Remove dependency for kube-rbac-proxy and add secure-metrics feature #3833
Conversation
super-harsh
requested review from
davefellows,
theunrepentantgeek,
matthchr and
babbageclunk
as code owners
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3833 +/- ##
==========================================
- Coverage 53.42% 53.40% -0.03%
==========================================
Files 1521 1521
Lines 546189 546189
==========================================
- Hits 291781 291665 -116
- Misses 209457 209573 +116
Partials 44951 44951 ☔ View full report in Codecov by Sentry. |
| @@ -7,7 +7,7 @@ The metrics exposed fall into two groups: Azure based metrics, and reconciler me | |||
|
|
|||
| ## Toggling the metrics | |||
|
|
|||
| By default, metrics for ASOv2 are turned on and can be toggled by the following options: | |||
| By default, secure metrics for ASOv2 are turned on and can be toggled by the following options: | |||
There was a problem hiding this comment.
Are they really turned on, given the option below says default: false ?
docs/hugo/content/guide/metrics.md
Outdated
|
|
||
| - Use the settings below in your deployment: | ||
|
|
||
| - #### ASOv2 Helm Chart |
There was a problem hiding this comment.
I don't think this bullet point needs to be a heading - and if it were a heading, it would be 3rd level, not 4th.
Suggest changing to plain text.
scripts/v2/generate-helm-manifest.sh
Outdated
| #grep -E $KUBE_RBAC_PROXY "$GEN_FILES_DIR"/*_deployment_* > /dev/null # Ensure that what we're about to try to replace actually exists (if it doesn't we want to fail) | ||
| #sed -i "s@$KUBE_RBAC_PROXY.*@{{.Values.image.kubeRBACProxy}}@g" "$GEN_FILES_DIR"/*_deployment_* |
There was a problem hiding this comment.
Commented out - either restore or delete.
| @@ -92,6 +92,9 @@ image: | |||
| # 'address' field defines the metrics binding address on which metrics | |||
| metrics: | |||
| enable: true | |||
| # secureMetrics controls whether metrics should be served via 'http' or 'https'. | |||
| # Flagging secureMetrics as true would use https | |||
| secureMetrics: false | |||
There was a problem hiding this comment.
The comment in this yaml file reinforces my earlier question about whether secure metrics are turned on by default.
v2/cmd/controller/app/setup.go
Outdated
| SecureServing: true, | ||
| FilterProvider: filters.WithAuthenticationAndAuthorization, | ||
| // Note that pprof endpoints are meant to be sensitive and shouldn't be exposed publicly. | ||
| ExtraHandlers: map[string]http.Handler{ |
There was a problem hiding this comment.
We probably should have a specific cmdline flag that enables this and it should default to off.
This is what apiserver does via the --profiling argument, though it defaults it to true.
I'd argue we should have both metrics.secure and metrics.profiling flags in Helm, and two cmdline args in ASO to control these two bits.
Secure metrics shouldn't (IMO) require that you expose pprof.
v2/cmd/controller/app/setup.go
Outdated
| func getMetricsOpts(flags Flags) server.Options { | ||
| var metricsOptions server.Options | ||
|
|
||
| if !flags.SecureMetrics { |
There was a problem hiding this comment.
This code doesn't seem right, because it doesn't return here, it falls through and then overwrites the metricsOptions below?
I think you want something like:
var metricsOptions
if secure {
// secure
} else {
// insecure
}
if profiling {
// profiling
}
return
There was a problem hiding this comment.
Or if you want to only enable profiling if secure, put that bit into the secure bit, and/or (maybe better) add a check that secure is not off with profiling on and if so return an error and crash the pod.
There was a problem hiding this comment.
Ah good catch. I missed return there. I'll update
| # Flagging secure as 'true' would use https | ||
| # Refer to https://azure.github.io/azure-service-operator/guide/metrics/ for more information | ||
| secure: true | ||
| # profiling endpoints are only enabled when serving metrics securely |
There was a problem hiding this comment.
minor: Say what profiling is (it enables /pprof endpoints), in addition to its restrictions. Though, see below about this restriction because I am not sure it is needed?
v2/cmd/controller/app/flags.go
Outdated
| @@ -54,6 +60,9 @@ func ParseFlags(args []string) (Flags, error) { | |||
|
|
|||
| // default here for 'MetricsAddr' is set to "0", which sets metrics to be disabled if 'metrics-addr' flag is omitted. | |||
| flagSet.StringVar(&metricsAddr, "metrics-addr", "0", "The address the metric endpoint binds to.") | |||
| flagSet.BoolVar(&secureMetrics, "secure-metrics", true, "Enable secure metrics. This secures the pprof and metrics endpoints via Kubernetes RBAC and HTTPS") | |||
| flagSet.BoolVar(&profilingMetrics, "profiling-metrics", true, "Enable pprof metrics, only enabled in conjunction with secure-metrics. This will enable serving pprof metrics endpoints") | |||
There was a problem hiding this comment.
Default should probably be false
docs/hugo/content/guide/metrics.md
Outdated
|
|
||
| Follow the steps below to scrape metrics securely. | ||
|
|
||
| ### ASOv2 Helm Chart |
There was a problem hiding this comment.
very minor: Could use one of the table-selector thingies here, like we do for Windows versus Linux in the installation instructions?
Closes #3741
What this PR does / why we need it:
This PR removes dependency for
kube-rbac-proxyfor securely serving metrics.Instead, we have a
secure-metricsfeature flag in ASO using which users can toggle to enable metrics via HTTPs.Bonus: Have added
pprofhandlers as well.If applicable: