Add RBAC proxy to metrics #424
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: saschagrunert
the rbac-proxy isn't using TLS, is it?
It is using a self-signed one right now and we also can provide an external one.
/retest
We now use the kube-rbac-proxy to provide two metrics endpoints. Those get exposed through the `metrics-spod` and `metrics-controller-runtime` services, serving an authorized self-signed TLS connection.

To be able to retrieve the metrics, it is now required to deploy a `ClusterRole` and `ClusterRoleBinding` for a `ServiceAccount`. For example:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spo-metrics-client
rules:
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spo-metrics-client
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spo-metrics-client
subjects:
  - kind: ServiceAccount
    name: default
    namespace: security-profiles-operator
```

The above example is also part of the default deployment, and can be tested via `kubectl run` within the `security-profiles-operator` namespace by running:

```
> kubectl run --rm -it pod --image=alpine -- sh -c \
    'apk update && apk add bash curl && curl -vsk -H "Authorization: Bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`" https://metrics-spod/metrics'
…
* Trying 10.0.0.222:443...
* Connected to metrics-spod (10.0.0.222) port 443 (#0)
…
> authorization: Bearer xxx
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/plain; version=0.0.4; charset=utf-8
< date: Wed, 28 Apr 2021 12:00:46 GMT
…
security_profiles_operator_seccomp_profile{operation="update"} 1
```

Documentation and e2e testing will follow in further patches.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
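To make the authorization step behind that curl concrete, here is an added example (not code from this PR, kube-rbac-proxy or the operator): an offline model of the RBAC decision the API server returns for a `GET /metrics` SubjectAccessReview, with the role and binding constructed to mirror the `spo-metrics-client` objects above. It assumes the standard ServiceAccount username and group mapping and the trailing-`*` wildcard semantics of `nonResourceURLs`.

```python
# Added example, not kube-rbac-proxy or operator code: an offline model of the
# RBAC answer the API server gives kube-rbac-proxy's SubjectAccessReview for
# "GET /metrics". Role and binding mirror the spo-metrics-client objects above.

# Constructed ClusterRole rules: nonResourceURLs grant URL paths, not resources.
CLUSTER_ROLES = {
    "spo-metrics-client": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}],
}
# Constructed ClusterRoleBindings: subjects are (kind, name, namespace) tuples.
BINDINGS = [
    {"roleRef": "spo-metrics-client",
     "subjects": [("ServiceAccount", "default", "security-profiles-operator")]},
]

def sa_identity(name, namespace):
    """Username and groups the API server derives from a ServiceAccount token."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}",
              "system:authenticated"}
    return user, groups

def subject_matches(subject, user, groups):
    kind, name, namespace = subject
    if kind == "ServiceAccount":
        return user == f"system:serviceaccount:{namespace}:{name}"
    return kind == "Group" and name in groups

def url_matches(pattern, path):
    """nonResourceURLs accept only a trailing '*' wildcard (e.g. '/metrics/*')."""
    return path.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == path

def can_access(user, groups, verb, path):
    """True if some binding for this caller reaches a rule granting verb on path."""
    for binding in BINDINGS:
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        # A roleRef to a missing ClusterRole grants nothing.
        for rule in CLUSTER_ROLES.get(binding["roleRef"], []):
            verb_ok = verb in rule["verbs"] or "*" in rule["verbs"]
            if verb_ok and any(url_matches(p, path) for p in rule["nonResourceURLs"]):
                return True
    return False

def scrape_allowed(sa_name, sa_namespace):
    """The decision behind the curl above: GET /metrics with that account's token."""
    user, groups = sa_identity(sa_name, sa_namespace)
    return can_access(user, groups, "get", "/metrics")
```

Swapping the ServiceAccount subject for a Group such as `system:authenticated` makes `scrape_allowed` succeed for every authenticated caller, so the model is a cheap way to see how wide a binding reaches before it lands in a cluster.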
/lgtm
What type of PR is this?

/kind feature

What this PR does / why we need it:

We now use the kube-rbac-proxy to provide two metrics endpoints. Those get exposed through the `metrics-spod` and `metrics-controller-runtime` services, serving an authorized self-signed TLS connection.

To be able to retrieve the metrics, it is now required to deploy a `ClusterRole` and `ClusterRoleBinding` for a `ServiceAccount`. For example:

The above example is also part of the default deployment, and can be tested via `kubectl run` within the `security-profiles-operator` namespace by running:

Documentation and e2e testing will follow in further patches.

Which issue(s) this PR fixes:

Refers to #422

Does this PR have test?

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?