From fc5f9751cc12633d57c8b46de38a3e641dde72bb Mon Sep 17 00:00:00 2001 
From: Micah Hausler
Date: Wed, 19 May 2021 14:07:08 -0400
Subject: [PATCH] Removed kube-rbac-proxy from cluster-api
---
.../kubeadm/config/default/kustomization.yaml | 4 ----
.../default/manager_auth_proxy_patch.yaml | 21 -------------------
.../kubeadm/config/rbac/auth_proxy_role.yaml | 13 ------------
.../config/rbac/auth_proxy_role_binding.yaml | 12 -----------
.../config/rbac/auth_proxy_service.yaml | 14 -------------
.../kubeadm/config/rbac/kustomization.yaml | 3 ---
cmd/clusterctl/client/init_test.go | 3 ---
cmd/clusterctl/internal/util/objs_test.go | 6 +-----
config/default/kustomization.yaml | 4 ----
config/default/manager_auth_proxy_patch.yaml | 21 -------------------
config/rbac/auth_proxy_role.yaml | 13 ------------
config/rbac/auth_proxy_role_binding.yaml | 12 -----------
config/rbac/auth_proxy_service.yaml | 14 -------------
config/rbac/kustomization.yaml | 3 ---
.../kubeadm/config/default/kustomization.yaml | 4 ----
.../default/manager_auth_proxy_patch.yaml | 21 -------------------
.../kubeadm/config/rbac/auth_proxy_role.yaml | 13 ------------
.../config/rbac/auth_proxy_role_binding.yaml | 12 -----------
.../config/rbac/auth_proxy_service.yaml | 14 -------------
.../kubeadm/config/rbac/kustomization.yaml | 6 ------
.../providers/implementers-guide/configure.md | 9 --------
.../docker/config/default/kustomization.yaml | 4 ----
.../default/manager_auth_proxy_patch.yaml | 21 -------------------
.../docker/config/rbac/auth_proxy_role.yaml | 13 ------------
.../config/rbac/auth_proxy_role_binding.yaml | 12 -----------
.../config/rbac/auth_proxy_service.yaml | 18 ----------------
.../docker/config/rbac/kustomization.yaml | 6 ------
27 files changed, 1 insertion(+), 295 deletions(-)
delete mode 100644 bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml
delete mode 100644 bootstrap/kubeadm/config/rbac/auth_proxy_role.yaml
delete mode 100644 bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml
delete mode 100644 bootstrap/kubeadm/config/rbac/auth_proxy_service.yaml
delete mode 100644 config/default/manager_auth_proxy_patch.yaml
delete mode 100644 config/rbac/auth_proxy_role.yaml
delete mode 100644 config/rbac/auth_proxy_role_binding.yaml
delete mode 100644 config/rbac/auth_proxy_service.yaml
delete mode 100644 controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml
delete mode 100644 controlplane/kubeadm/config/rbac/auth_proxy_role.yaml
delete mode 100644 controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml
delete mode 100644 controlplane/kubeadm/config/rbac/auth_proxy_service.yaml
delete mode 100644 test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml
delete mode 100644 test/infrastructure/docker/config/rbac/auth_proxy_role.yaml
delete mode 100644 test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml
delete mode 100644 test/infrastructure/docker/config/rbac/auth_proxy_service.yaml
diff --git a/bootstrap/kubeadm/config/default/kustomization.yaml b/bootstrap/kubeadm/config/default/kustomization.yaml
index 31fa595c7cba..340ed757c040 100644
--- a/bootstrap/kubeadm/config/default/kustomization.yaml
+++ b/bootstrap/kubeadm/config/default/kustomization.yaml
@@ -20,10 +20,6 @@ patchesStrategicMerge:
# Provide customizable hook for make targets.
- manager_image_patch.yaml
- manager_pull_policy.yaml
- # Protect the /metrics endpoint by putting it behind auth.
- # Only one of manager_auth_proxy_patch.yaml and
- # manager_prometheus_metrics_patch.yaml should be enabled.
- - manager_auth_proxy_patch.yaml
# Enable webhook.
- manager_webhook_patch.yaml
# Inject certificate in the webhook definition.
diff --git a/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml b/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index a7987a993f99..000000000000
--- a/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
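Review bot: Dropping `manager_auth_proxy_patch.yaml` from patchesStrategicMerge removes the only authenticating hop in front of the controller's /metrics endpoint, and nothing in this hunk shows how the manager itself exposes metrics afterwards. The deleted sidecar proxied to `http://127.0.0.1:8080/`, so if the manager's metrics listener is loopback-only the endpoint simply becomes unreachable from the pod network, but if it is (or is later) bound to a non-loopback address it is served without any authn/authz; please confirm the manager deployment's metrics bind flag (cluster-api's manager uses `--metrics-bind-addr`, if I read the layout right) stays loopback-only, or state in the commit description how metrics are meant to be scraped now. The removed comment also referenced `manager_prometheus_metrics_patch.yaml`; if that alternative patch still exists elsewhere, the remaining list should say when to enable it. The same point applies to the kustomization hunks for config/default, controlplane/kubeadm/config/default and test/infrastructure/docker/config/default.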
@@ -1,21 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
-# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=10"
- ports:
- - containerPort: 8443
- name: https
diff --git a/bootstrap/kubeadm/config/rbac/auth_proxy_role.yaml b/bootstrap/kubeadm/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 618f5e4177cb..000000000000
--- a/bootstrap/kubeadm/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: proxy-role
-rules:
-- apiGroups: ["authentication.k8s.io"]
- resources:
- - tokenreviews
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
- resources:
- - subjectaccessreviews
- verbs: ["create"]
diff --git a/bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml b/bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index 136c0b390fc5..000000000000
--- a/bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: manager
- namespace: system
diff --git a/bootstrap/kubeadm/config/rbac/auth_proxy_service.yaml b/bootstrap/kubeadm/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 6cf656be1491..000000000000
--- a/bootstrap/kubeadm/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- name: controller-manager-metrics-service
- namespace: system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
diff --git a/bootstrap/kubeadm/config/rbac/kustomization.yaml b/bootstrap/kubeadm/config/rbac/kustomization.yaml
index 9762908c118c..7f7f4de35744 100644
--- a/bootstrap/kubeadm/config/rbac/kustomization.yaml
+++ b/bootstrap/kubeadm/config/rbac/kustomization.yaml
@@ -4,6 +4,3 @@ resources:
- service_account.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
diff --git a/cmd/clusterctl/client/init_test.go b/cmd/clusterctl/client/init_test.go
index 41ff5c8da242..6cbccb444bab 100644
--- a/cmd/clusterctl/client/init_test.go
+++ b/cmd/clusterctl/client/init_test.go
@@ -80,7 +80,6 @@ func Test_clusterctlClient_InitImages(t *testing.T) {
kubeconfigContext: "mgmt-context",
},
expectedImages: []string{
- "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0",
"k8s.gcr.io/cluster-api-aws/cluster-api-aws-controller:v0.5.3",
},
wantErr: false,
@@ -828,8 +827,6 @@ spec:
template:
spec:
containers:
- - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- name: kube-rbac-proxy
- image: k8s.gcr.io/cluster-api-aws/cluster-api-aws-controller:v0.5.3
name: manager
volumeMounts:
diff --git a/cmd/clusterctl/internal/util/objs_test.go b/cmd/clusterctl/internal/util/objs_test.go
index 2352f446418e..736032b839b7 100644
--- a/cmd/clusterctl/internal/util/objs_test.go
+++ b/cmd/clusterctl/internal/util/objs_test.go
@@ -78,10 +78,6 @@ func Test_inspectImages(t *testing.T) {
"name": controllerContainerName,
"image": "gcr.io/k8s-staging-cluster-api/cluster-api-controller:master",
},
- {
- "name": "kube-rbac-proxy",
- "image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0",
- },
},
},
},
@@ -90,7 +86,7 @@ func Test_inspectImages(t *testing.T) {
},
},
},
- want: []string{"gcr.io/k8s-staging-cluster-api/cluster-api-controller:master", "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0"},
+ want: []string{"gcr.io/k8s-staging-cluster-api/cluster-api-controller:master"},
wantErr: false,
},
{
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index bcefced271a8..18aeca81afe9 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -19,10 +19,6 @@ patchesStrategicMerge:
# Provide customizable hook for make targets.
- manager_image_patch.yaml
- manager_pull_policy.yaml
-# Protect the /metrics endpoint by putting it behind auth.
-# Only one of manager_auth_proxy_patch.yaml and
-# manager_prometheus_metrics_patch.yaml should be enabled.
-- manager_auth_proxy_patch.yaml
# Enable webhook.
- manager_webhook_patch.yaml
# Inject certificate in the webhook definition.
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index 65d23b91ef27..000000000000
--- a/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
-# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=10"
- ports:
- - containerPort: 8443
- name: https
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 618f5e4177cb..000000000000
--- a/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: proxy-role
-rules:
-- apiGroups: ["authentication.k8s.io"]
- resources:
- - tokenreviews
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
- resources:
- - subjectaccessreviews
- verbs: ["create"]
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index 136c0b390fc5..000000000000
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: manager
- namespace: system
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 6cf656be1491..000000000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- name: controller-manager-metrics-service
- namespace: system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index b9936eeb366d..31d288e076a7 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -7,6 +7,3 @@ resources:
- leader_election_role.yaml
- leader_election_role_binding.yaml
- aggregated_role.yaml
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
diff --git a/controlplane/kubeadm/config/default/kustomization.yaml b/controlplane/kubeadm/config/default/kustomization.yaml
index 7faa765c38ef..63451faca036 100644
--- a/controlplane/kubeadm/config/default/kustomization.yaml
+++ b/controlplane/kubeadm/config/default/kustomization.yaml
@@ -19,10 +19,6 @@ patchesStrategicMerge:
# Provide customizable hook for make targets.
- manager_image_patch.yaml
- manager_pull_policy.yaml
- # Protect the /metrics endpoint by putting it behind auth.
- # Only one of manager_auth_proxy_patch.yaml and
- # manager_prometheus_metrics_patch.yaml should be enabled.
- - manager_auth_proxy_patch.yaml
# Enable webhook.
- manager_webhook_patch.yaml
# Inject certificate in the webhook definition.
diff --git a/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml b/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index a7987a993f99..000000000000
--- a/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
-# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=10"
- ports:
- - containerPort: 8443
- name: https
diff --git a/controlplane/kubeadm/config/rbac/auth_proxy_role.yaml b/controlplane/kubeadm/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 618f5e4177cb..000000000000
--- a/controlplane/kubeadm/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: proxy-role
-rules:
-- apiGroups: ["authentication.k8s.io"]
- resources:
- - tokenreviews
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
- resources:
- - subjectaccessreviews
- verbs: ["create"]
diff --git a/controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml b/controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index 136c0b390fc5..000000000000
--- a/controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: manager
- namespace: system
diff --git a/controlplane/kubeadm/config/rbac/auth_proxy_service.yaml b/controlplane/kubeadm/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 6cf656be1491..000000000000
--- a/controlplane/kubeadm/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- name: controller-manager-metrics-service
- namespace: system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
diff --git a/controlplane/kubeadm/config/rbac/kustomization.yaml b/controlplane/kubeadm/config/rbac/kustomization.yaml
index 7b91babe1f87..bb9816adf637 100644
--- a/controlplane/kubeadm/config/rbac/kustomization.yaml
+++ b/controlplane/kubeadm/config/rbac/kustomization.yaml
@@ -4,10 +4,4 @@ resources:
- service_account.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
-# Comment the following 3 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
- aggregated_role.yaml
diff --git a/docs/book/src/developer/providers/implementers-guide/configure.md b/docs/book/src/developer/providers/implementers-guide/configure.md
index e53cf991b229..5b8d03e77510 100644
--- a/docs/book/src/developer/providers/implementers-guide/configure.md
+++ b/docs/book/src/developer/providers/implementers-guide/configure.md
@@ -43,15 +43,6 @@ And then, we have to add that patch to [`config/kustomization.yaml`][kustomizeya
```yaml
patchesStrategicMerge
- manager_image_patch.yaml
-# Protect the /metrics endpoint by putting it behind auth.
-# Only one of manager_auth_proxy_patch.yaml and
-# manager_prometheus_metrics_patch.yaml should be enabled.
-- manager_auth_proxy_patch.yaml
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, uncomment the following line and
-# comment manager_auth_proxy_patch.yaml.
-# Only one of manager_auth_proxy_patch.yaml and
-# manager_prometheus_metrics_patch.yaml should be enabled.
- manager_config.yaml
```
diff --git a/test/infrastructure/docker/config/default/kustomization.yaml b/test/infrastructure/docker/config/default/kustomization.yaml
index 7da0b2c77035..11cae275faf7 100644
--- a/test/infrastructure/docker/config/default/kustomization.yaml
+++ b/test/infrastructure/docker/config/default/kustomization.yaml
@@ -19,10 +19,6 @@ patchesStrategicMerge:
# Provide customizable hook for make targets.
- manager_image_patch.yaml
- manager_pull_policy.yaml
- # Protect the /metrics endpoint by putting it behind auth.
- # Only one of manager_auth_proxy_patch.yaml and
- # manager_prometheus_metrics_patch.yaml should be enabled.
- - manager_auth_proxy_patch.yaml
# Enable webhook.
- manager_webhook_patch.yaml
# Inject certificate in the webhook definition.
diff --git a/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml b/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index a7987a993f99..000000000000
--- a/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
-# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: kube-rbac-proxy
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=10"
- ports:
- - containerPort: 8443
- name: https
diff --git a/test/infrastructure/docker/config/rbac/auth_proxy_role.yaml b/test/infrastructure/docker/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 618f5e4177cb..000000000000
--- a/test/infrastructure/docker/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: proxy-role
-rules:
-- apiGroups: ["authentication.k8s.io"]
- resources:
- - tokenreviews
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
- resources:
- - subjectaccessreviews
- verbs: ["create"]
diff --git a/test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml b/test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index 136c0b390fc5..000000000000
--- a/test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: manager
- namespace: system
diff --git a/test/infrastructure/docker/config/rbac/auth_proxy_service.yaml b/test/infrastructure/docker/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index d61e5469fb5d..000000000000
--- a/test/infrastructure/docker/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- prometheus.io/port: "8443"
- prometheus.io/scheme: https
- prometheus.io/scrape: "true"
- labels:
- control-plane: controller-manager
- name: controller-manager-metrics-service
- namespace: system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
diff --git a/test/infrastructure/docker/config/rbac/kustomization.yaml b/test/infrastructure/docker/config/rbac/kustomization.yaml
index 0497b1d4efb0..e82521ffdcc3 100644
--- a/test/infrastructure/docker/config/rbac/kustomization.yaml
+++ b/test/infrastructure/docker/config/rbac/kustomization.yaml
@@ -6,9 +6,3 @@ resources:
- service_account.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
-# Comment the following 3 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml