From f53402695eea7b6d485bf76371385a473b14c44f Mon Sep 17 00:00:00 2001 From: Leela Venkaiah G <lgangava@ibm.com> Date: Tue, 15 Oct 2024 05:07:01 +0000 Subject: [PATCH] remove kube-rbac-proxy container from deployment csi-operator is not exporting any metrics exclusively and orchestrated csi already exports metrics on it's own which isn't tunneled through the operator. kube-rbac-proxy prominently used to authenticate api access to metrics endpoint available on operator (manager) which isn't mandatory for us and this commit removes the same. note that controller-runtime itself exports some metrics and this commit doesn't bind any port for controller-runtime which disables inbuilt metrics being available. https://book.kubebuilder.io/reference/metrics-reference Signed-off-by: Leela Venkaiah G <lgangava@ibm.com> --- Makefile | 4 +- cmd/main.go | 36 +------ config/manager/kustomization.yaml | 5 - config/manager/manager_auth_proxy_patch.yaml | 40 -------- .../rbac/auth_proxy_client_clusterrole.yaml | 12 --- config/rbac/auth_proxy_role.yaml | 20 ---- config/rbac/auth_proxy_role_binding.yaml | 15 --- config/rbac/auth_proxy_service.yaml | 17 ---- config/rbac/kustomization.yaml | 7 -- deploy/all-in-one/install.yaml | 93 ------------------- deploy/multifile/operator.yaml | 93 ------------------- 11 files changed, 3 insertions(+), 339 deletions(-) delete mode 100644 config/manager/manager_auth_proxy_patch.yaml delete mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 config/rbac/auth_proxy_role.yaml delete mode 100644 config/rbac/auth_proxy_role_binding.yaml delete mode 100644 config/rbac/auth_proxy_service.yaml diff --git a/Makefile b/Makefile index 352de97d..5ba4b60b 100644 --- a/Makefile +++ b/Makefile @@ -43,7 +43,7 @@ namePrefix: $(NAME_PREFIX) patches: - patch: |- - op: add - path: /spec/template/spec/containers/1/env/- + path: /spec/template/spec/containers/0/env/- value: name: CSI_SERVICE_ACCOUNT_PREFIX value: $(NAME_PREFIX) 
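Review bot: The kustomize JSON patch still addresses the manager by position, `path: /spec/template/spec/containers/0/env/-`, so the env injection lands on whichever container happens to be first; with the sidecar gone the index is correct today, but any sidecar added later at index 0 would receive `CSI_SERVICE_ACCOUNT_PREFIX` instead of the manager, with no error from kustomize. A strategic-merge patch keyed on the container name (`name: manager` with an `env:` list under it) survives reordering and is worth considering here. The `KUBE_RBAC_PROXY_IMG` variable whose images entry is removed in the next hunk may still be defined or documented elsewhere in the Makefile; that part is outside this hunk.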
@@ -53,8 +53,6 @@ patches: images: - name: controller newName: ${IMG} -- name: kube-rbac-proxy - newName: ${KUBE_RBAC_PROXY_IMG} endef export BUILD_INSTALLER_OVERLAY diff --git a/cmd/main.go b/cmd/main.go index 97228a5e..98d38bb7 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -17,7 +17,6 @@ limitations under the License. package main import ( - "crypto/tls" "flag" "os" @@ -32,7 +31,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" - "sigs.k8s.io/controller-runtime/pkg/webhook" csiv1alpha1 "github.com/ceph/ceph-csi-operator/api/v1alpha1" "github.com/ceph/ceph-csi-operator/internal/controller" @@ -52,20 +50,12 @@ func init() { } func main() { - var metricsAddr string var enableLeaderElection bool var probeAddr string - var secureMetrics bool - var enableHTTP2 bool - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") - flag.BoolVar(&secureMetrics, "metrics-secure", false, - "If set the metrics endpoint is served securely") - flag.BoolVar(&enableHTTP2, "enable-http2", false, - "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } 
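Review bot: Removing `--metrics-bind-address`, `--metrics-secure` and `--enable-http2` from the flag set is a breaking change for any deployment that still passes them: the `flag` package rejects an unknown flag and the process exits at startup, so an out-of-tree manifest that copied the old `--metrics-bind-address=127.0.0.1:8080` argument will crash-loop after the upgrade (assuming `flag.Parse()` still runs as before, which is outside this hunk). The in-tree manifests are updated in the same commit, but a deprecation step would be safer: keep the three flags as accepted-and-ignored, e.g. `flag.String("metrics-bind-address", "", "Deprecated: the operator no longer serves metrics; this flag is ignored.")`, and log a warning when one is set. main's body continues in the next hunk.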
@@ -74,34 +64,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) - // if the enable-http2 flag is false (the default), http/2 should be disabled - // due to its vulnerabilities. More specifically, disabling http/2 will - // prevent from being vulnerable to the HTTP/2 Stream Cancellation and - // Rapid Reset CVEs. For more information see: - // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 - // - https://github.com/advisories/GHSA-4374-p667-p6c8 - disableHTTP2 := func(c *tls.Config) { - setupLog.Info("disabling http/2") - c.NextProtos = []string{"http/1.1"} - } - - tlsOpts := []func(*tls.Config){} - if !enableHTTP2 { - tlsOpts = append(tlsOpts, disableHTTP2) - } - - webhookServer := webhook.NewServer(webhook.Options{ - TLSOpts: tlsOpts, - }) - mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, Metrics: metricsserver.Options{ - BindAddress: metricsAddr, - SecureServing: secureMetrics, - TLSOpts: tlsOpts, + // disable metrics + BindAddress: "0", }, - WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "0a62cc8a.ceph.io", diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index d60de3bc..0af84fcb 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -2,8 +2,3 @@ resources: - manager.yaml apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml diff --git a/config/manager/manager_auth_proxy_patch.yaml b/config/manager/manager_auth_proxy_patch.yaml deleted file mode 100644 index a812d0a2..00000000 --- a/config/manager/manager_auth_proxy_patch.yaml +++ /dev/null 
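Review bot: With `WebhookServer: webhookServer` dropped, controller-runtime builds a default webhook server on demand if any webhook is registered with the manager, and that default does not carry the `disableHTTP2` TLS option removed in the same hunk, so the HTTP/2 Rapid Reset mitigation the old comment described would be silently lost in that case. The hunk does not show whether this operator registers webhooks; if it does not, say so next to the metrics comment so the next reader does not re-add the guard, e.g. `// Metrics are disabled ("0" means no listener) and no webhook server is configured because the operator registers no webhooks; the health probe on probeAddr is the only port bound.`. If it does register webhooks, the TLS option should be kept and passed back through `WebhookServer`. The `ctrl.NewManager` call and the rest of main continue outside the hunk.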
@@ -1,40 +0,0 @@ -# This file was originally located in config/default, but it has been moved here to Kustomize exclusively for deployment. -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - "ALL" - image: kube-rbac-proxy - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index bad23599..00000000 --- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: ceph-csi-operator - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index dd3a6959..00000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: ceph-csi-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 43684c6c..00000000 --- a/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: ceph-csi-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 1dbc604d..00000000 --- a/config/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: ceph-csi-operator - app.kubernetes.io/managed-by: kustomize - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index daa11a4c..017a3b85 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
@@ -9,13 +9,6 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines diff --git a/deploy/all-in-one/install.yaml b/deploy/all-in-one/install.yaml index 0e58d129..1b083158 100644 --- a/deploy/all-in-one/install.yaml +++ b/deploy/all-in-one/install.yaml @@ -14579,19 +14579,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - name: ceph-csi-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: name: ceph-csi-operator-nfs-ctrlplugin-cr rules: @@ -14787,27 +14774,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - name: ceph-csi-operator-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: name: ceph-csi-operator-rbd-ctrlplugin-cr rules: 
@@ -15142,22 +15108,6 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - name: ceph-csi-operator-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ceph-csi-operator-proxy-role -subjects: -- kind: ServiceAccount - name: ceph-csi-operator-controller-manager - namespace: ceph-csi-operator-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding metadata: name: ceph-csi-operator-rbd-ctrlplugin-crb roleRef: @@ -15182,24 +15132,6 @@ subjects: name: ceph-csi-operator-rbd-nodeplugin-sa namespace: ceph-csi-operator-system --- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - control-plane: controller-manager - name: ceph-csi-operator-controller-manager-metrics-service - namespace: ceph-csi-operator-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -15223,31 +15155,6 @@ spec: spec: containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager diff --git a/deploy/multifile/operator.yaml b/deploy/multifile/operator.yaml index d9da73c0..ad3d4cf2 100644 --- a/deploy/multifile/operator.yaml +++ b/deploy/multifile/operator.yaml 
@@ -421,19 +421,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - name: ceph-csi-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -483,27 +470,6 @@ rules: - get --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - name: ceph-csi-operator-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: @@ -536,40 +502,6 @@ subjects: name: ceph-csi-operator-controller-manager namespace: ceph-csi-operator-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - name: ceph-csi-operator-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ceph-csi-operator-proxy-role -subjects: -- kind: ServiceAccount - name: ceph-csi-operator-controller-manager - namespace: ceph-csi-operator-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: ceph-csi-operator - control-plane: controller-manager - name: ceph-csi-operator-controller-manager-metrics-service - namespace: ceph-csi-operator-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager ---- apiVersion: apps/v1 kind: Deployment metadata: 
@@ -593,31 +525,6 @@ spec: spec: containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager