⚠️ replace the kube-rbac-proxy usage with NetworkPolicy

kubernetes-sigs · Apr 7, 2024 · 234d7bb · 234d7bb
1 parent 32e0fdc
commit 234d7bb
Show file tree

Hide file tree

Showing 111 changed files with 1,035 additions and 899 deletions.
diff --git a/.github/workflows/test-sample-go.yml b/.github/workflows/test-sample-go.yml
@@ -39,8 +39,8 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '27s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '42s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '46,143s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '45s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '49,145s/^#//' $KUSTOMIZATION_FILE_PATH
       
       - name: Test
         run: |

diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml
@@ -25,12 +25,15 @@ resources:
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose
+# the /metrics w/o any authn/z, please comment the following line.
+- ../policy
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# The /metrics endpoint is protected by the NetworkPolicy
+# If you want your controller-manager to not expose the /metrics
+# endpoint please comment the following line.
+- path: manager_metrics_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

diff --git a/...c/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/...c/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml
diff --git a/.../src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/.../src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,10 @@
+# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- policy.yaml
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/policy/policy.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/policy/policy.yaml
@@ -0,0 +1,27 @@
+# NetworkPolicy to protected metrics endpoint
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: project-v4-network-policy
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/created-by: project-v4
+    app.kubernetes.io/part-of: project-v4
+    app.kubernetes.io/managed-by: kustomize
+  name: manager-metrics-policy
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            role: metrics # Pod(s) which will collect the metrics must have this label
+      ports:
+        - protocol: TCP
+          port: 8080 # HTTP port for metrics
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml
@@ -15,11 +15,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
   selector:
     matchLabels:
       control-plane: controller-manager
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -10,15 +10,16 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# the metrics network policy
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+- metrics_client_cluster_role.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
 - projectconfig_editor_role.yaml
 - projectconfig_viewer_role.yaml
+
diff --git a/...g/rbac/auth_proxy_client_clusterrole.yaml → ...fig/rbac/metrics_client_cluster_role.yaml b/...g/rbac/auth_proxy_client_clusterrole.yaml → ...fig/rbac/metrics_client_cluster_role.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: project
     app.kubernetes.io/part-of: project
     app.kubernetes.io/managed-by: kustomize

diff --git a/.../project/config/rbac/auth_proxy_role.yaml → ...ata/project/config/rbac/metrics_role.yaml b/.../project/config/rbac/auth_proxy_role.yaml → ...ata/project/config/rbac/metrics_role.yaml
@@ -3,12 +3,12 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/instance: metrics-role
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: project
     app.kubernetes.io/part-of: project
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-role
+  name: metrics-role
 rules:
 - apiGroups:
   - authentication.k8s.io

diff --git a/.../config/rbac/auth_proxy_role_binding.yaml → ...ect/config/rbac/metrics_role_binding.yaml b/.../config/rbac/auth_proxy_role_binding.yaml → ...ect/config/rbac/metrics_role_binding.yaml
@@ -3,16 +3,16 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/instance: metrics-rolebinding
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: project
     app.kubernetes.io/part-of: project
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-rolebinding
+  name: metrics-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager

diff --git a/...oject/config/rbac/auth_proxy_service.yaml → .../project/config/rbac/metrics_service.yaml b/...oject/config/rbac/auth_proxy_service.yaml → .../project/config/rbac/metrics_service.yaml
@@ -5,17 +5,17 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: service
     app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: project
     app.kubernetes.io/part-of: project
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: http
+    port: 8080
     protocol: TCP
-    targetPort: https
+    targetPort: 8080
   selector:
     control-plane: controller-manager
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml
@@ -25,12 +25,15 @@ resources:
 - ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus
+# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose
+# the /metrics w/o any authn/z, please comment the following line.
+- ../policy
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# The /metrics endpoint is protected by the NetworkPolicy
+# If you want your controller-manager to not expose the /metrics
+# endpoint please comment the following line.
+- path: manager_metrics_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,15 @@
+# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=0.0.0.0:8080"
+        - "--leader-elect"
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/policy/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/policy/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- policy.yaml
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/policy/policy.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/policy/policy.yaml
@@ -0,0 +1,27 @@
+# NetworkPolicy to protected metrics endpoint
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: project-v4-network-policy
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/created-by: project-v4
+    app.kubernetes.io/part-of: project-v4
+    app.kubernetes.io/managed-by: kustomize
+  name: manager-metrics-policy
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            role: metrics # Pod(s) which will collect the metrics must have this label
+      ports:
+        - protocol: TCP
+          port: 8080 # HTTP port for metrics
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml
@@ -15,11 +15,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
   selector:
     matchLabels:
       control-plane: controller-manager
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -10,15 +10,16 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# the metrics network policy
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+- metrics_client_cluster_role.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
 - cronjob_editor_role.yaml
 - cronjob_viewer_role.yaml
+
diff --git a/...g/rbac/auth_proxy_client_clusterrole.yaml → ...fig/rbac/metrics_client_cluster_role.yaml b/...g/rbac/auth_proxy_client_clusterrole.yaml → ...fig/rbac/metrics_client_cluster_role.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: project
     app.kubernetes.io/part-of: project
     app.kubernetes.io/managed-by: kustomize

diff --git a/.../project/config/rbac/auth_proxy_role.yaml → ...ata/project/config/rbac/metrics_role.yaml b/.../project/config/rbac/auth_proxy_role.yaml → ...ata/project/config/rbac/metrics_role.yaml
@@ -3,12 +3,12 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/instance: metrics-role
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: project
     app.kubernetes.io/part-of: project
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-role
+  name: metrics-role
 rules:
 - apiGroups:
   - authentication.k8s.io