sujeet01 commented Feb 3, 2025

Overview

This PR removes the soon-to-be deprecated kube-rbac-proxy dependency and replaces it with Controller-Runtime's built-in authentication and authorization for securing the metrics endpoint. This simplifies setup, enhances security, and follows the latest Kubebuilder best practices.

Key Changes

  • Removed kube-rbac-proxy dependency.
  • Enabled Controller-Runtime's built-in authentication & authorization for metrics.
  • Enhanced cert-manager integration to secure metrics with TLS encryption.

Fixes #1203

Ref:
kubernetes-sigs/kubebuilder#3907
kubernetes-sigs/controller-runtime#2407
kubernetes-sigs/kubebuilder#4400
kubernetes-sigs/kubebuilder#4558
kubernetes-sigs/kubebuilder/docs/reference/metrics (v4.5.0)

sujeet01 self-assigned this Feb 3, 2025
github-actions bot added the size/L and enhancement (New feature or request) labels Feb 3, 2025
lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch from 8ee3622 to cbe1faa, February 3, 2025 07:52
lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch from cbe1faa to 2e4d763, February 4, 2025 21:43
github-actions bot added size/XL and removed size/L labels Feb 4, 2025
lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch 4 times, most recently from aece9f2 to 3e5c218, February 7, 2025 08:09
sujeet01 marked this pull request as ready for review February 7, 2025 08:15
sujeet01 requested a review from a team as a code owner February 7, 2025 08:15
lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch 3 times, most recently from 5c3d7cf to 752cb0a, February 17, 2025 09:10
lukas016 force-pushed the osc/enh/replace-kube-rbac-proxy branch from 752cb0a to 2b5375c, February 19, 2025 08:26
@afritzler afritzler left a comment

Some minor cleanup leftovers. We should use this PR to remove all webhook-related configuration (even if commented out) to keep the kustomizations clean.

sujeet01 commented Mar 7, 2025

> Some minor cleanup leftovers. We should use this PR to remove all webhook-related configuration (even if commented out) to keep the kustomizations clean.

As discussed offline, can we remove all webhook components in a separate PR? This PR is mainly focused on replacing kube-rbac-proxy and already has many changes.

afritzler merged commit 4b72602 into ironcore-dev:main Mar 25, 2025
9 checks passed
balpert89 pushed a commit that referenced this pull request Apr 23, 2025
…'s native authn/authz for metrics (#1226)

* Remove dependency on `kube-rbac-proxy` by adopting controller-runtime's native authn/authz for metrics

* Enhance `cert-manager` integration for metrics endpoints
hardikdr added the area/iaas label (Issues related to IronCore IaaS development.) Jun 26, 2025
hardikdr added this to Roadmap Jun 26, 2025
Development

Successfully merging this pull request may close these issues.

Drop the usage of kube-rbac-proxy