Add RBAC proxy to metrics #424

saschagrunert · 2021-04-28T12:06:30Z

What type of PR is this?

/kind feature

What this PR does / why we need it:

We now use the kube-rbac-proxy to provide two metrics endpoints. Those
get exposed through the metrics-spod and metrics-controller-runtime
services, serving an authorized self-signed TLS connection.

To be able to retrieve the metrics, it is now required to deploy a
ClusterRole and ClusterRoleBinding for a ServiceAccount. For
example:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spo-metrics-client
rules:
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spo-metrics-client
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spo-metrics-client
subjects:
- kind: ServiceAccount
  name: default
  namespace: security-profiles-operator

The above example is also part of the default deployment, and can be
tested via kubectl run within the security-profiles-operator
namespace by running:

> kubectl run --rm -it pod --image=alpine -- sh -c \
    'apk update && apk add bash curl &&
     curl -vsk -H "Authorization: Bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`"
     https://metrics-spod/metrics'
…
*   Trying 10.0.0.222:443...
* Connected to metrics-spod (10.0.0.222) port 443 (#0)
…
> authorization: Bearer xxx
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/plain; version=0.0.4; charset=utf-8
< date: Wed, 28 Apr 2021 12:00:46 GMT
…
security_profiles_operator_seccomp_profile{operation="update"} 1

Documentation and e2e testing will follow in further patches.

Which issue(s) this PR fixes:

Refers to #422

Does this PR have test?

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Deploying kube-rbac-proxy sidecar in SPOD for exposing metrics via the new `metrics-spod` and `metrics-controller-runtime` services.

k8s-ci-robot · 2021-04-28T12:06:37Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

JAORMX

the rbac-proxy isn't using TLS, is it?

internal/pkg/manager/spod/bindata/spod.go

saschagrunert · 2021-04-28T12:48:01Z

the rbac-proxy isn't using TLS, is it?

It is using a self-signed one right now and we also can provide an external one.

saschagrunert · 2021-04-28T14:02:44Z

/retest

We now use the kube-rbac-proxy to provide two metrics endpoints. Those get exposed through the `metrics-spod` and `metrics-controller-runtime` services, serving an authorized self-signed TLS connection. To be able to retrieve the metrics, it is now required to deploy a `ClusterRole` and `ClusterRoleBinding` for a `ServiceAccount`. For example: ```yaml --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: spo-metrics-client rules: - nonResourceURLs: - /metrics verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: spo-metrics-client roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: spo-metrics-client subjects: - kind: ServiceAccount name: default namespace: security-profiles-operator ``` The above example is also part of the default deployment, and can be tested via `kubectl run` within the `security-profiles-operator` namespace by running: ``` > kubectl run --rm -it pod --image=alpine -- sh -c \ 'apk update && apk add bash curl && curl -vsk -H "Authorization: Bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`" https://metrics-spod/metrics' … * Trying 10.0.0.222:443... * Connected to metrics-spod (10.0.0.222) port 443 (#0) … > authorization: Bearer xxx > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * Connection state changed (MAX_CONCURRENT_STREAMS == 250)! < HTTP/2 200 < content-type: text/plain; version=0.0.4; charset=utf-8 < date: Wed, 28 Apr 2021 12:00:46 GMT … security_profiles_operator_seccomp_profile{operation="update"} 1 ``` Documentation and e2e testing will follow in further patches. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

deploy/base/service.yaml

JAORMX

/lgtm

k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 28, 2021

k8s-ci-robot requested review from cmurphy and jhrozek April 28, 2021 12:06

k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 28, 2021

saschagrunert force-pushed the rbac-proxy branch from 005be98 to a760727 Compare April 28, 2021 12:39

JAORMX requested changes Apr 28, 2021

View reviewed changes

internal/pkg/manager/spod/bindata/spod.go Outdated Show resolved Hide resolved

k8s-ci-robot assigned JAORMX Apr 28, 2021

saschagrunert force-pushed the rbac-proxy branch 3 times, most recently from d3702b4 to f22692d Compare April 28, 2021 13:05

saschagrunert changed the title ~~Add RBAC proxy to metrics~~ WIP: Add RBAC proxy to metrics Apr 28, 2021

k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 28, 2021

saschagrunert force-pushed the rbac-proxy branch from 149bb94 to 6e718bb Compare April 28, 2021 14:18

saschagrunert changed the title ~~WIP: Add RBAC proxy to metrics~~ Add RBAC proxy to metrics Apr 28, 2021

k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 28, 2021

saschagrunert mentioned this pull request Apr 28, 2021

Introduce metrics for the operator #276

Closed

JAORMX requested changes Apr 29, 2021

View reviewed changes

deploy/base/service.yaml Show resolved Hide resolved

JAORMX reviewed Apr 29, 2021

View reviewed changes

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 29, 2021

k8s-ci-robot merged commit a157bda into kubernetes-sigs:master Apr 29, 2021

saschagrunert deleted the rbac-proxy branch April 29, 2021 10:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add RBAC proxy to metrics #424

Add RBAC proxy to metrics #424

saschagrunert commented Apr 28, 2021

k8s-ci-robot commented Apr 28, 2021

JAORMX left a comment

saschagrunert commented Apr 28, 2021

saschagrunert commented Apr 28, 2021

JAORMX left a comment

Add RBAC proxy to metrics #424

Add RBAC proxy to metrics #424

Conversation

saschagrunert commented Apr 28, 2021

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Does this PR have test?

Special notes for your reviewer:

Does this PR introduce a user-facing change?

k8s-ci-robot commented Apr 28, 2021

JAORMX left a comment

Choose a reason for hiding this comment

saschagrunert commented Apr 28, 2021

saschagrunert commented Apr 28, 2021

JAORMX left a comment

Choose a reason for hiding this comment