RFC: The kube-rbac-proxy is too opinionated to be opt-out. #3482

Closed
hsyed-dojo opened this issue Jun 30, 2023 · 7 comments · Fixed by #3899
Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/blocked
Milestone

Comments

@hsyed-dojo

hsyed-dojo commented Jun 30, 2023

What do you want to happen?

The kube-rbac-proxy is too opinionated to be an opt-out component.

Issues:

  • This solution doesn't fit into a generalised strategy of how metrics scraping might be done cluster-wide; this tends to be either leaving the endpoint unsecured or relying on a mesh. It will in most cases end up introducing a new scraping strategy.
  • This approach assumes the average user is OK with an additional sidecar and that they wouldn't have other ways of mitigating the risks of leaving this endpoint unsecured.
  • The approach results in an operator install process that is not self-contained and we need to give the prom scraper SA additional privileges.

I’d like to advocate to make this opt-in and that the additional manifests are only generated if a CI flag is provided during the init.

Extra Labels

No response

@hsyed-dojo hsyed-dojo added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 30, 2023
@camilamacedo86
Member

Hi @hsyed-dojo,

That is a very interesting RFE.

Regarding making it optional (opt-in), I think we would need to have a plugin, such as we have for grafana/v1alpha1 and deployImage/v1alpha1, instead of using flags. More info: https://book.kubebuilder.io/plugins/plugins.html

However, note that we have an issue to replace the kube-rbac-proxy, see: #1885. Would the approach described in that issue sort out your concerns?

@hsyed-dojo
Author

Hi @camilamacedo86, TIL: RFE (Request for Enhancement) 🙏 + NetworkPolicy.

Closing ticket, a NetworkPolicy based approach gets my vote, even opt-in 👍.

@camilamacedo86
Member

Reopening this one since it is something that must be discussed.

@camilamacedo86 camilamacedo86 added this to the priority milestone Nov 14, 2023
@camilamacedo86 camilamacedo86 added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. and removed help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Nov 14, 2023
@camilamacedo86
Member

Next Steps:

The progress on this issue appears to be blocked by the discussion at this GitHub comment.

Once the assessment mentioned above is completed, we will be in a better position to decide between the following options:

a) Replacement of kube-rbac-proxy with NetworkPolicy:
Depending on the assessment's findings, we may choose to replace kube-rbac-proxy with NetworkPolicy if it aligns with project goals and requirements.

AND/OR

b) Create a Plugin for Opt-In/Opt-Out Usage of rbac-proxy:
Alternatively, we can consider creating a plugin that allows users to opt-in or opt-out of using rbac-proxy. It's worth noting that in the long term, we might decide to donate the plugin to the respective project instead of maintaining it here. This option offers flexibility and user choice.

OR
c) Keep the kube-rbac-proxy in the default scaffold and also make the usage of cert-manager mandatory by default.

We will proceed based on the assessment's results, taking into consideration the best approach for the project's needs.

Thank you for all your understanding.
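As an added illustration of option (a), not taken from this thread or from the kubebuilder project: a NetworkPolicy that lets only the Prometheus scraper reach the manager's metrics port once kube-rbac-proxy is removed. It assumes the scaffold's `control-plane: controller-manager` pod label, a metrics port of 8080, a scraper namespace named `monitoring` and a scraper pod label `app.kubernetes.io/name: prometheus`; adjust these to the cluster.

```yaml
# Added example (not from the thread or kubebuilder): restrict ingress to the
# operator's metrics port to the Prometheus scraper only, in place of kube-rbac-proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: controller-manager-metrics
  namespace: my-operator-system          # assumed: the scaffolded <project>-system namespace
spec:
  podSelector:
    matchLabels:
      control-plane: controller-manager  # pod label used by the kubebuilder scaffold
  policyTypes:
    - Ingress                            # any ingress not listed below is denied for these pods
  ingress:
    - from:
        # namespaceSelector and podSelector in one entry are ANDed:
        # only prometheus pods in the monitoring namespace match.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # assumed scraper namespace
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus        # assumed scraper pod label
      ports:
        - protocol: TCP
          port: 8080                     # assumed: manager --metrics-bind-address port without the proxy
    # If the manager also serves admission webhooks, add a rule for that port
    # (9443 in the scaffold), otherwise the API server's webhook calls are blocked too.
```

The policy is only enforced when the cluster's CNI implements NetworkPolicy; on one that does not, the object is accepted but has no effect, which is worth verifying before relying on it instead of the proxy.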

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 12, 2024
@camilamacedo86
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 12, 2024
@camilamacedo86
Member

Hi @hsyed-dojo

> I’d like to advocate to make this opt-in and that the additional manifests are only generated if a CI flag is provided during the init.

I need to let you know that you can opt out by commenting out the following line in config/default/kustomization.yaml:

```yaml
patches:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- path: manager_auth_proxy_patch.yaml
```
