From f53402695eea7b6d485bf76371385a473b14c44f Mon Sep 17 00:00:00 2001
From: Leela Venkaiah G <lgangava@ibm.com>
Date: Tue, 15 Oct 2024 05:07:01 +0000
Subject: [PATCH] remove kube-rbac-proxy container from deployment

csi-operator is not exporting any metrics exclusively and orchestrated
csi already exports metrics on its own, which isn't tunneled through
the operator.

kube-rbac-proxy prominently used to authenticate api access to metrics
endpoint available on operator (manager) which isn't mandatory for us
and this commit removes the same.

note that controller-runtime itself exports some metrics and this commit
doesn't bind any port for controller-runtime which disables inbuilt
metrics being available.

https://book.kubebuilder.io/reference/metrics-reference

Signed-off-by: Leela Venkaiah G <lgangava@ibm.com>
---
 Makefile                                      |  4 +-
 cmd/main.go                                   | 36 +------
 config/manager/kustomization.yaml             |  5 -
 config/manager/manager_auth_proxy_patch.yaml  | 40 --------
 .../rbac/auth_proxy_client_clusterrole.yaml   | 12 ---
 config/rbac/auth_proxy_role.yaml              | 20 ----
 config/rbac/auth_proxy_role_binding.yaml      | 15 ---
 config/rbac/auth_proxy_service.yaml           | 17 ----
 config/rbac/kustomization.yaml                |  7 --
 deploy/all-in-one/install.yaml                | 93 -------------------
 deploy/multifile/operator.yaml                | 93 -------------------
 11 files changed, 3 insertions(+), 339 deletions(-)
 delete mode 100644 config/manager/manager_auth_proxy_patch.yaml
 delete mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml
 delete mode 100644 config/rbac/auth_proxy_role.yaml
 delete mode 100644 config/rbac/auth_proxy_role_binding.yaml
 delete mode 100644 config/rbac/auth_proxy_service.yaml

diff --git a/Makefile b/Makefile
index 352de97d..5ba4b60b 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ namePrefix: $(NAME_PREFIX)
 patches:
 - patch: |-
     - op: add
-      path: /spec/template/spec/containers/1/env/-
+      path: /spec/template/spec/containers/0/env/-
       value:
         name: CSI_SERVICE_ACCOUNT_PREFIX
         value: $(NAME_PREFIX)
@@ -53,8 +53,6 @@ patches:
 images:
 - name: controller
   newName: ${IMG}
-- name: kube-rbac-proxy
-  newName: ${KUBE_RBAC_PROXY_IMG}
 endef
 export BUILD_INSTALLER_OVERLAY
 
diff --git a/cmd/main.go b/cmd/main.go
index 97228a5e..98d38bb7 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -17,7 +17,6 @@ limitations under the License.
 package main
 
 import (
-	"crypto/tls"
 	"flag"
 	"os"
 
@@ -32,7 +31,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
-	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	csiv1alpha1 "github.com/ceph/ceph-csi-operator/api/v1alpha1"
 	"github.com/ceph/ceph-csi-operator/internal/controller"
@@ -52,20 +50,12 @@ func init() {
 }
 
 func main() {
-	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
-	var secureMetrics bool
-	var enableHTTP2 bool
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&secureMetrics, "metrics-secure", false,
-		"If set the metrics endpoint is served securely")
-	flag.BoolVar(&enableHTTP2, "enable-http2", false,
-		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -74,34 +64,12 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
-	// if the enable-http2 flag is false (the default), http/2 should be disabled
-	// due to its vulnerabilities. More specifically, disabling http/2 will
-	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
-	// Rapid Reset CVEs. For more information see:
-	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
-	// - https://github.com/advisories/GHSA-4374-p667-p6c8
-	disableHTTP2 := func(c *tls.Config) {
-		setupLog.Info("disabling http/2")
-		c.NextProtos = []string{"http/1.1"}
-	}
-
-	tlsOpts := []func(*tls.Config){}
-	if !enableHTTP2 {
-		tlsOpts = append(tlsOpts, disableHTTP2)
-	}
-
-	webhookServer := webhook.NewServer(webhook.Options{
-		TLSOpts: tlsOpts,
-	})
-
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
-			BindAddress:   metricsAddr,
-			SecureServing: secureMetrics,
-			TLSOpts:       tlsOpts,
+			// disable metrics
+			BindAddress: "0",
 		},
-		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "0a62cc8a.ceph.io",
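Review bot: Dropping the `WebhookServer` option also drops the `tlsOpts` that forced `http/1.1`; if this operator registers any webhook (not visible in this hunk), controller-runtime will, as far as I recall, build a default webhook server that advertises HTTP/2, reintroducing the Rapid Reset exposure the removed comment cited. If no webhook is registered the manager opens no webhook listener and this is moot, but the commit message should say which case applies. The added `// disable metrics` comment would be more precise as `// "0" disables controller-runtime's metrics server entirely (metricsserver.Options.BindAddress).` so a later reader does not mistake it for a port. main() begins and ends outside this hunk.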
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index d60de3bc..0af84fcb 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -2,8 +2,3 @@ resources:
 - manager.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-patches:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
diff --git a/config/manager/manager_auth_proxy_patch.yaml b/config/manager/manager_auth_proxy_patch.yaml
deleted file mode 100644
index a812d0a2..00000000
--- a/config/manager/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-# This file was originally located in config/default, but it has been moved here to Kustomize exclusively for deployment.
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop:
-            - "ALL"
-        image: kube-rbac-proxy
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--v=0"
-        ports:
-        - containerPort: 8443
-          protocol: TCP
-          name: https
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-      - name: manager
-        args:
-        - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=127.0.0.1:8080"
-        - "--leader-elect"
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
deleted file mode 100644
index bad23599..00000000
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/name: ceph-csi-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: metrics-reader
-rules:
-- nonResourceURLs:
-  - "/metrics"
-  verbs:
-  - get
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index dd3a6959..00000000
--- a/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/name: ceph-csi-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: proxy-role
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index 43684c6c..00000000
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: ceph-csi-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: proxy-role
-subjects:
-- kind: ServiceAccount
-  name: controller-manager
-  namespace: system
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 1dbc604d..00000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    control-plane: controller-manager
-    app.kubernetes.io/name: ceph-csi-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: controller-manager-metrics-service
-  namespace: system
-spec:
-  ports:
-  - name: https
-    port: 8443
-    protocol: TCP
-    targetPort: https
-  selector:
-    control-plane: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index daa11a4c..017a3b85 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -9,13 +9,6 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
 # For each CRD, "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
diff --git a/deploy/all-in-one/install.yaml b/deploy/all-in-one/install.yaml
index 0e58d129..1b083158 100644
--- a/deploy/all-in-one/install.yaml
+++ b/deploy/all-in-one/install.yaml
@@ -14579,19 +14579,6 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-  name: ceph-csi-operator-metrics-reader
-rules:
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   name: ceph-csi-operator-nfs-ctrlplugin-cr
 rules:
@@ -14787,27 +14774,6 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-  name: ceph-csi-operator-proxy-role
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   name: ceph-csi-operator-rbd-ctrlplugin-cr
 rules:
@@ -15142,22 +15108,6 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-  name: ceph-csi-operator-proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ceph-csi-operator-proxy-role
-subjects:
-- kind: ServiceAccount
-  name: ceph-csi-operator-controller-manager
-  namespace: ceph-csi-operator-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
 metadata:
   name: ceph-csi-operator-rbd-ctrlplugin-crb
 roleRef:
@@ -15182,24 +15132,6 @@ subjects:
   name: ceph-csi-operator-rbd-nodeplugin-sa
   namespace: ceph-csi-operator-system
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-    control-plane: controller-manager
-  name: ceph-csi-operator-controller-manager-metrics-service
-  namespace: ceph-csi-operator-system
-spec:
-  ports:
-  - name: https
-    port: 8443
-    protocol: TCP
-    targetPort: https
-  selector:
-    control-plane: controller-manager
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -15223,31 +15155,6 @@ spec:
     spec:
       containers:
       - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --v=0
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-      - args:
-        - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
         - /manager
diff --git a/deploy/multifile/operator.yaml b/deploy/multifile/operator.yaml
index d9da73c0..ad3d4cf2 100644
--- a/deploy/multifile/operator.yaml
+++ b/deploy/multifile/operator.yaml
@@ -421,19 +421,6 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-  name: ceph-csi-operator-metrics-reader
-rules:
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/managed-by: kustomize
@@ -483,27 +470,6 @@ rules:
   - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-  name: ceph-csi-operator-proxy-role
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
@@ -536,40 +502,6 @@ subjects:
   name: ceph-csi-operator-controller-manager
   namespace: ceph-csi-operator-system
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-  name: ceph-csi-operator-proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ceph-csi-operator-proxy-role
-subjects:
-- kind: ServiceAccount
-  name: ceph-csi-operator-controller-manager
-  namespace: ceph-csi-operator-system
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: ceph-csi-operator
-    control-plane: controller-manager
-  name: ceph-csi-operator-controller-manager-metrics-service
-  namespace: ceph-csi-operator-system
-spec:
-  ports:
-  - name: https
-    port: 8443
-    protocol: TCP
-    targetPort: https
-  selector:
-    control-plane: controller-manager
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -593,31 +525,6 @@ spec:
     spec:
       containers:
       - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --v=0
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-      - args:
-        - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
         - /manager