tls-cert-file=/var/run/metrics-cert/tls.crt"
-        - "--tls-private-key-file=/var/run/metrics-cert/tls.key"
-        - "--tls-min-version=VersionTLS12"
-        ports:
-        - name: metrics
-          protocol: TCP
-          containerPort: 8443
-        volumeMounts:
-        - mountPath: "/var/run/metrics-cert"
-          name: metrics-cert
-          readOnly: true
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-      {{- end }}
       - name: {{ .Chart.Name }}
         image: "{{ .Values.global.imageOverrides.config_policy_controller }}"
         imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/values.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/values.yaml
@@ -56,7 +56,6 @@ global:
   imagePullSecret: open-cluster-management-image-pull-credentials
   imageOverrides: 
     config_policy_controller: quay.io/open-cluster-management/config-policy-controller:latest
-    kube_rbac_proxy: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.10
   nodeSelector: {}
   proxyConfig:
     HTTP_PROXY: null

diff --git a/pkg/addon/policyframework/agent_addon.go b/pkg/addon/policyframework/agent_addon.go
@@ -79,7 +79,6 @@ func getValues(cluster *clusterv1.ManagedCluster,
 			ImagePullSecret: "open-cluster-management-image-pull-credentials",
 			ImageOverrides: map[string]string{
 				"governance_policy_framework_addon": os.Getenv("GOVERNANCE_POLICY_FRAMEWORK_ADDON_IMAGE"),
-				"kube_rbac_proxy":                   os.Getenv("KUBE_RBAC_PROXY_IMAGE"),
 			},
 			ProxyConfig: map[string]string{
 				"HTTP_PROXY":  "",

diff --git a/...mplates/kube_rbac_proxy_role_binding.yaml → ...t/templates/auth_cluste_role_binding.yaml b/...mplates/kube_rbac_proxy_role_binding.yaml → ...t/templates/auth_cluste_role_binding.yaml
@@ -5,9 +5,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   {{- if eq .Values.installMode "Hosted" }}
-  name: ocm-{{ .Release.Namespace }}:{{ include "controller.fullname" . }}-kube-rbac-proxy
+  name: ocm-{{ .Release.Namespace }}:{{ include "controller.fullname" . }}-auth
   {{- else }}
-  name: open-cluster-management:{{ include "controller.fullname" . }}-kube-rbac-proxy
+  name: open-cluster-management:{{ include "controller.fullname" . }}-auth
   {{- end }}
   labels:
       app: {{ include "controller.fullname" . }}
@@ -18,7 +18,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: open-cluster-management:{{ include "controller.fullname" . }}-kube-rbac-proxy
+  name: open-cluster-management:{{ include "controller.fullname" . }}-auth
 subjects:
 - kind: ServiceAccount
   name: {{ include "controller.serviceAccountName" . }}

diff --git a/...chart/templates/kube_rbac_proxy_role.yaml → ...terchart/templates/auth_cluster_role.yaml b/...chart/templates/kube_rbac_proxy_role.yaml → ...terchart/templates/auth_cluster_role.yaml
@@ -4,7 +4,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: open-cluster-management:{{ include "controller.fullname" . }}-kube-rbac-proxy
+  name: open-cluster-management:{{ include "controller.fullname" . }}-auth
   labels:
       app: {{ include "controller.fullname" . }}
       chart: {{ include "controller.chart" . }}

diff --git a/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml b/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml
@@ -33,34 +33,6 @@ spec:
         heritage: {{ .Release.Service }}
     spec:
       containers:
-      {{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
-      - name: kube-rbac-proxy
-        image: "{{ .Values.global.imageOverrides.kube_rbac_proxy  }}"
-        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
-        args:
-        - --upstream=http://127.0.0.1:8383/
-        - --logtostderr=true
-        - --v=6
-        - --secure-listen-address=0.0.0.0:8443
-        - "--tls-cert-file=/var/run/metrics-cert/tls.crt"
-        - "--tls-private-key-file=/var/run/metrics-cert/tls.key"
-        - "--tls-min-version=VersionTLS12"
-        ports:
-        - name: metrics
-          protocol: TCP
-          containerPort: 8443
-        volumeMounts:
-        - mountPath: "/var/run/metrics-cert"
-          name: metrics-cert
-          readOnly: true
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-      {{- end }}
       - name: governance-policy-framework-addon
         image: "{{ .Values.global.imageOverrides.governance_policy_framework_addon }}"
         imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

diff --git a/pkg/addon/policyframework/manifests/managedclusterchart/values.yaml b/pkg/addon/policyframework/manifests/managedclusterchart/values.yaml
@@ -56,7 +56,6 @@ global:
   imagePullSecret: open-cluster-management-image-pull-credentials
   imageOverrides: 
     governance_policy_framework_addon: quay.io/open-cluster-management/governance-policy-framework-addon:latest
-    kube_rbac_proxy: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.10
   nodeSelector: {}
   proxyConfig:
     HTTP_PROXY: null