⚠️ replace the kube-rbac-proxy config with NetworkPolicy

.github/workflows/test-sample-go.yml

@@ -25,8 +25,10 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '27s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '42s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '46,143s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '33s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '38s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '47s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '51,147s/^#//' $KUSTOMIZATION_FILE_PATH
       
       - name: Test
         run: |

docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml

@@ -25,12 +25,17 @@ resources:
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+# [NETWORK POLICY FOR METRICS] Protect the /metrics endpoint with NetworkPolicy. If you want your controller-manager to
+# expose the /metrics, it is recommended uncomment the following line. Therefore, only Pod(s) with the label
+# 'allow-metrics' which are running in a namespace which also has the same label will be able to gather the metrics. 
+# Be aware that NetworkPolicy alone does not ensure fully protection. Please, ensure that you check the Metrics 
+# documentation: https://kubebuilder.io/reference/metrics
+#- ../policy
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
+#- path: manager_metrics_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -0,0 +1,15 @@
+# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=0.0.0.0:8080"
+        - "--leader-elect"

docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- policy.yaml

docs/book/src/component-config-tutorial/testdata/project/config/policy/policy.yaml

@@ -0,0 +1,28 @@
+# NetworkPolicy to protect metrics endpoint
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: project
+    app.kubernetes.io/managed-by: kustomize
+  name: manager-metrics-policy
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      allow: export-metrics
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            # Pods which will collect the metrics must have this label
+            role: allow-metrics
+      - namespaceSelector:
+          matchLabels:
+            # Only allow namespaces labeled with 'role: allow-metrics' to access metrics
+            role: allow-metrics 
+      ports:
+        - protocol: TCP
+          port: 8080 # HTTP port for metrics

docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml

@@ -11,11 +11,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
   selector:
     matchLabels:
       control-plane: controller-manager

docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -10,15 +10,16 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# the metrics
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+- metrics_client_cluster_role.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
 - projectconfig_editor_role.yaml
 - projectconfig_viewer_role.yaml
+

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml → docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml

@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-role
+  name: metrics-role
 rules:
 - apiGroups:
   - authentication.k8s.io

docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml → docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml

@@ -4,11 +4,11 @@ metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-rolebinding
+  name: metrics-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager

docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml → docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml

@@ -9,9 +9,9 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: http
+    port: 8080
     protocol: TCP
-    targetPort: https
+    targetPort: 8080
   selector:
     control-plane: controller-manager

docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml

@@ -25,12 +25,17 @@ resources:
 - ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus
+# [NETWORK POLICY FOR METRICS] Protect the /metrics endpoint with NetworkPolicy. If you want your controller-manager to
+# expose the /metrics, it is recommended uncomment the following line. Therefore, only Pod(s) with the label
+# 'allow-metrics' which are running in a namespace which also has the same label will be able to gather the metrics. 
+# Be aware that NetworkPolicy alone does not ensure fully protection. Please, ensure that you check the Metrics 
+# documentation: https://kubebuilder.io/reference/metrics
+- ../policy
 
 patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.
+# If you want to expose the metric endpoint of your controller-manager uncomment the following line.
+#- path: manager_metrics_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml

@@ -0,0 +1,15 @@
+# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=0.0.0.0:8080"
+        - "--leader-elect"

docs/book/src/cronjob-tutorial/testdata/project/config/policy/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- policy.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/policy/policy.yaml

@@ -0,0 +1,28 @@
+# NetworkPolicy to protect metrics endpoint
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: project
+    app.kubernetes.io/managed-by: kustomize
+  name: manager-metrics-policy
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      allow: export-metrics
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            # Pods which will collect the metrics must have this label
+            role: allow-metrics
+      - namespaceSelector:
+          matchLabels:
+            # Only allow namespaces labeled with 'role: allow-metrics' to access metrics
+            role: allow-metrics 
+      ports:
+        - protocol: TCP
+          port: 8080 # HTTP port for metrics

docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml

@@ -11,11 +11,8 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: https
-      scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
+      port: http # Ensure this is the name of the port that exposes HTTP metrics
+      scheme: http
   selector:
     matchLabels:
       control-plane: controller-manager

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -10,15 +10,16 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# the metrics
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+- metrics_client_cluster_role.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
 - cronjob_editor_role.yaml
 - cronjob_viewer_role.yaml
+

docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml → docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml

@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-role
+  name: metrics-role
 rules:
 - apiGroups:
   - authentication.k8s.io

docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml → docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml

@@ -4,11 +4,11 @@ metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-rolebinding
+  name: metrics-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml → docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml

@@ -9,9 +9,9 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: http
+    port: 8080
     protocol: TCP
-    targetPort: https
+    targetPort: 8080
   selector:
     control-plane: controller-manager