If your project uses gcr.io/kubebuilder/kube-rbac-proxy, it will be affected: your project may fail to work once the image can no longer be pulled. You must move away from it as soon as possible; GCR will go away in early 2025.
Key Update
Unfortunately, we're unable to provide any guarantees regarding timelines or potential extensions at this time. Images provided under GCR will be unavailable from March 18, 2025, as per the announcement. However, gcr.io/kubebuilder/ may become unavailable before this date due to efforts to deprecate the infrastructure.
kube-rbac-proxy was historically used to protect the metrics endpoint. However, its usage has been discontinued in Kubebuilder. The default scaffold now leverages the WithAuthenticationAndAuthorization feature provided by Controller-Runtime. This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for kube-rbac-proxy (https://github.com/brancz/kube-rbac-proxy) to secure metrics endpoints.
Why This Matters
Follow one of the options below.
Option 1 - Upgrade the Project to the Latest Release (Recommended)
Upgrade your project to the latest release by re-scaffolding it and reintegrating your custom code. The latest scaffold no longer references kube-rbac-proxy (in the PROJECT file or under config/) and comes with options to improve production readiness, such as configuring certificates securely. This approach also allows you to take advantage of other improvements, bug fixes, and the latest updates.

Option 2 - Use the built-in authn/authz protection from Controller-Runtime
If you prefer not to fully upgrade, modify your project to use the built-in authn/authz protection via Controller-Runtime (see the migration steps below).

Option 3 - Use an alternative kube-rbac-proxy image (Not adopted or promoted by Kubebuilder)
If you want to continue using kube-rbac-proxy, source the image from an alternative location, at your own risk. Examples include:
- To mitigate risks, we manually mirror the images to registry.k8s.io/kubebuilder/kube-rbac-proxy. This registry is managed by #sig-k8s-infra. However, we cannot promote the kube-rbac-proxy images on this registry or recommend their usage since they have been discontinued from the project.

FAQ
Why does the metrics endpoint need to be protected?
Unprotected metrics endpoints can expose sensitive data, such as system performance and application behavior, to unauthorized users. This can lead to security vulnerabilities where attackers gain insights into the system's operation and exploit weaknesses.
How can the metrics endpoint be protected?
The following are some options, with details on the support and helpers introduced in Kubebuilder.

- Use Controller-Runtime's feature WithAuthenticationAndAuthorization to enable authn/authz for metrics endpoints (protection enabled by default from release v4.1.0). For reference, see the code from release 4.3.1.
- Use NetworkPolicies to secure metrics endpoints (optional helper introduced from release v4.2.0). Example configuration: NetworkPolicy Example. Also, feel free to check the (external code example).
- Integrate cert-manager: secure the metrics endpoint using TLS encryption with cert-manager. For example, ensure that you use valid certificates, including in the ServiceMonitor used to integrate it with Prometheus. Note that we plan to add a feature/helper for it in the next release, see the PR: ✨ (go/v4): feat/fix: enhance cert-manager integration for metrics endpoints (follow-up to PR #4243) #4400

NetworkPolicy acts as a firewall for pods, controlling traffic flow at the IP or port level. However, it doesn't handle authentication (authn), authorization (authz), or encryption like kube-rbac-proxy does.
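To make the authn/authz model concrete, here is an added example (not Kubebuilder's or Controller-Runtime's code) that reproduces what WithAuthenticationAndAuthorization does in front of /metrics, using only the Go standard library so it runs offline: the bearer token is authenticated first, then the resulting subject is checked for "get" on the requested non-resource URL. The real filter performs those two steps with a TokenReview and a SubjectAccessReview against the API server; the in-memory token and RBAC tables, the token strings, and the namespace/ServiceAccount names below are constructed assumptions. It also shows what a NetworkPolicy alone cannot give you: a caller on an allowed network path still gets 401 or 403 without the right identity and RBAC.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample tokens (assumption); in a cluster they would be ServiceAccount
// tokens minted with `kubectl create token`.
const (
	ReaderToken       = "constructed-token-for-controller-manager-sa"
	UnprivilegedToken = "constructed-token-for-default-sa"
)

// tokenTable maps a bearer token to its subject. It stands in for the TokenReview
// the real filter sends to the API server; tokens are compared in constant time.
type tokenTable map[string]string

func (t tokenTable) Authenticate(token string) (subject string, ok bool) {
	for candidate, name := range t {
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(token)) == 1 {
			return name, true
		}
	}
	return "", false
}

// rule mirrors one ClusterRole entry (nonResourceURLs + verbs) bound to a subject;
// rbacTable stands in for the SubjectAccessReview with nonResourceAttributes.
type rule struct{ subject, verb, path string }
type rbacTable []rule

func (r rbacTable) Allowed(subject, verb, path string) bool {
	for _, ru := range r {
		if ru.subject == subject && ru.verb == verb && ru.path == path {
			return true
		}
	}
	return false
}

// bearerToken returns the token from "Authorization: Bearer <token>", or "" if absent.
func bearerToken(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if len(h) < 8 || !strings.EqualFold(h[:7], "bearer ") {
		return ""
	}
	return strings.TrimSpace(h[7:])
}

// WithAuthnAuthz wraps next the way WithAuthenticationAndAuthorization does: a missing
// or unknown token yields 401; a known subject without "get" on the path yields 403.
func WithAuthnAuthz(authn tokenTable, authz rbacTable, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		subject, ok := authn.Authenticate(bearerToken(r))
		if !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if !authz.Allowed(subject, "get", r.URL.Path) {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewDemoServer wires the constructed tokens to an RBAC table equivalent to the scaffolded
// metrics-reader ClusterRole (nonResourceURLs: ["/metrics"], verbs: ["get"]) bound to the
// controller-manager ServiceAccount. Namespace and ServiceAccount names are assumptions.
func NewDemoServer() http.Handler {
	const readerSA = "system:serviceaccount:my-project-system:my-project-controller-manager"
	tokens := tokenTable{ReaderToken: readerSA, UnprivilegedToken: "system:serviceaccount:default:default"}
	rbac := rbacTable{{subject: readerSA, verb: "get", path: "/metrics"}}
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "up 1") })
	return WithAuthnAuthz(tokens, rbac, metrics)
}

// Probe performs GET path with an optional bearer token and returns the HTTP status code.
func Probe(srv http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	srv := NewDemoServer()
	fmt.Println("no token:            ", Probe(srv, "/metrics", ""))                // 401
	fmt.Println("unknown token:       ", Probe(srv, "/metrics", "not-a-real-token")) // 401
	fmt.Println("default SA:          ", Probe(srv, "/metrics", UnprivilegedToken))  // 403
	fmt.Println("controller-manager:  ", Probe(srv, "/metrics", ReaderToken))        // 200
	fmt.Println("manager on /healthz: ", Probe(srv, "/healthz", ReaderToken))        // 403
}
```

The last probe is the point to keep in mind when writing RBAC for this filter: the scaffolded ClusterRole grants "get" on the /metrics non-resource URL only, so the same identity is refused on any other path. In the real filter the same distinction shows up as a SubjectAccessReview denial rather than a table lookup.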
Following these steps should help you resolve the issue. However, there may be a few caveats depending on how old the version used to create the project is, especially if it has never been upgraded to the latest versions by re-creating the project and adding your code changes on top.
1 - Remove kube-rbac-proxy configurations
Ensure that you remove the container named kube-rbac-proxy from the manager Deployment. Example from an old version

2 - Ensure that your manager has the args for the metrics service and binds at the same port
For example, see the metrics service:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: controller-manager-metrics-service
  namespace: system
spec:
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  selector:
    control-plane: controller-manager
```

3 - Patch the manager args
For example, see the arg patched in to bind the metrics server to the same port:

```yaml
- op: add
  path: /spec/template/spec/containers/0/args/0
  value: --metrics-bind-address=:8443
```

4 - Update main.go
Update your main.go to implement WithAuthenticationAndAuthorization. Here's an example:
```go
package main

import (
	"crypto/tls"
	"os"

	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
)

var setupLog = ctrl.Log.WithName("setup")

func main() {
	// In the scaffold these values come from the --metrics-bind-address,
	// --metrics-secure and --enable-http2 flags; shown here as the scaffold configures them.
	metricsAddr, secureMetrics, enableHTTP2 := ":8443", true, false
	var tlsOpts []func(*tls.Config)
	// if the enable-http2 flag is false (the default), http/2 should be disabled
	// due to its vulnerabilities. More specifically, disabling http/2 will
	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
	// Rapid Reset CVEs. For more information see:
	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
	// - https://github.com/advisories/GHSA-4374-p667-p6c8
	disableHTTP2 := func(c *tls.Config) {
		setupLog.Info("disabling http/2")
		c.NextProtos = []string{"http/1.1"}
	}
	if !enableHTTP2 {
		tlsOpts = append(tlsOpts, disableHTTP2)
	}
	metricsServerOptions := metricsserver.Options{
		BindAddress:   metricsAddr,
		SecureServing: secureMetrics,
		TLSOpts:       tlsOpts,
		// Callers must present a bearer token that passes TokenReview and a
		// SubjectAccessReview for GET /metrics; this replaces kube-rbac-proxy.
		FilterProvider: filters.WithAuthenticationAndAuthorization,
	}
	// Hand the options to the manager (as the scaffolded main.go does).
	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{Metrics: metricsServerOptions})
	if err == nil { // register your controllers with mgr here
		err = mgr.Start(ctrl.SetupSignalHandler())
	}
	if err != nil {
		setupLog.Error(err, "problem running manager")
		os.Exit(1)
	}
}
```
For a full implementation example, see the samples under testdata. For reference, see the code from release 4.3.1.

Note: Please ensure that you disable HTTP/2 by default, as in the above example. Disabling HTTP/2 is still required: kubernetes/kubernetes#121197
5 - Add e2e tests to validate the metrics endpoint
Projects created with the latest versions are scaffolded with comprehensive E2E tests, including code to validate the metrics endpoint. Example: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v4/test/e2e/e2e_test.go#L166-L235. Note that you can remove the Prometheus block if you are not providing this integration.

6 - Build and verify
Build your project and ensure the metrics endpoint is working and protected with RBAC as expected. The RBAC permissions scaffolded under config/rbac should provide the required permissions. However, if you face issues, look at the latest scaffolds to generate them properly; see the examples under testdata.
Steps to Verify Metrics with curl manually

Bind the scaffolded metrics-reader ClusterRole to the manager's ServiceAccount:

```shell
kubectl create clusterrolebinding <project-name>-metrics-binding \
  --clusterrole=<project-name>-metrics-reader \
  --serviceaccount=<project-name>-system:<project-name>-controller-manager
```

Create a token for that ServiceAccount (this example uses the names from the operator-controller project; substitute your own):

```shell
export TOKEN=$(kubectl create token operator-controller-controller-manager -n olmv1-system)
echo $TOKEN
```

Run a curl pod in the project namespace:

```shell
kubectl run curl-metrics --rm -it --restart=Never \
  --image=curlimages/curl:7.87.0 -n <project>-system -- /bin/sh
```

From inside the pod, query the endpoint with the token. Note that the TOKEN variable exported in your shell is not inherited by the pod, so paste the value printed by echo into the command:

```shell
curl -v -k -H "Authorization: Bearer $TOKEN" https://<my-project-name>-controller-manager-metrics-service.<my-project-name>-system.svc.cluster.local:8443/metrics
```

The -k flag skips certificate verification, which is acceptable for the scaffold's self-signed certificate; once you serve the endpoint with a cert-manager certificate, pass the CA with --cacert instead. A request without the token should return 401, and a token for a ServiceAccount without the metrics-reader binding should return 403.

❓ Why is this happening?
The kube-rbac-proxy images have been rebuilt and re-tagged by Kubebuilder for an extended period. However, due to infrastructure changes within the Kubernetes ecosystem and the deprecation of Google Cloud Platform's Container Registry (details here), continuing to maintain these images is no longer feasible.

Additionally, kube-rbac-proxy has been in the process of being donated to SIG-Auth for an extended period. Despite these efforts, significant requirements still need to be addressed before SIG-Auth can consider adopting the project. The latest review outlined several tasks being tracked here: kube-rbac-proxy issue #238.

These are the key reasons; for more details, refer to the linked announcement and issue.

Please update your configurations accordingly to avoid disruptions. If you have any questions or need further assistance, feel free to ask in this discussion thread or the Kubebuilder Slack channel.

For further information, check the metrics section in the documentation: https://book.kubebuilder.io/reference/metrics.