From e8770a50ea7cfbf14dfb416c0fd5770d7a2884b1 Mon Sep 17 00:00:00 2001 
From: Camila Macedo Date: Sun, 7 Apr 2024 12:03:54 +0100 Subject: [PATCH] Update the samples due the change: replace the kube-rbac-proxy usage with NetworkPolicy --- .../project/config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 34 --------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../project/config/policy/kustomization.yaml | 2 + .../project/config/policy/policy.yaml | 27 +++++++ .../project/config/prometheus/monitor.yaml | 7 +- .../project/config/rbac/kustomization.yaml | 11 +-- .../rbac/metrics_client_cluster_role.yaml} | 2 +- .../project/config/rbac/metrics_role.yaml} | 6 +- .../config/rbac/metrics_role_binding.yaml} | 8 +- ...roxy_service.yaml => metrics_service.yaml} | 8 +- .../project/config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 55 -------------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../project/config/policy/kustomization.yaml | 2 + .../project/config/policy/policy.yaml | 27 +++++++ .../project/config/prometheus/monitor.yaml | 7 +- .../project/config/rbac/kustomization.yaml | 11 +-- .../rbac/metrics_client_cluster_role.yaml} | 2 +- .../project/config/rbac/metrics_role.yaml} | 6 +- .../config/rbac/metrics_role_binding.yaml} | 8 +- .../project/config/rbac/metrics_service.yaml} | 8 +- .../project/config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 39 ---------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../project/config/policy/kustomization.yaml | 2 + .../project/config/policy/policy.yaml | 27 +++++++ .../project/config/prometheus/monitor.yaml | 7 +- .../project/config/rbac/kustomization.yaml | 11 +-- ....yaml => metrics_client_cluster_role.yaml} | 2 +- .../project/config/rbac/metrics_role.yaml} | 6 +- .../config/rbac/metrics_role_binding.yaml} | 8 +- .../project/config/rbac/metrics_service.yaml} | 8 +- .../config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 39 
---------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/policy/kustomization.yaml | 2 + .../config/policy/policy.yaml | 27 +++++++ .../config/prometheus/monitor.yaml | 7 +- .../config/rbac/kustomization.yaml | 11 +-- ....yaml => metrics_client_cluster_role.yaml} | 2 +- ...auth_proxy_role.yaml => metrics_role.yaml} | 6 +- ...binding.yaml => metrics_role_binding.yaml} | 8 +- ...roxy_service.yaml => metrics_service.yaml} | 8 +- .../dist/install.yaml | 76 ++++++++++--------- .../config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 39 ---------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/policy/kustomization.yaml | 2 + .../config/policy/policy.yaml | 27 +++++++ .../config/prometheus/monitor.yaml | 7 +- .../config/rbac/kustomization.yaml | 11 +-- ....yaml => metrics_client_cluster_role.yaml} | 2 +- ...auth_proxy_role.yaml => metrics_role.yaml} | 6 +- ...binding.yaml => metrics_role_binding.yaml} | 8 +- ...roxy_service.yaml => metrics_service.yaml} | 8 +- .../project-v4-multigroup/dist/install.yaml | 76 ++++++++++--------- .../config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 39 ---------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/policy/kustomization.yaml | 2 + .../config/policy/policy.yaml | 27 +++++++ .../config/prometheus/monitor.yaml | 7 +- .../config/rbac/kustomization.yaml | 11 +-- ....yaml => metrics_client_cluster_role.yaml} | 2 +- ...auth_proxy_role.yaml => metrics_role.yaml} | 6 +- ...binding.yaml => metrics_role_binding.yaml} | 8 +- ...roxy_service.yaml => metrics_service.yaml} | 8 +- .../dist/install.yaml | 76 ++++++++++--------- .../config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 39 ---------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/policy/kustomization.yaml | 2 + .../config/policy/policy.yaml | 27 +++++++ .../config/prometheus/monitor.yaml | 7 +- 
.../config/rbac/kustomization.yaml | 10 +-- ....yaml => metrics_client_cluster_role.yaml} | 2 +- ...auth_proxy_role.yaml => metrics_role.yaml} | 6 +- ...binding.yaml => metrics_role_binding.yaml} | 8 +- ...roxy_service.yaml => metrics_service.yaml} | 8 +- .../project-v4-with-grafana/dist/install.yaml | 76 ++++++++++--------- .../config/default/kustomization.yaml | 11 ++- .../default/manager_auth_proxy_patch.yaml | 39 ---------- .../config/default/manager_metrics_patch.yaml | 15 ++++ .../config/policy/kustomization.yaml | 2 + testdata/project-v4/config/policy/policy.yaml | 27 +++++++ .../project-v4/config/prometheus/monitor.yaml | 7 +- .../project-v4/config/rbac/kustomization.yaml | 11 +-- ....yaml => metrics_client_cluster_role.yaml} | 2 +- ...auth_proxy_role.yaml => metrics_role.yaml} | 6 +- ...binding.yaml => metrics_role_binding.yaml} | 8 +- ...roxy_service.yaml => metrics_service.yaml} | 8 +- testdata/project-v4/dist/install.yaml | 76 ++++++++++--------- 93 files changed, 762 insertions(+), 716 deletions(-) delete mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml create mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml create mode 100644 docs/book/src/component-config-tutorial/testdata/project/config/policy/policy.yaml rename docs/book/src/{cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml => component-config-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml} (88%) rename docs/book/src/{getting-started/testdata/project/config/rbac/auth_proxy_role.yaml => component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml} (79%) rename docs/book/src/{cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml => 
component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml} (73%) rename docs/book/src/component-config-tutorial/testdata/project/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (81%) delete mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml create mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/policy/kustomization.yaml create mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/policy/policy.yaml rename docs/book/src/{component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml => cronjob-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml} (88%) rename docs/book/src/{component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml => cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml} (79%) rename docs/book/src/{getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml => cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml} (73%) rename docs/book/src/{getting-started/testdata/project/config/rbac/auth_proxy_service.yaml => cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml} (81%) delete mode 100644 docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml create mode 100644 docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml create mode 100644 docs/book/src/getting-started/testdata/project/config/policy/kustomization.yaml create mode 100644 docs/book/src/getting-started/testdata/project/config/policy/policy.yaml rename docs/book/src/getting-started/testdata/project/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (88%) rename docs/book/src/{cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml => 
getting-started/testdata/project/config/rbac/metrics_role.yaml} (79%) rename docs/book/src/{component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml => getting-started/testdata/project/config/rbac/metrics_role_binding.yaml} (73%) rename docs/book/src/{cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml => getting-started/testdata/project/config/rbac/metrics_service.yaml} (81%) delete mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/policy/kustomization.yaml create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/policy/policy.yaml rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (89%) rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (81%) rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (76%) rename testdata/project-v4-multigroup-with-deploy-image/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (83%) delete mode 100644 testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml create mode 100644 testdata/project-v4-multigroup/config/policy/kustomization.yaml create mode 100644 testdata/project-v4-multigroup/config/policy/policy.yaml rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (89%) rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (80%) rename 
testdata/project-v4-multigroup/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (75%) rename testdata/project-v4-multigroup/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (82%) delete mode 100644 testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml create mode 100644 testdata/project-v4-with-deploy-image/config/policy/kustomization.yaml create mode 100644 testdata/project-v4-with-deploy-image/config/policy/policy.yaml rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (89%) rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (81%) rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (75%) rename testdata/project-v4-with-deploy-image/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (83%) delete mode 100644 testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml create mode 100644 testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml create mode 100644 testdata/project-v4-with-grafana/config/policy/kustomization.yaml create mode 100644 testdata/project-v4-with-grafana/config/policy/policy.yaml rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (89%) rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (80%) rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (75%) rename testdata/project-v4-with-grafana/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (82%) delete mode 100644 testdata/project-v4/config/default/manager_auth_proxy_patch.yaml create mode 100644 
testdata/project-v4/config/default/manager_metrics_patch.yaml create mode 100644 testdata/project-v4/config/policy/kustomization.yaml create mode 100644 testdata/project-v4/config/policy/policy.yaml rename testdata/project-v4/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_client_cluster_role.yaml} (88%) rename testdata/project-v4/config/rbac/{auth_proxy_role.yaml => metrics_role.yaml} (79%) rename testdata/project-v4/config/rbac/{auth_proxy_role_binding.yaml => metrics_role_binding.yaml} (74%) rename testdata/project-v4/config/rbac/{auth_proxy_service.yaml => metrics_service.yaml} (82%) diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml index e0e588792cf..75b39fb2553 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/default/kustomization.yaml @@ -25,12 +25,15 @@ resources: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose +# the /metrics w/o any authn/z, please comment the following line. +- ../policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# The /metrics endpoint is protected by the NetworkPolicy +# If you want to expose the metric endpoint of your controller-manager +# uncomment the following line. +#- path: manager_metrics_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type 
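Review bot: The new `[NETWORK POLICY]` comment says that commenting out `- ../policy` would expose /metrics "w/o any authn/z", but a NetworkPolicy provides neither authentication nor authorization — it only limits which pods can reach port 8080, and only on a CNI that enforces NetworkPolicy; with the kube-rbac-proxy patch deleted there is no authn/z left in either state. The comment above `#- path: manager_metrics_patch.yaml` is also at odds with the rest of the change: that patch is what binds metrics to `0.0.0.0:8080`, the address the metrics Service, the ServiceMonitor and the policy all target, yet it is commented out by default, so whether the default manifests serve metrics at all depends on the args in manager.yaml, which this patch does not show. Suggest `# [NETWORK POLICY] Restrict which pods can reach the /metrics port (needs a CNI that enforces NetworkPolicy); this is network isolation, not authn/z.` and either enabling the patch by default or stating in its comment which listen address manager.yaml already uses. The same hunk appears in docs/book/src/cronjob-tutorial/.../config/default/kustomization.yaml and in the remaining samples of this patch.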
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 74c49152afb..00000000000 --- a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/docs/book/src/component-config-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" 
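Review bot: `--metrics-bind-address=0.0.0.0:8080` serves plain-HTTP metrics on every interface of the pod, whereas the deleted cronjob-tutorial auth-proxy patch kept the manager on `127.0.0.1:8080` behind the sidecar; the header `# This patch adds the args to allow expose the metrics endpoint` should say that the only remaining access control is the NetworkPolicy in config/policy and that on a CNI that does not enforce NetworkPolicy the endpoint is reachable from the whole pod network. Note also that a strategic-merge patch on `args` replaces the container's list rather than merging it, so any flag present in manager.yaml but absent here is dropped silently — worth one more line in the same header, e.g. `# NOTE: this replaces the manager's whole args list; keep it in sync with manager.yaml`. Identical new files are added for the cronjob-tutorial, getting-started and testdata/project-v4* samples.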
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml new file mode 100644 index 00000000000..dc4571ccb16 --- /dev/null +++ b/docs/book/src/component-config-tutorial/testdata/project/config/policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- policy.yaml diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/policy/policy.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/policy/policy.yaml new file mode 100644 index 00000000000..33325d2a0e3 --- /dev/null +++ b/docs/book/src/component-config-tutorial/testdata/project/config/policy/policy.yaml @@ -0,0 +1,27 @@ +# NetworkPolicy to protected metrics endpoint +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/part-of: project-v4 + app.kubernetes.io/managed-by: kustomize + name: manager-metrics-policy + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: metrics # Pod(s) which will collect the metrics must have this label + ports: + - protocol: TCP + port: 8080 # HTTP port for metrics diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml index d67c6106f87..fdaef9a1c30 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/prometheus/monitor.yaml 
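Review bot: The ingress rule's `from` uses a bare `podSelector` with no `namespaceSelector`, so only pods labelled `role: metrics` in the manager's own `system` namespace may reach port 8080 — a Prometheus running in a separate monitoring namespace, the usual layout for the ServiceMonitor in config/prometheus, is denied. More important, once this policy selects the `control-plane: controller-manager` pod with `policyTypes: [Ingress]`, every other inbound connection is denied as well, including API-server calls to the webhook port when `../webhook`/`../certmanager` are enabled (as they are in the cronjob-tutorial sample); whether that traffic is actually blocked depends on the CNI and on where the API server runs, so either an explicit allow rule for the webhook port or a comment warning about it is needed. The labels also read `project-v4-network-policy`/`project-v4` in a sample whose other resources use `project`, and the header `# NetworkPolicy to protected metrics endpoint` should read `# NetworkPolicy that restricts ingress to the metrics endpoint`. The same file is added unchanged for the cronjob-tutorial and getting-started samples.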
@@ -15,11 +15,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml index 9f6506d4c5b..2f863bdfdf8 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml @@ -10,15 +10,16 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# the metrics network policy # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - projectconfig_editor_role.yaml - projectconfig_viewer_role.yaml + 
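Review bot: The endpoint now scrapes `scheme: http` with `bearerTokenFile` and `tlsConfig` removed, so the scrape is unauthenticated cleartext and the NetworkPolicy in config/policy is the only thing gating it; nothing here tells the reader that the scraping Prometheus pod must carry the label `role: metrics` (and, as that policy is written, sit in the manager's namespace), otherwise the ServiceMonitor silently yields no samples. Suggest extending the inline comment to `port: http # Service port serving HTTP metrics; the scraping pod must match the NetworkPolicy in config/policy (label role: metrics)`. The same hunk recurs in the cronjob-tutorial and getting-started monitor.yaml files.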
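Review bot: The rewritten comment `# Comment the following 4 lines if you want to disable the metrics network policy which protects your /metrics endpoint` is wrong for the lines beneath it: they are the metrics Service, ClusterRole, ClusterRoleBinding and client ClusterRole, while the NetworkPolicy lives in config/policy and is toggled from config/default/kustomization.yaml. Suggest `# Comment the following 4 lines if you do not want the metrics Service and the RBAC roles for reading /metrics; the NetworkPolicy itself is enabled in config/default/kustomization.yaml.` The hunk also appends a trailing blank line (`+`) at end of file, which looks unintentional. The cronjob-tutorial rbac/kustomization.yaml hunk carries the same comment.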
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml similarity index 88% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml index 500386b28f0..710646aa414 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml similarity index 79% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml index 85e39513cc1..fe6a2a6f2e0 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role.yaml 
@@ -3,12 +3,12 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-role + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml similarity index 73% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml index 8b5ff114fa1..714fbbc1aa6 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml @@ -3,16 +3,16 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-rolebinding + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager 
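Review bot: After renaming `proxy-role` to `metrics-role` the ClusterRole still carries the rules that kube-rbac-proxy needed — the hunk ends on `- apiGroups: - authentication.k8s.io` and the remaining rules are outside it — and the binding in the next hunk still grants them to the `controller-manager` ServiceAccount. With the proxy sidecar deleted, nothing shown in this patch performs the SubjectAccessReview (and presumably TokenReview) calls those rules exist for, so they are cluster-scoped privilege the manager no longer uses; either drop this role and its binding, or say above `rules:` what still needs them. The same pair of hunks recurs for the cronjob-tutorial, getting-started and testdata samples.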
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml similarity index 81% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml index f40b3d2c0bd..a172c8c0f2a 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml +++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/metrics_service.yaml @@ -5,7 +5,7 @@ metadata: control-plane: controller-manager app.kubernetes.io/name: service app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize @@ -13,9 +13,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index e445fec445d..5f6a19f6668 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml 
@@ -25,12 +25,15 @@ resources: - ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. - ../prometheus +# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose +# the /metrics w/o any authn/z, please comment the following line. +- ../policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# The /metrics endpoint is protected by the NetworkPolicy +# If you want to expose the metric endpoint of your controller-manager +# uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 1064aa49c80..00000000000 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" 
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/policy/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/policy/kustomization.yaml new file mode 100644 index 00000000000..dc4571ccb16 --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- policy.yaml diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/policy/policy.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/policy/policy.yaml new file mode 100644 index 00000000000..33325d2a0e3 --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/policy/policy.yaml @@ -0,0 +1,27 @@ +# NetworkPolicy to protected metrics endpoint +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/part-of: project-v4 + app.kubernetes.io/managed-by: kustomize + name: manager-metrics-policy + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: metrics # Pod(s) which will collect the metrics must have this label + ports: + - protocol: TCP + port: 8080 # HTTP port for metrics diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml index d67c6106f87..fdaef9a1c30 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor.yaml 
@@ -15,11 +15,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml index 8db606e9e72..6c042b4ff98 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml @@ -10,15 +10,16 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# the metrics network policy # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - cronjob_editor_role.yaml - cronjob_viewer_role.yaml + 
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml similarity index 88% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml index 500386b28f0..710646aa414 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_client_cluster_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml similarity index 79% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml index 85e39513cc1..fe6a2a6f2e0 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role.yaml 
@@ -3,12 +3,12 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-role + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml similarity index 73% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml index 8b5ff114fa1..714fbbc1aa6 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_role_binding.yaml @@ -3,16 +3,16 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-rolebinding + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager 
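Review bot: Renaming `proxy-role` to `metrics-role` keeps a ClusterRole whose rules begin with `authentication.k8s.io` (the rule list continues outside the hunk) bound to the `controller-manager` ServiceAccount, yet the only consumer of those permissions was the deleted kube-rbac-proxy sidecar, whose patch header at L23 describes it as performing SubjectAccessReviews against the API. If the manager binary does not itself call the authentication/authorization APIs, this role and binding are now unused privilege and should be dropped, or the reason for keeping them stated at the top of metrics_role.yaml, e.g. `# Only needed if the manager validates scraper tokens itself; remove otherwise.` The same renames appear at L26 and L32–L33.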
diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml similarity index 81% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml index f40b3d2c0bd..a172c8c0f2a 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_service.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/metrics_service.yaml @@ -5,7 +5,7 @@ metadata: control-plane: controller-manager app.kubernetes.io/name: service app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize @@ -13,9 +13,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index d851be9cae7..e1f1658df40 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml 
@@ -25,12 +25,15 @@ resources: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose +# the /metrics w/o any authn/z, please comment the following line. +- ../policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# The /metrics endpoint is protected by the NetworkPolicy +# If you want to expose the metric endpoint of your controller-manager +# uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/docs/book/src/getting-started/testdata/project/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
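Review bot: The new comments describe the NetworkPolicy as providing "authn/z" and present `manager_metrics_patch.yaml` as the switch that exposes metrics, but a NetworkPolicy only filters traffic by pod label and port — it authenticates and authorises nothing — and with the patch commented out `--metrics-bind-address` is no longer set anywhere in this overlay (the rendered Deployment at L35 ends up with only `--leader-elect`), so whether metrics listen on loopback or on all interfaces is decided by the binary's default rather than by this file. Reword to match: `# [NETWORK POLICY] Restrict which pods may reach the /metrics port (no authentication is performed).` / `# Comment the following line to remove the restriction.` and, for the patch, `# Uncomment to make the manager listen on 0.0.0.0:8080; otherwise the binary's default bind address applies.` The same text is scaffolded at L28 and L37.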
@@ -1,39 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=0"
- ports:
- - containerPort: 8443
- protocol: TCP
- name: https
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- - name: manager
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=127.0.0.1:8080"
- - "--leader-elect"
diff --git a/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml
new file mode 100644
index 00000000000..c23d8d9268f
--- /dev/null
+++ b/docs/book/src/getting-started/testdata/project/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,15 @@
+# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=0.0.0.0:8080"
+ - "--leader-elect"
diff --git a/docs/book/src/getting-started/testdata/project/config/policy/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/policy/kustomization.yaml
new file mode 100644
index 00000000000..dc4571ccb16
--- /dev/null
+++ b/docs/book/src/getting-started/testdata/project/config/policy/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- policy.yaml
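Review bot: `--metrics-bind-address=0.0.0.0:8080` makes the manager serve cleartext, unauthenticated metrics on every pod interface, where the deleted patch bound it to `127.0.0.1:8080` behind the proxy, and the one-line header ("allow expose") does not say so although it is the single fact an operator uncommenting this patch needs. Suggested header: `# Binds the metrics endpoint on 0.0.0.0:8080 (plain HTTP, no authentication).` / `# Only the NetworkPolicy in config/policy limits who can reach it; do not rely on` / `# this on clusters whose CNI does not enforce NetworkPolicy.` The same file is added at L29 and L38.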
diff --git a/docs/book/src/getting-started/testdata/project/config/policy/policy.yaml b/docs/book/src/getting-started/testdata/project/config/policy/policy.yaml new file mode 100644 index 00000000000..33325d2a0e3 --- /dev/null +++ b/docs/book/src/getting-started/testdata/project/config/policy/policy.yaml @@ -0,0 +1,27 @@ +# NetworkPolicy to protected metrics endpoint +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/part-of: project-v4 + app.kubernetes.io/managed-by: kustomize + name: manager-metrics-policy + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: metrics # Pod(s) which will collect the metrics must have this label + ports: + - protocol: TCP + port: 8080 # HTTP port for metrics diff --git a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml index d67c6106f87..fdaef9a1c30 100644 --- a/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml +++ b/docs/book/src/getting-started/testdata/project/config/prometheus/monitor.yaml @@ -15,11 +15,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml index 3dc289427b8..e5fbbeb20f0 100644 
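Review bot: The policy admits any pod in the same namespace carrying `role: metrics` and, because the `from` entry has a `podSelector` only, no pod from another namespace, so a Prometheus deployed in its own namespace is blocked while any workload that can label itself in the manager's namespace is admitted; the labels `created-by: project-v4` / `part-of: project-v4` also do not match the `project` value used by the sibling files at L19–L21. The header should state the enforcement caveat: `# NetworkPolicy restricting ingress to the metrics port. It is enforced only by a CNI that` / `# implements NetworkPolicy; elsewhere it is accepted but has no effect and /metrics is reachable` / `# by any pod. Scrapers in other namespaces additionally need a namespaceSelector here.` The same file with the same labels appears at L30 and L39, and the rendered copy at L36 carries `project-v4` labels next to resources labelled `project-v4-multigroup-with-deploy-image`.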
--- a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml @@ -10,15 +10,16 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# the metrics network policy # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines # if you do not want those helpers be installed with your Project. - memcached_editor_role.yaml - memcached_viewer_role.yaml + diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_client_cluster_role.yaml similarity index 88% rename from docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_client_cluster_role.yaml index 500386b28f0..710646aa414 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_client_cluster_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize 
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role.yaml similarity index 79% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_role.yaml index 85e39513cc1..fe6a2a6f2e0 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_role.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role.yaml @@ -3,12 +3,12 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-role + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role_binding.yaml similarity index 73% rename from docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_role_binding.yaml index 8b5ff114fa1..714fbbc1aa6 100644 --- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/auth_proxy_role_binding.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_role_binding.yaml 
@@ -3,16 +3,16 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-rolebinding + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml similarity index 81% rename from docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml rename to docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml index f40b3d2c0bd..a172c8c0f2a 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/auth_proxy_service.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/metrics_service.yaml @@ -5,7 +5,7 @@ metadata: control-plane: controller-manager app.kubernetes.io/name: service app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project app.kubernetes.io/part-of: project app.kubernetes.io/managed-by: kustomize @@ -13,9 +13,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager 
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml index 2f78dfb54aa..5446b0ea50a 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml @@ -25,12 +25,15 @@ resources: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose +# the /metrics w/o any authn/z, please comment the following line. +- ../policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# The /metrics endpoint is protected by the NetworkPolicy +# If you want to expose the metric endpoint of your controller-manager +# uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,39 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=0"
- ports:
- - containerPort: 8443
- protocol: TCP
- name: https
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- - name: manager
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=127.0.0.1:8080"
- - "--leader-elect"
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml
new file mode 100644
index 00000000000..c23d8d9268f
--- /dev/null
+++ b/testdata/project-v4-multigroup-with-deploy-image/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,15 @@
+# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=0.0.0.0:8080"
+ - "--leader-elect"
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/policy/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/policy/kustomization.yaml
new file mode 100644
index 00000000000..dc4571ccb16
--- /dev/null
+++ b/testdata/project-v4-multigroup-with-deploy-image/config/policy/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- policy.yaml
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/policy/policy.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/policy/policy.yaml new file mode 100644 index 00000000000..33325d2a0e3 --- /dev/null +++ b/testdata/project-v4-multigroup-with-deploy-image/config/policy/policy.yaml @@ -0,0 +1,27 @@ +# NetworkPolicy to protected metrics endpoint +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/part-of: project-v4 + app.kubernetes.io/managed-by: kustomize + name: manager-metrics-policy + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: metrics # Pod(s) which will collect the metrics must have this label + ports: + - protocol: TCP + port: 8080 # HTTP port for metrics diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml index bf55d64ae3a..595c4ed87c3 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/prometheus/monitor.yaml @@ -15,11 +15,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml index 08b359e46b5..f730eb57442 100644 
--- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml @@ -10,12 +10,12 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# the metrics network policy # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -40,3 +40,4 @@ resources: - ship_frigate_viewer_role.yaml - crew_captain_editor_role.yaml - crew_captain_viewer_role.yaml + diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml similarity index 89% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml index 3c9ad11fc52..63c38954077 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml 
@@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image app.kubernetes.io/managed-by: kustomize diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role.yaml similarity index 81% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role.yaml index 0050db22e36..db8b4f1eec8 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role.yaml @@ -3,12 +3,12 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-role + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role_binding.yaml similarity index 76% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role_binding.yaml index 2865bf6007b..6dd925789d3 100644 
--- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_role_binding.yaml @@ -3,16 +3,16 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-rolebinding + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml similarity index 83% rename from testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml index eaa3581887a..f6c31b3d478 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/metrics_service.yaml @@ -5,7 +5,7 @@ metadata: control-plane: controller-manager app.kubernetes.io/name: service app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image app.kubernetes.io/managed-by: kustomize 
@@ -13,9 +13,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml index de7ab9a9859..b84f849ec07 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml @@ -1241,7 +1241,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image app.kubernetes.io/instance: metrics-reader app.kubernetes.io/managed-by: kustomize @@ -1258,13 +1258,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image - app.kubernetes.io/instance: proxy-role + app.kubernetes.io/instance: metrics-role app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrole app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image - name: project-v4-multigroup-with-deploy-image-proxy-role + name: project-v4-multigroup-with-deploy-image-metrics-role rules: - apiGroups: - authentication.k8s.io 
@@ -1614,17 +1614,17 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image - app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/instance: metrics-rolebinding app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrolebinding app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image - name: project-v4-multigroup-with-deploy-image-proxy-rolebinding + name: project-v4-multigroup-with-deploy-image-metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: project-v4-multigroup-with-deploy-image-proxy-role + name: project-v4-multigroup-with-deploy-image-metrics-role subjects: - kind: ServiceAccount name: project-v4-multigroup-with-deploy-image-controller-manager @@ -1634,7 +1634,7 @@ apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image app.kubernetes.io/instance: controller-manager-metrics-service app.kubernetes.io/managed-by: kustomize @@ -1645,10 +1645,10 @@ metadata: namespace: project-v4-multigroup-with-deploy-image-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -1695,8 +1695,6 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager 
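Review bot: Dropping `--health-probe-bind-address=:8081` and `--metrics-bind-address=127.0.0.1:8080` leaves the rendered manager with `--leader-elect` alone, so the metrics Service (`targetPort: 8080`, L34) and the NetworkPolicy port (L36) now depend on whatever default bind address the manager binary applies, and any liveness/readiness probe on 8081 elsewhere in this Deployment (outside the hunk) depends on the same for the probe address. If the sample is meant to listen on 0.0.0.0:8080 by default, the generated Deployment should carry an explicit `--metrics-bind-address=0.0.0.0:8080` so that a change of default in the binary cannot silently leave the policy guarding a port nothing listens on. The container spec continues outside the hunk.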
@@ -1734,29 +1732,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-multigroup-with-deploy-image-controller-manager @@ -1767,6 +1742,33 @@ spec: defaultMode: 420 secretName: webhook-server-cert --- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/part-of: project-v4 + control-plane: controller-manager + name: project-v4-multigroup-with-deploy-image-manager-metrics-policy + namespace: project-v4-multigroup-with-deploy-image-system +spec: + ingress: + - from: + - podSelector: + matchLabels: + role: metrics + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress +--- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 9fe6e3630df..e0ad8325605 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml 
@@ -25,12 +25,15 @@ resources: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose +# the /metrics w/o any authn/z, please comment the following line. +- ../policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# The /metrics endpoint is protected by the NetworkPolicy +# If you want to expose the metric endpoint of your controller-manager +# uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-multigroup/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4-multigroup/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/testdata/project-v4-multigroup/config/policy/kustomization.yaml b/testdata/project-v4-multigroup/config/policy/kustomization.yaml new file mode 100644 index 00000000000..dc4571ccb16 --- /dev/null +++ b/testdata/project-v4-multigroup/config/policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- policy.yaml 
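Review bot: The header `# This patch adds the args to allow expose the metrics endpoint` in the new manager_metrics_patch.yaml should say what the patch actually does: `--metrics-bind-address=0.0.0.0:8080` serves metrics over plain HTTP on every interface with no authentication, so anything that can reach the pod can scrape it unless the NetworkPolicy in config/policy is both applied and enforced by the CNI. Suggest `# This patch binds the metrics endpoint to 0.0.0.0:8080 (plain HTTP, no authn/z).` plus `# Apply it together with config/policy, which limits ingress to pods labelled role=metrics; on a CNI that does not enforce NetworkPolicy the endpoint is open to the whole cluster network.` I believe a strategic-merge patch on a list of strings replaces the manager's whole `args`, which is why `--health-probe-bind-address` and `--leader-elect` are repeated here; a one-line comment saying so would keep a future edit from dropping them.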
diff --git a/testdata/project-v4-multigroup/config/policy/policy.yaml b/testdata/project-v4-multigroup/config/policy/policy.yaml new file mode 100644 index 00000000000..33325d2a0e3 --- /dev/null +++ b/testdata/project-v4-multigroup/config/policy/policy.yaml @@ -0,0 +1,27 @@ +# NetworkPolicy to protected metrics endpoint +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/part-of: project-v4 + app.kubernetes.io/managed-by: kustomize + name: manager-metrics-policy + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: metrics # Pod(s) which will collect the metrics must have this label + ports: + - protocol: TCP + port: 8080 # HTTP port for metrics diff --git a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml index b4435aa9aaa..10c4becaedb 100644 --- a/testdata/project-v4-multigroup/config/prometheus/monitor.yaml +++ b/testdata/project-v4-multigroup/config/prometheus/monitor.yaml @@ -15,11 +15,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml index 08b359e46b5..f730eb57442 100644 --- a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml 
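Review bot: The policy selects every `control-plane: controller-manager` pod with `policyTypes: [Ingress]` and a single allow rule for TCP 8080 from `role: metrics` pods, which denies all other ingress to the manager, not just metrics: the same Deployment mounts `webhook-server-cert` and a MutatingWebhookConfiguration is rendered right after this policy in dist/install.yaml, so on a CNI that enforces NetworkPolicy the API server's admission calls to the webhook port (and, depending on the CNI, kubelet probes on 8081) will be dropped. Either add an explicit ingress rule for the webhook port or document next to `policyTypes:` that projects enabling [WEBHOOK] must extend this policy. The `from` entry also carries no `namespaceSelector`, so only pods in the manager's own namespace can scrape; a Prometheus running in another namespace, the usual layout, is blocked even when labelled `role: metrics`. Finally, `app.kubernetes.io/created-by: project-v4` does not match the `project-v4-multigroup` value used by the sibling rbac files in this project. The same applies to the identical policy.yaml added for the other testdata projects.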
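Review bot: The ServiceMonitor now scrapes over `scheme: http` with no bearer token and no TLS, so metrics cross the pod network in cleartext and the only access control left is the NetworkPolicy; the old `insecureSkipVerify: true` was weak, but the new endpoint has no transport protection at all, and the comment should say so rather than only pointing at the port name. As written the monitor also only works if the Prometheus pods carry the `role: metrics` label and run in the manager's namespace, otherwise config/policy drops the scrape. Suggest `port: http # plain HTTP, no TLS/authn: access is limited only by the NetworkPolicy in config/policy` and, above `endpoints:`, `# Prometheus pods must be labelled role=metrics (and, as the policy is written, run in this namespace) to reach the endpoint.`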
@@ -10,12 +10,12 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# the metrics network policy # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -40,3 +40,4 @@ resources: - ship_frigate_viewer_role.yaml - crew_captain_editor_role.yaml - crew_captain_viewer_role.yaml + diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_client_cluster_role.yaml similarity index 89% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_client_cluster_role.yaml index bc61e75af6b..03fa98baae5 100644 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/testdata/project-v4-multigroup/config/rbac/metrics_client_cluster_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup app.kubernetes.io/part-of: project-v4-multigroup app.kubernetes.io/managed-by: kustomize 
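Review bot: The rewritten comment in rbac/kustomization.yaml is wrong: the four files below it are the metrics Service, the `metrics-role` ClusterRole and its binding, and the `metrics-reader` client ClusterRole, none of which is the NetworkPolicy — that lives in `config/policy` and is wired in `config/default/kustomization.yaml`, so commenting these lines out does not disable it. A reader following this comment to "disable" the policy would instead remove the Service the ServiceMonitor targets and leave the policy in place. Suggest `# Comment the following 4 lines if you do not need the metrics Service and the RBAC` / `# resources kept from the former kube-rbac-proxy setup. The NetworkPolicy that` / `# restricts access to /metrics lives in ../policy (see config/default/kustomization.yaml).`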
diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_role.yaml similarity index 80% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_role.yaml index fa5805cf8a5..4af8d2e2deb 100644 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role.yaml +++ b/testdata/project-v4-multigroup/config/rbac/metrics_role.yaml @@ -3,12 +3,12 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-role + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup app.kubernetes.io/part-of: project-v4-multigroup app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_role_binding.yaml similarity index 75% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_role_binding.yaml index 0bb48978f41..415039c9a69 100644 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_role_binding.yaml +++ b/testdata/project-v4-multigroup/config/rbac/metrics_role_binding.yaml 
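Review bot: The renamed `metrics-role` ClusterRole still grants rules on `authentication.k8s.io` (the TokenReview permission kube-rbac-proxy used to validate scraper tokens), and metrics_role_binding.yaml still binds it to the controller-manager ServiceAccount; with the proxy removed nothing in the manager performs token or subject access reviews, so this is a standing cluster-wide privilege with no consumer. The remaining rules are outside the hunk, but if they are the usual `tokenreviews`/`subjectaccessreviews` create rights I would drop the role and binding (or leave them commented out for users who re-add a proxy) rather than rename them. At minimum the file needs a comment such as `# Only required if an authenticating proxy (e.g. kube-rbac-proxy) is placed in front of /metrics; not used by the manager itself.` The same applies to the copies in the other testdata projects.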
@@ -3,16 +3,16 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-rolebinding + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup app.kubernetes.io/part-of: project-v4-multigroup app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-multigroup/config/rbac/metrics_service.yaml similarity index 82% rename from testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-multigroup/config/rbac/metrics_service.yaml index 88321dc14d5..274c9389286 100644 --- a/testdata/project-v4-multigroup/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4-multigroup/config/rbac/metrics_service.yaml @@ -5,7 +5,7 @@ metadata: control-plane: controller-manager app.kubernetes.io/name: service app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup app.kubernetes.io/part-of: project-v4-multigroup app.kubernetes.io/managed-by: kustomize @@ -13,9 +13,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4-multigroup/dist/install.yaml b/testdata/project-v4-multigroup/dist/install.yaml index 28c4aca2293..dd95d6f2ec1 100644 --- a/testdata/project-v4-multigroup/dist/install.yaml 
+++ b/testdata/project-v4-multigroup/dist/install.yaml @@ -1241,7 +1241,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup app.kubernetes.io/instance: metrics-reader app.kubernetes.io/managed-by: kustomize @@ -1258,13 +1258,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup - app.kubernetes.io/instance: proxy-role + app.kubernetes.io/instance: metrics-role app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrole app.kubernetes.io/part-of: project-v4-multigroup - name: project-v4-multigroup-proxy-role + name: project-v4-multigroup-metrics-role rules: - apiGroups: - authentication.k8s.io @@ -1614,17 +1614,17 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup - app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/instance: metrics-rolebinding app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrolebinding app.kubernetes.io/part-of: project-v4-multigroup - name: project-v4-multigroup-proxy-rolebinding + name: project-v4-multigroup-metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: project-v4-multigroup-proxy-role + name: project-v4-multigroup-metrics-role subjects: - kind: ServiceAccount name: project-v4-multigroup-controller-manager 
@@ -1634,7 +1634,7 @@ apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-multigroup app.kubernetes.io/instance: controller-manager-metrics-service app.kubernetes.io/managed-by: kustomize @@ -1645,10 +1645,10 @@ metadata: namespace: project-v4-multigroup-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -1695,8 +1695,6 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager @@ -1734,29 +1732,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-multigroup-controller-manager 
@@ -1767,6 +1742,33 @@ spec: defaultMode: 420 secretName: webhook-server-cert --- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/part-of: project-v4 + control-plane: controller-manager + name: project-v4-multigroup-manager-metrics-policy + namespace: project-v4-multigroup-system +spec: + ingress: + - from: + - podSelector: + matchLabels: + role: metrics + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress +--- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: diff --git a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml index 62e78ccdbbe..438122f138f 100644 --- a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml 
@@ -25,12 +25,15 @@ resources: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose +# the /metrics w/o any authn/z, please comment the following line. +- ../policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# The /metrics endpoint is protected by the NetworkPolicy +# If you want to expose the metric endpoint of your controller-manager +# uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-with-deploy-image/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4-with-deploy-image/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/testdata/project-v4-with-deploy-image/config/policy/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/policy/kustomization.yaml new file mode 100644 index 00000000000..dc4571ccb16 --- /dev/null +++ b/testdata/project-v4-with-deploy-image/config/policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- policy.yaml 
diff --git a/testdata/project-v4-with-deploy-image/config/policy/policy.yaml b/testdata/project-v4-with-deploy-image/config/policy/policy.yaml new file mode 100644 index 00000000000..33325d2a0e3 --- /dev/null +++ b/testdata/project-v4-with-deploy-image/config/policy/policy.yaml @@ -0,0 +1,27 @@ +# NetworkPolicy to protected metrics endpoint +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/part-of: project-v4 + app.kubernetes.io/managed-by: kustomize + name: manager-metrics-policy + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: metrics # Pod(s) which will collect the metrics must have this label + ports: + - protocol: TCP + port: 8080 # HTTP port for metrics diff --git a/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml b/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml index 7f52a66ad36..693106e3547 100644 --- a/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml +++ b/testdata/project-v4-with-deploy-image/config/prometheus/monitor.yaml @@ -15,11 +15,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml index 67076dab990..d91779cd011 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml 
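Review bot: The `from` clause here has only a `podSelector`, which Kubernetes scopes to the policy's own namespace, so a Prometheus in another namespace cannot reach port 8080 even when its pods are labelled `role: metrics`; if cross-namespace scraping is the intended setup, the rule needs a `namespaceSelector` beside the `podSelector`. The policy also denies every other ingress to the selected pods, which matters for this project: its Deployment in dist/install.yaml mounts `webhook-server-cert` and a ValidatingWebhookConfiguration follows the policy there, so API server calls to the webhook port would be dropped by an enforcing CNI. I would add above `policyTypes:` a comment such as `# Denies all other ingress to the manager: any further port (webhooks, probes from non-exempt sources) must be allowed explicitly.`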
+++ b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml @@ -10,12 +10,12 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml # Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# the metrics network policy # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_service.yaml +- metrics_role.yaml +- metrics_role_binding.yaml +- metrics_client_cluster_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines @@ -24,3 +24,4 @@ resources: - busybox_viewer_role.yaml - memcached_editor_role.yaml - memcached_viewer_role.yaml + diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml similarity index 89% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml index 3b930da4bb1..5708a38d8ad 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/metrics_client_cluster_role.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image app.kubernetes.io/part-of: project-v4-with-deploy-image app.kubernetes.io/managed-by: kustomize 
diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role.yaml similarity index 81% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_role.yaml index 149a84a43c5..297f68398e6 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role.yaml @@ -3,12 +3,12 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-role + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image app.kubernetes.io/part-of: project-v4-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-role + name: metrics-role rules: - apiGroups: - authentication.k8s.io diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role_binding.yaml similarity index 75% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_role_binding.yaml index 450754625d0..aaa8ebb2844 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_role_binding.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/metrics_role_binding.yaml 
@@ -3,16 +3,16 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/instance: metrics-rolebinding + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image app.kubernetes.io/part-of: project-v4-with-deploy-image app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + name: metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml similarity index 83% rename from testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml rename to testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml index ac5f66d3182..d8721d9ea76 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/auth_proxy_service.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/metrics_service.yaml @@ -5,7 +5,7 @@ metadata: control-plane: controller-manager app.kubernetes.io/name: service app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image app.kubernetes.io/part-of: project-v4-with-deploy-image app.kubernetes.io/managed-by: kustomize @@ -13,9 +13,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager diff --git a/testdata/project-v4-with-deploy-image/dist/install.yaml b/testdata/project-v4-with-deploy-image/dist/install.yaml index a6b113e4fe1..f56029a99d3 100644 
--- a/testdata/project-v4-with-deploy-image/dist/install.yaml +++ b/testdata/project-v4-with-deploy-image/dist/install.yaml @@ -543,7 +543,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image app.kubernetes.io/instance: metrics-reader app.kubernetes.io/managed-by: kustomize @@ -560,13 +560,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image - app.kubernetes.io/instance: proxy-role + app.kubernetes.io/instance: metrics-role app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrole app.kubernetes.io/part-of: project-v4-with-deploy-image - name: project-v4-with-deploy-image-proxy-role + name: project-v4-with-deploy-image-metrics-role rules: - apiGroups: - authentication.k8s.io @@ -626,17 +626,17 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image - app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/instance: metrics-rolebinding app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrolebinding app.kubernetes.io/part-of: project-v4-with-deploy-image - name: project-v4-with-deploy-image-proxy-rolebinding + name: project-v4-with-deploy-image-metrics-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: project-v4-with-deploy-image-proxy-role + name: project-v4-with-deploy-image-metrics-role subjects: - kind: ServiceAccount name: project-v4-with-deploy-image-controller-manager 
@@ -646,7 +646,7 @@ apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/component: metrics app.kubernetes.io/created-by: project-v4-with-deploy-image app.kubernetes.io/instance: controller-manager-metrics-service app.kubernetes.io/managed-by: kustomize @@ -657,10 +657,10 @@ metadata: namespace: project-v4-with-deploy-image-system spec: ports: - - name: https - port: 8443 + - name: http + port: 8080 protocol: TCP - targetPort: https + targetPort: 8080 selector: control-plane: controller-manager --- @@ -707,8 +707,6 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager @@ -751,29 +749,6 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: project-v4-with-deploy-image-controller-manager 
@@ -784,6 +759,33 @@ spec: defaultMode: 420 secretName: webhook-server-cert --- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/part-of: project-v4 + control-plane: controller-manager + name: project-v4-with-deploy-image-manager-metrics-policy + namespace: project-v4-with-deploy-image-system +spec: + ingress: + - from: + - podSelector: + matchLabels: + role: metrics + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress +--- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: diff --git a/testdata/project-v4-with-grafana/config/default/kustomization.yaml b/testdata/project-v4-with-grafana/config/default/kustomization.yaml index 7fca0820b0c..dedf5f924b1 100644 --- a/testdata/project-v4-with-grafana/config/default/kustomization.yaml +++ b/testdata/project-v4-with-grafana/config/default/kustomization.yaml 
@@ -25,12 +25,15 @@ resources: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose +# the /metrics w/o any authn/z, please comment the following line. +- ../policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# The /metrics endpoint is protected by the NetworkPolicy +# If you want to expose the metric endpoint of your controller-manager +# uncomment the following line. +#- path: manager_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml diff --git a/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4c3c27602f5..00000000000 --- a/testdata/project-v4-with-grafana/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml b/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000000..c23d8d9268f --- /dev/null +++ b/testdata/project-v4-with-grafana/config/default/manager_metrics_patch.yaml @@ -0,0 +1,15 @@ +# This patch adds the args to allow expose the metrics endpoint +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0.0.0.0:8080" + - "--leader-elect" diff --git a/testdata/project-v4-with-grafana/config/policy/kustomization.yaml b/testdata/project-v4-with-grafana/config/policy/kustomization.yaml new file mode 100644 index 00000000000..dc4571ccb16 --- /dev/null +++ b/testdata/project-v4-with-grafana/config/policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- policy.yaml 
diff --git a/testdata/project-v4-with-grafana/config/policy/policy.yaml b/testdata/project-v4-with-grafana/config/policy/policy.yaml new file mode 100644 index 00000000000..33325d2a0e3 --- /dev/null +++ b/testdata/project-v4-with-grafana/config/policy/policy.yaml @@ -0,0 +1,27 @@ +# NetworkPolicy to protected metrics endpoint +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: project-v4-network-policy + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/part-of: project-v4 + app.kubernetes.io/managed-by: kustomize + name: manager-metrics-policy + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + role: metrics # Pod(s) which will collect the metrics must have this label + ports: + - protocol: TCP + port: 8080 # HTTP port for metrics diff --git a/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml b/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml index 910e297d3bb..0eda59d0524 100644 --- a/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml +++ b/testdata/project-v4-with-grafana/config/prometheus/monitor.yaml @@ -15,11 +15,8 @@ metadata: spec: endpoints: - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http selector: matchLabels: control-plane: controller-manager diff --git a/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml b/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml index 731832a6ac3..a4438519005 100644 --- a/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml +++ b/testdata/project-v4-with-grafana/config/rbac/kustomization.yaml 
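Review bot: The labels `app.kubernetes.io/created-by: project-v4` and `app.kubernetes.io/part-of: project-v4` do not match the `project-v4-with-grafana` value carried by every other resource in this project's config/rbac, which suggests the file was copied from the base template without substitution; tooling that filters on `part-of` will not associate the policy with this project. The same caveats as the sibling copies apply: the `podSelector`-only `from` clause admits only same-namespace scrapers, and `policyTypes: [Ingress]` with a single 8080 rule blocks all other ingress to the manager. A comment above `ingress:` should say that a Prometheus in another namespace needs a `namespaceSelector` here and that any additional port (e.g. a webhook server) must be allowed explicitly.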
@@ -10,9 +10,9 @@ resources:
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# the metrics network policy
# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+- metrics_client_cluster_role.yaml
diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_client_cluster_role.yaml
similarity index 89%
rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml
rename to testdata/project-v4-with-grafana/config/rbac/metrics_client_cluster_role.yaml
index 1a349448805..3b58c36c1b7 100644
--- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_client_clusterrole.yaml
+++ b/testdata/project-v4-with-grafana/config/rbac/metrics_client_cluster_role.yaml
@@ -4,7 +4,7 @@ metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: metrics-reader
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
app.kubernetes.io/part-of: project-v4-with-grafana
app.kubernetes.io/managed-by: kustomize
diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_role.yaml
similarity index 80%
rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml
rename to testdata/project-v4-with-grafana/config/rbac/metrics_role.yaml
index 78751f31b46..9dedbbfab9f 100644
--- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role.yaml
+++ b/testdata/project-v4-with-grafana/config/rbac/metrics_role.yaml
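Review bot: The rewritten comment `# the metrics network policy` / `# which protects your /metrics endpoint.` in rbac/kustomization.yaml is attached to the wrong resources: the four files listed under it are the metrics Service, the `metrics-role` ClusterRole and ClusterRoleBinding, and the `metrics-reader` ClusterRole, while the NetworkPolicy lives in config/policy and is wired in from config/default/kustomization.yaml. Commenting these four lines would remove the Service the ServiceMonitor scrapes and the RBAC objects, and leave the policy in place. Suggest `# Comment the following 4 lines if you do not need the metrics Service and the RBAC objects for the metrics endpoint; the NetworkPolicy that protects it lives in config/policy.` The same comment is introduced in testdata/project-v4/config/rbac/kustomization.yaml.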
@@ -3,12 +3,12 @@ kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: proxy-role
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/instance: metrics-role
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
app.kubernetes.io/part-of: project-v4-with-grafana
app.kubernetes.io/managed-by: kustomize
- name: proxy-role
+ name: metrics-role
rules:
- apiGroups:
- authentication.k8s.io
diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_role_binding.yaml
similarity index 75%
rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml
rename to testdata/project-v4-with-grafana/config/rbac/metrics_role_binding.yaml
index 65e551ad032..16a79feb907 100644
--- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_role_binding.yaml
+++ b/testdata/project-v4-with-grafana/config/rbac/metrics_role_binding.yaml
@@ -3,16 +3,16 @@ kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: proxy-rolebinding
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/instance: metrics-rolebinding
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
app.kubernetes.io/part-of: project-v4-with-grafana
app.kubernetes.io/managed-by: kustomize
- name: proxy-rolebinding
+ name: metrics-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: proxy-role
+ name: metrics-role
subjects:
- kind: ServiceAccount
name: controller-manager
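Review bot: `metrics-role` is only renamed here and keeps its rule on `authentication.k8s.io` (the rest of the rules list is outside the hunk), and the binding hunk on this same line still grants it to the `controller-manager` ServiceAccount; those review permissions existed so kube-rbac-proxy could authenticate and authorize scrapers, and with the proxy gone nothing in this change shows the manager using them, so the ServiceAccount presumably retains cluster-wide rights it no longer needs. Either drop the rules (or the ClusterRole and binding altogether) or add a header comment naming what still consumes them, e.g. `# NOTE: these rules were required by kube-rbac-proxy; remove them if the manager itself performs no TokenReview/SubjectAccessReview`. The same applies to testdata/project-v4/config/rbac/metrics_role.yaml and metrics_role_binding.yaml.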
diff --git a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml b/testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml
similarity index 82%
rename from testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml
rename to testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml
index 55993935fab..daaaaf8b618 100644
--- a/testdata/project-v4-with-grafana/config/rbac/auth_proxy_service.yaml
+++ b/testdata/project-v4-with-grafana/config/rbac/metrics_service.yaml
@@ -5,7 +5,7 @@ metadata:
control-plane: controller-manager
app.kubernetes.io/name: service
app.kubernetes.io/instance: controller-manager-metrics-service
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
app.kubernetes.io/part-of: project-v4-with-grafana
app.kubernetes.io/managed-by: kustomize
@@ -13,9 +13,9 @@ metadata:
namespace: system
spec:
ports:
- - name: https
- port: 8443
+ - name: http
+ port: 8080
protocol: TCP
- targetPort: https
+ targetPort: 8080
selector:
control-plane: controller-manager
diff --git a/testdata/project-v4-with-grafana/dist/install.yaml b/testdata/project-v4-with-grafana/dist/install.yaml
index 4432c399bc2..4b4412c003a 100644
--- a/testdata/project-v4-with-grafana/dist/install.yaml
+++ b/testdata/project-v4-with-grafana/dist/install.yaml
@@ -90,7 +90,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/managed-by: kustomize
@@ -107,13 +107,13 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
- app.kubernetes.io/instance: proxy-role
+ app.kubernetes.io/instance: metrics-role
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: clusterrole
app.kubernetes.io/part-of: project-v4-with-grafana
- name: project-v4-with-grafana-proxy-role
+ name: project-v4-with-grafana-metrics-role
rules:
- apiGroups:
- authentication.k8s.io
@@ -173,17 +173,17 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
- app.kubernetes.io/instance: proxy-rolebinding
+ app.kubernetes.io/instance: metrics-rolebinding
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/part-of: project-v4-with-grafana
- name: project-v4-with-grafana-proxy-rolebinding
+ name: project-v4-with-grafana-metrics-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: project-v4-with-grafana-proxy-role
+ name: project-v4-with-grafana-metrics-role
subjects:
- kind: ServiceAccount
name: project-v4-with-grafana-controller-manager
@@ -193,7 +193,7 @@ apiVersion: v1
kind: Service
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4-with-grafana
app.kubernetes.io/instance: controller-manager-metrics-service
app.kubernetes.io/managed-by: kustomize
@@ -204,10 +204,10 @@ metadata:
namespace: project-v4-with-grafana-system
spec:
ports:
- - name: https
- port: 8443
+ - name: http
+ port: 8080
protocol: TCP
- targetPort: https
+ targetPort: 8080
selector:
control-plane: controller-manager
---
@@ -238,31 +238,6 @@ spec:
spec:
containers:
- args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=0
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- protocol: TCP
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- - args:
- - --health-probe-bind-address=:8081
- - --metrics-bind-address=127.0.0.1:8080
- --leader-elect
command:
- /manager
@@ -296,3 +271,30 @@ spec:
runAsNonRoot: true
serviceAccountName: project-v4-with-grafana-controller-manager
terminationGracePeriodSeconds: 10
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/created-by: project-v4
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: project-v4-network-policy
+ app.kubernetes.io/part-of: project-v4
+ control-plane: controller-manager
+ name: project-v4-with-grafana-manager-metrics-policy
+ namespace: project-v4-with-grafana-system
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ role: metrics
+ ports:
+ - port: 8080
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml
index ae7fc170730..aea1e3ecc90 100644
--- a/testdata/project-v4/config/default/kustomization.yaml
+++ b/testdata/project-v4/config/default/kustomization.yaml
@@ -25,12 +25,15 @@ resources:
#- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
+# [NETWORK POLICY] Protect the /metrics endpoint. If you want your controller-manager to expose
+# the /metrics w/o any authn/z, please comment the following line.
+- ../policy
patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# The /metrics endpoint is protected by the NetworkPolicy
+# If you want to expose the metric endpoint of your controller-manager
+# uncomment the following line.
+#- path: manager_metrics_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
diff --git a/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml b/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index 4c3c27602f5..00000000000
--- a/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
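Review bot: The new comment `# the /metrics w/o any authn/z, please comment the following line.` describes the NetworkPolicy as authn/z, but a NetworkPolicy only restricts which pods may open a connection; with kube-rbac-proxy removed there is no authentication or authorization on /metrics at all, so the wording should say "without the network restriction" rather than "w/o any authn/z". The second comment block is also contradictory: it says the endpoint is protected by the policy and that `#- path: manager_metrics_patch.yaml` should be uncommented to expose it, yet with the patch disabled no manifest in this change sets `--metrics-bind-address` (the dist/install.yaml hunks show the flag removed), so whether the Service's targetPort 8080 is actually served depends on the manager binary's flag default, which is not visible here. Suggest stating that explicitly, e.g. `# Leave this commented to rely on the manager's default metrics bind address; enable it to bind metrics on 0.0.0.0:8080 (no authn/z).`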
@@ -1,39 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=0"
- ports:
- - containerPort: 8443
- protocol: TCP
- name: https
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- - name: manager
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=127.0.0.1:8080"
- - "--leader-elect"
diff --git a/testdata/project-v4/config/default/manager_metrics_patch.yaml b/testdata/project-v4/config/default/manager_metrics_patch.yaml
new file mode 100644
index 00000000000..c23d8d9268f
--- /dev/null
+++ b/testdata/project-v4/config/default/manager_metrics_patch.yaml
@@ -0,0 +1,15 @@
+# This patch adds the args to allow expose the metrics endpoint
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=0.0.0.0:8080"
+ - "--leader-elect"
diff --git a/testdata/project-v4/config/policy/kustomization.yaml b/testdata/project-v4/config/policy/kustomization.yaml
new file mode 100644
index 00000000000..dc4571ccb16
--- /dev/null
+++ b/testdata/project-v4/config/policy/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- policy.yaml
diff --git a/testdata/project-v4/config/policy/policy.yaml b/testdata/project-v4/config/policy/policy.yaml
new file mode 100644
index 00000000000..33325d2a0e3
--- /dev/null
+++ b/testdata/project-v4/config/policy/policy.yaml
@@ -0,0 +1,27 @@
+# NetworkPolicy to protected metrics endpoint
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: project-v4-network-policy
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/created-by: project-v4
+ app.kubernetes.io/part-of: project-v4
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-metrics-policy
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ role: metrics # Pod(s) which will collect the metrics must have this label
+ ports:
+ - protocol: TCP
+ port: 8080 # HTTP port for metrics
diff --git a/testdata/project-v4/config/prometheus/monitor.yaml b/testdata/project-v4/config/prometheus/monitor.yaml
index 905e15b285c..0d22b7258a9 100644
--- a/testdata/project-v4/config/prometheus/monitor.yaml
+++ b/testdata/project-v4/config/prometheus/monitor.yaml
@@ -15,11 +15,8 @@ metadata:
spec:
endpoints:
- path: /metrics
- port: https
- scheme: https
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
- tlsConfig:
- insecureSkipVerify: true
+ port: http # Ensure this is the name of the port that exposes HTTP metrics
+ scheme: http
selector:
matchLabels:
control-plane: controller-manager
diff --git a/testdata/project-v4/config/rbac/kustomization.yaml b/testdata/project-v4/config/rbac/kustomization.yaml
index 8518bf9e24d..4ac4e50ee4f 100644
--- a/testdata/project-v4/config/rbac/kustomization.yaml
+++ b/testdata/project-v4/config/rbac/kustomization.yaml
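Review bot: This policy selects the entire `controller-manager` pod with `policyTypes: - Ingress` but admits only TCP 8080 from `role: metrics` pods, so once a policy-enforcing CNI is in place every other inbound connection to the pod is denied; for project-v4 that includes the API server's calls to the webhook server (the dist/install.yaml hunks in this change mount `webhook-server-cert` and declare a `MutatingWebhookConfiguration`), and, depending on how the CNI treats node-originated traffic, possibly the kubelet probes on 8081 as well. Either add explicit ingress rules for the webhook and probe ports or state the intent in the header comment, e.g. `# NOTE: isolating Ingress on the manager pod also governs webhook and probe traffic; add rules for those ports where the CNI enforces this policy`. The webhook port itself is not in this hunk, so its value should be taken from config/webhook rather than assumed.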
@@ -10,12 +10,12 @@ resources:
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# the metrics network policy
# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_service.yaml
+- metrics_role.yaml
+- metrics_role_binding.yaml
+- metrics_client_cluster_role.yaml
# For each CRD, "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the Project itself. You can comment the following lines
@@ -26,3 +26,4 @@ resources:
- firstmate_viewer_role.yaml
- captain_editor_role.yaml
- captain_viewer_role.yaml
+
diff --git a/testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml b/testdata/project-v4/config/rbac/metrics_client_cluster_role.yaml
similarity index 88%
rename from testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml
rename to testdata/project-v4/config/rbac/metrics_client_cluster_role.yaml
index 6eb655532e8..22ce8caa874 100644
--- a/testdata/project-v4/config/rbac/auth_proxy_client_clusterrole.yaml
+++ b/testdata/project-v4/config/rbac/metrics_client_cluster_role.yaml
@@ -4,7 +4,7 @@ metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: metrics-reader
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
app.kubernetes.io/part-of: project-v4
app.kubernetes.io/managed-by: kustomize
diff --git a/testdata/project-v4/config/rbac/auth_proxy_role.yaml b/testdata/project-v4/config/rbac/metrics_role.yaml
similarity index 79%
rename from testdata/project-v4/config/rbac/auth_proxy_role.yaml
rename to testdata/project-v4/config/rbac/metrics_role.yaml
index 28de66c7882..17865e2a097 100644
--- a/testdata/project-v4/config/rbac/auth_proxy_role.yaml
+++ b/testdata/project-v4/config/rbac/metrics_role.yaml
@@ -3,12 +3,12 @@ kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: proxy-role
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/instance: metrics-role
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
app.kubernetes.io/part-of: project-v4
app.kubernetes.io/managed-by: kustomize
- name: proxy-role
+ name: metrics-role
rules:
- apiGroups:
- authentication.k8s.io
diff --git a/testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v4/config/rbac/metrics_role_binding.yaml
similarity index 74%
rename from testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml
rename to testdata/project-v4/config/rbac/metrics_role_binding.yaml
index 609d1c5e0e0..0e7d5298bce 100644
--- a/testdata/project-v4/config/rbac/auth_proxy_role_binding.yaml
+++ b/testdata/project-v4/config/rbac/metrics_role_binding.yaml
@@ -3,16 +3,16 @@ kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: proxy-rolebinding
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/instance: metrics-rolebinding
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
app.kubernetes.io/part-of: project-v4
app.kubernetes.io/managed-by: kustomize
- name: proxy-rolebinding
+ name: metrics-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: proxy-role
+ name: metrics-role
subjects:
- kind: ServiceAccount
name: controller-manager
diff --git a/testdata/project-v4/config/rbac/auth_proxy_service.yaml b/testdata/project-v4/config/rbac/metrics_service.yaml
similarity index 82%
rename from testdata/project-v4/config/rbac/auth_proxy_service.yaml
rename to testdata/project-v4/config/rbac/metrics_service.yaml
index 81fb97cbe94..1a6cf8a6562 100644
--- a/testdata/project-v4/config/rbac/auth_proxy_service.yaml
+++ b/testdata/project-v4/config/rbac/metrics_service.yaml
@@ -5,7 +5,7 @@ metadata:
control-plane: controller-manager
app.kubernetes.io/name: service
app.kubernetes.io/instance: controller-manager-metrics-service
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
app.kubernetes.io/part-of: project-v4
app.kubernetes.io/managed-by: kustomize
@@ -13,9 +13,9 @@ metadata:
namespace: system
spec:
ports:
- - name: https
- port: 8443
+ - name: http
+ port: 8080
protocol: TCP
- targetPort: https
+ targetPort: 8080
selector:
control-plane: controller-manager
diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml
index adc1f4bb4e5..c0cda58b826 100644
--- a/testdata/project-v4/dist/install.yaml
+++ b/testdata/project-v4/dist/install.yaml
@@ -545,7 +545,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/managed-by: kustomize
@@ -562,13 +562,13 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
- app.kubernetes.io/instance: proxy-role
+ app.kubernetes.io/instance: metrics-role
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: clusterrole
app.kubernetes.io/part-of: project-v4
- name: project-v4-proxy-role
+ name: project-v4-metrics-role
rules:
- apiGroups:
- authentication.k8s.io
@@ -628,17 +628,17 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
- app.kubernetes.io/instance: proxy-rolebinding
+ app.kubernetes.io/instance: metrics-rolebinding
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/part-of: project-v4
- name: project-v4-proxy-rolebinding
+ name: project-v4-metrics-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: project-v4-proxy-role
+ name: project-v4-metrics-role
subjects:
- kind: ServiceAccount
name: project-v4-controller-manager
@@ -648,7 +648,7 @@ apiVersion: v1
kind: Service
metadata:
labels:
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/component: metrics
app.kubernetes.io/created-by: project-v4
app.kubernetes.io/instance: controller-manager-metrics-service
app.kubernetes.io/managed-by: kustomize
@@ -659,10 +659,10 @@ metadata:
namespace: project-v4-system
spec:
ports:
- - name: https
- port: 8443
+ - name: http
+ port: 8080
protocol: TCP
- targetPort: https
+ targetPort: 8080
selector:
control-plane: controller-manager
---
@@ -709,8 +709,6 @@ spec:
spec:
containers:
- args:
- - --health-probe-bind-address=:8081
- - --metrics-bind-address=127.0.0.1:8080
- --leader-elect
command:
- /manager
@@ -748,29 +746,6 @@ spec:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=0
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- protocol: TCP
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
securityContext:
runAsNonRoot: true
serviceAccountName: project-v4-controller-manager
@@ -781,6 +756,33 @@ spec:
defaultMode: 420
secretName: webhook-server-cert
---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/created-by: project-v4
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: project-v4-network-policy
+ app.kubernetes.io/part-of: project-v4
+ control-plane: controller-manager
+ name: project-v4-manager-metrics-policy
+ namespace: project-v4-system
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ role: metrics
+ ports:
+ - port: 8080
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
+---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata: