diff --git a/bootstrap/kubeadm/config/default/kustomization.yaml b/bootstrap/kubeadm/config/default/kustomization.yaml index 31fa595c7cba..340ed757c040 100644 --- a/bootstrap/kubeadm/config/default/kustomization.yaml +++ b/bootstrap/kubeadm/config/default/kustomization.yaml @@ -20,10 +20,6 @@ patchesStrategicMerge: # Provide customizable hook for make targets. - manager_image_patch.yaml - manager_pull_policy.yaml - # Protect the /metrics endpoint by putting it behind auth. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. - - manager_auth_proxy_patch.yaml # Enable webhook. - manager_webhook_patch.yaml # Inject certificate in the webhook definition. diff --git a/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml b/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index a7987a993f99..000000000000 --- a/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the controller manager, -# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https diff --git a/bootstrap/kubeadm/config/manager/manager.yaml b/bootstrap/kubeadm/config/manager/manager.yaml index e5313ed4d2d2..7f3e1296f260 100644 --- a/bootstrap/kubeadm/config/manager/manager.yaml +++ b/bootstrap/kubeadm/config/manager/manager.yaml 
@@ -20,7 +20,7 @@ spec: - /manager args: - "--leader-elect" - - "--metrics-bind-addr=127.0.0.1:8080" + - "--metrics-bind-addr=:8080" - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}" image: controller:latest name: manager @@ -28,6 +28,9 @@ spec: - containerPort: 9440 name: healthz protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz diff --git a/bootstrap/kubeadm/config/rbac/auth_proxy_role.yaml b/bootstrap/kubeadm/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 618f5e4177cb..000000000000 --- a/bootstrap/kubeadm/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] diff --git a/bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml b/bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 136c0b390fc5..000000000000 --- a/bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: manager - namespace: system diff --git a/bootstrap/kubeadm/config/rbac/auth_proxy_service.yaml b/bootstrap/kubeadm/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 6cf656be1491..000000000000 --- a/bootstrap/kubeadm/config/rbac/auth_proxy_service.yaml +++ /dev/null 
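Review bot: With `--metrics-bind-addr=:8080` in the args hunk of bootstrap/kubeadm/config/manager/manager.yaml, /metrics is served over plain HTTP on every pod interface. The same commit deletes the kube-rbac-proxy sidecar that the removed kustomization comment described as putting the endpoint behind auth, so nothing visible in the diff authenticates or authorizes scrapes any more. The same change is made in config/manager/manager.yaml, controlplane/kubeadm/config/manager/manager.yaml and test/infrastructure/docker/config/manager/manager.yaml. I would either keep the loopback bind as the shipped default and make the open bind an opt-in patch, or ship a NetworkPolicy that admits ingress to port 8080 only from the monitoring namespace. At minimum, add a comment above the flag such as `# /metrics is unauthenticated plain HTTP on all pod interfaces; restrict port 8080 with a NetworkPolicy.` The args list continues outside the hunk.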
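Review bot: The new `metrics` containerPort in the ports hunk is not referenced by any Service in the visible diff. The commit removes `controller-manager-metrics-service` (and, for the docker provider, its `prometheus.io/*` annotations) without adding a replacement. Scrapers presumably now have to discover the pod directly, which also means access control has to be applied at the pod or network level. A comment on the port would make that explicit, for example `# scraped directly from the pod; no Service fronts this port, so limit access with a NetworkPolicy`. The ports list continues outside the hunk, and the same addition appears in the other three manager.yaml files.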
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager diff --git a/bootstrap/kubeadm/config/rbac/kustomization.yaml b/bootstrap/kubeadm/config/rbac/kustomization.yaml index 9762908c118c..7f7f4de35744 100644 --- a/bootstrap/kubeadm/config/rbac/kustomization.yaml +++ b/bootstrap/kubeadm/config/rbac/kustomization.yaml @@ -4,6 +4,3 @@ resources: - service_account.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml diff --git a/cmd/clusterctl/client/init_test.go b/cmd/clusterctl/client/init_test.go index 41ff5c8da242..6cbccb444bab 100644 --- a/cmd/clusterctl/client/init_test.go +++ b/cmd/clusterctl/client/init_test.go @@ -80,7 +80,6 @@ func Test_clusterctlClient_InitImages(t *testing.T) { kubeconfigContext: "mgmt-context", }, expectedImages: []string{ - "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0", "k8s.gcr.io/cluster-api-aws/cluster-api-aws-controller:v0.5.3", }, wantErr: false, @@ -828,8 +827,6 @@ spec: template: spec: containers: - - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - image: k8s.gcr.io/cluster-api-aws/cluster-api-aws-controller:v0.5.3 name: manager volumeMounts: diff --git a/cmd/clusterctl/internal/util/objs_test.go b/cmd/clusterctl/internal/util/objs_test.go index 2352f446418e..736032b839b7 100644 --- a/cmd/clusterctl/internal/util/objs_test.go +++ b/cmd/clusterctl/internal/util/objs_test.go @@ -78,10 +78,6 @@ func Test_inspectImages(t *testing.T) { "name": controllerContainerName, "image": "gcr.io/k8s-staging-cluster-api/cluster-api-controller:master", }, - { - "name": "kube-rbac-proxy", - "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0", - }, }, }, }, 
@@ -90,7 +86,7 @@ func Test_inspectImages(t *testing.T) { }, }, }, - want: []string{"gcr.io/k8s-staging-cluster-api/cluster-api-controller:master", "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0"}, + want: []string{"gcr.io/k8s-staging-cluster-api/cluster-api-controller:master"}, wantErr: false, }, { diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index bcefced271a8..18aeca81afe9 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -19,10 +19,6 @@ patchesStrategicMerge: # Provide customizable hook for make targets. - manager_image_patch.yaml - manager_pull_policy.yaml -# Protect the /metrics endpoint by putting it behind auth. -# Only one of manager_auth_proxy_patch.yaml and -# manager_prometheus_metrics_patch.yaml should be enabled. -- manager_auth_proxy_patch.yaml # Enable webhook. - manager_webhook_patch.yaml # Inject certificate in the webhook definition. diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 65d23b91ef27..000000000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the controller manager, -# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 225c88a7e848..08c9d070d997 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -21,7 +21,7 @@ spec: - /manager args: - "--leader-elect" - - "--metrics-bind-addr=127.0.0.1:8080" + - "--metrics-bind-addr=:8080" - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false}" image: controller:latest name: manager @@ -29,6 +29,9 @@ spec: - containerPort: 9440 name: healthz protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 618f5e4177cb..000000000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 136c0b390fc5..000000000000 --- a/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: manager - namespace: system diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 6cf656be1491..000000000000 --- a/config/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager 
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index b9936eeb366d..31d288e076a7 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -7,6 +7,3 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml - aggregated_role.yaml -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml diff --git a/controlplane/kubeadm/config/default/kustomization.yaml b/controlplane/kubeadm/config/default/kustomization.yaml index 7faa765c38ef..63451faca036 100644 --- a/controlplane/kubeadm/config/default/kustomization.yaml +++ b/controlplane/kubeadm/config/default/kustomization.yaml @@ -19,10 +19,6 @@ patchesStrategicMerge: # Provide customizable hook for make targets. - manager_image_patch.yaml - manager_pull_policy.yaml - # Protect the /metrics endpoint by putting it behind auth. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. - - manager_auth_proxy_patch.yaml # Enable webhook. - manager_webhook_patch.yaml # Inject certificate in the webhook definition. diff --git a/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml b/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index a7987a993f99..000000000000 --- a/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the controller manager, -# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https 
diff --git a/controlplane/kubeadm/config/manager/manager.yaml b/controlplane/kubeadm/config/manager/manager.yaml index 42276200fa9f..9ba0f5e1a2fe 100644 --- a/controlplane/kubeadm/config/manager/manager.yaml +++ b/controlplane/kubeadm/config/manager/manager.yaml @@ -20,13 +20,16 @@ spec: - /manager args: - "--leader-elect" - - "--metrics-bind-addr=127.0.0.1:8080" + - "--metrics-bind-addr=:8080" image: controller:latest name: manager ports: - containerPort: 9440 name: healthz protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz diff --git a/controlplane/kubeadm/config/rbac/auth_proxy_role.yaml b/controlplane/kubeadm/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 618f5e4177cb..000000000000 --- a/controlplane/kubeadm/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] diff --git a/controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml b/controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 136c0b390fc5..000000000000 --- a/controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: manager - namespace: system diff --git a/controlplane/kubeadm/config/rbac/auth_proxy_service.yaml b/controlplane/kubeadm/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 6cf656be1491..000000000000 --- a/controlplane/kubeadm/config/rbac/auth_proxy_service.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager diff --git a/controlplane/kubeadm/config/rbac/kustomization.yaml b/controlplane/kubeadm/config/rbac/kustomization.yaml index 7b91babe1f87..bb9816adf637 100644 --- a/controlplane/kubeadm/config/rbac/kustomization.yaml +++ b/controlplane/kubeadm/config/rbac/kustomization.yaml @@ -4,10 +4,4 @@ resources: - service_account.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 3 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml - aggregated_role.yaml diff --git a/docs/book/src/developer/providers/implementers-guide/configure.md b/docs/book/src/developer/providers/implementers-guide/configure.md index e53cf991b229..5b8d03e77510 100644 --- a/docs/book/src/developer/providers/implementers-guide/configure.md +++ b/docs/book/src/developer/providers/implementers-guide/configure.md @@ -43,15 +43,6 @@ And then, we have to add that patch to [`config/kustomization.yaml`][kustomizeya ```yaml patchesStrategicMerge - manager_image_patch.yaml -# Protect the /metrics endpoint by putting it behind auth. -# Only one of manager_auth_proxy_patch.yaml and -# manager_prometheus_metrics_patch.yaml should be enabled. -- manager_auth_proxy_patch.yaml -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, uncomment the following line and -# comment manager_auth_proxy_patch.yaml. -# Only one of manager_auth_proxy_patch.yaml and -# manager_prometheus_metrics_patch.yaml should be enabled. - manager_config.yaml ``` 
diff --git a/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md b/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md index 5d88fc2be372..0a9edc001b22 100644 --- a/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md +++ b/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md @@ -14,10 +14,6 @@ - The KIND version used for this release is v0.9.x -## Upgrade kube-rbac-proxy to v0.8.0 - -- Find and replace the `kube-rbac-proxy` version (usually the image is `gcr.io/kubebuilder/kube-rbac-proxy`) and update it to `v0.8.0`. - ## Klog version - The klog package used has been upgraded to v2.5.x. It is recommended that @@ -41,6 +37,28 @@ - Rename `--metrics-addr` to `--metrics-bind-addr` - Rename `--leader-election` to `--leader-elect` +## kube-rbac-proxy has been removed + +- Find and remove the `kube-rbac-proxy` sidecar +- Modify the `--metrics-bind-addr` value + +```diff + - args: + - "--leader-elect" +- - "--metrics-bind-addr=127.0.0.1:8080" ++ - "--metrics-bind-addr=:8080" +``` + +```diff + ports: + - containerPort: 9440 + name: healthz + protocol: TCP ++ - containerPort: 8080 ++ name: metrics ++ protocol: TCP +``` + ## util.ManagerDelegatingClientFunc has been removed This function was originally used to generate a delegating client when creating a new manager. @@ -115,12 +133,9 @@ Provider's `/config` folder has the same structure of `/config` folder in CAPI ``` - "--metrics-bind-addr=127.0.0.1:8080" ``` - - Verify that fetaure flags required by your container are properly set + - Verify that feature flags required by your container are properly set (as it was in `/config/webhook/manager_webhook_patch.yaml`). -1. Edit the `/config/manager/manager_auth_proxy_patch.yaml` file: - - Remove the patch for the container with name `manager` 1. Move the following files to the `/config/default` folder - - `/config/manager/manager_auth_proxy_patch.yaml` - `/config/manager/manager_image_patch.yaml` - `/config/manager/manager_pull_policy.yaml` 
@@ -142,7 +157,6 @@ Provider's `/config` folder has the same structure of `/config` folder in CAPI ``` - Add the `patchesStrategicMerge:` list, with the following items: ``` - - manager_auth_proxy_patch.yaml - manager_image_patch.yaml - manager_pull_policy.yaml - manager_webhook_patch.yaml diff --git a/test/e2e/config/docker.yaml b/test/e2e/config/docker.yaml index 7c3c9f65cf9d..553c5ba789c3 100644 --- a/test/e2e/config/docker.yaml +++ b/test/e2e/config/docker.yaml @@ -37,9 +37,6 @@ providers: new: --metrics-addr=:8080 - name: v0.4.99 # next; use manifest from source files value: ../../../config/default - replacements: - - old: --metrics-bind-addr=127.0.0.1:8080 - new: --metrics-bind-addr=:8080 files: - sourcePath: "../data/shared/v1alpha4/metadata.yaml" @@ -54,9 +51,6 @@ providers: new: --metrics-addr=:8080 - name: v0.4.99 # next; use manifest from source files value: ../../../bootstrap/kubeadm/config/default - replacements: - - old: --metrics-bind-addr=127.0.0.1:8080 - new: --metrics-bind-addr=:8080 files: - sourcePath: "../data/shared/v1alpha4/metadata.yaml" @@ -71,9 +65,6 @@ providers: new: --metrics-addr=:8080 - name: v0.4.99 # next; use manifest from source files value: ../../../controlplane/kubeadm/config/default - replacements: - - old: --metrics-bind-addr=127.0.0.1:8080 - new: --metrics-bind-addr=:8080 files: - sourcePath: "../data/shared/v1alpha4/metadata.yaml" diff --git a/test/framework/deployment_helpers.go b/test/framework/deployment_helpers.go index 88361a395ade..ad03b903be21 100644 --- a/test/framework/deployment_helpers.go +++ b/test/framework/deployment_helpers.go 
@@ -160,9 +160,6 @@ type WatchPodMetricsInput struct { } // WatchPodMetrics captures metrics from all pods every 5s. It expects to find port 8080 open on the controller. -// Use replacements in an e2econfig to enable metrics scraping without kube-rbac-proxy, e.g: -// - new: --metrics-bind-addr=:8080 -// old: --metrics-addr=127.0.0.1:8080 func WatchPodMetrics(ctx context.Context, input WatchPodMetricsInput) { // Dump machine metrics every 5 seconds ticker := time.NewTicker(time.Second * 5) @@ -194,9 +191,6 @@ func WatchPodMetrics(ctx context.Context, input WatchPodMetricsInput) { } // dumpPodMetrics captures metrics from all pods. It expects to find port 8080 open on the controller. -// Use replacements in an e2econfig to enable metrics scraping without kube-rbac-proxy, e.g: -// - new: --metrics-addr=:8080 -// old: --metrics-addr=127.0.0.1:8080 func dumpPodMetrics(ctx context.Context, client *kubernetes.Clientset, metricsPath string, deploymentName string, pods *corev1.PodList) { for _, pod := range pods.Items { metricsDir := path.Join(metricsPath, deploymentName, pod.Name) diff --git a/test/infrastructure/docker/config/default/kustomization.yaml b/test/infrastructure/docker/config/default/kustomization.yaml index 7da0b2c77035..11cae275faf7 100644 --- a/test/infrastructure/docker/config/default/kustomization.yaml +++ b/test/infrastructure/docker/config/default/kustomization.yaml @@ -19,10 +19,6 @@ patchesStrategicMerge: # Provide customizable hook for make targets. - manager_image_patch.yaml - manager_pull_policy.yaml - # Protect the /metrics endpoint by putting it behind auth. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. - - manager_auth_proxy_patch.yaml # Enable webhook. - manager_webhook_patch.yaml # Inject certificate in the webhook definition. 
diff --git a/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml b/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index a7987a993f99..000000000000 --- a/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the controller manager, -# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https diff --git a/test/infrastructure/docker/config/manager/manager.yaml b/test/infrastructure/docker/config/manager/manager.yaml index 2f77d2e4d204..35a300f4888f 100644 --- a/test/infrastructure/docker/config/manager/manager.yaml +++ b/test/infrastructure/docker/config/manager/manager.yaml @@ -18,7 +18,7 @@ spec: containers: - args: - "--leader-elect" - - "--metrics-bind-addr=127.0.0.1:8080" + - "--metrics-bind-addr=:8080" - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}" image: controller:latest name: manager @@ -26,6 +26,9 @@ spec: - containerPort: 9440 name: healthz protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz diff --git a/test/infrastructure/docker/config/rbac/auth_proxy_role.yaml b/test/infrastructure/docker/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 618f5e4177cb..000000000000 --- a/test/infrastructure/docker/config/rbac/auth_proxy_role.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] diff --git a/test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml b/test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 136c0b390fc5..000000000000 --- a/test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: manager - namespace: system diff --git a/test/infrastructure/docker/config/rbac/auth_proxy_service.yaml b/test/infrastructure/docker/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index d61e5469fb5d..000000000000 --- a/test/infrastructure/docker/config/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - annotations: - prometheus.io/port: "8443" - prometheus.io/scheme: https - prometheus.io/scrape: "true" - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager diff --git a/test/infrastructure/docker/config/rbac/kustomization.yaml b/test/infrastructure/docker/config/rbac/kustomization.yaml index 0497b1d4efb0..e82521ffdcc3 100644 --- a/test/infrastructure/docker/config/rbac/kustomization.yaml +++ b/test/infrastructure/docker/config/rbac/kustomization.yaml 
@@ -6,9 +6,3 @@ resources: - service_account.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 3 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml