diff --git a/config/base/rbac/kustomization.yaml b/config/base/rbac/kustomization.yaml
index 166fe79868..161e0f8630 100644
--- a/config/base/rbac/kustomization.yaml
+++ b/config/base/rbac/kustomization.yaml
@@ -9,3 +9,13 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml
+- metrics_service.yaml
diff --git a/config/base/rbac/metrics_auth_role.yaml b/config/base/rbac/metrics_auth_role.yaml
new file mode 100644
index 0000000000..32d2e4ec6b
--- /dev/null
+++ b/config/base/rbac/metrics_auth_role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-auth-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/config/base/rbac/metrics_auth_role_binding.yaml b/config/base/rbac/metrics_auth_role_binding.yaml
new file mode 100644
index 0000000000..e775d67ff0
--- /dev/null
+++ b/config/base/rbac/metrics_auth_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-auth-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: metrics-auth-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/base/rbac/metrics_reader_role.yaml b/config/base/rbac/metrics_reader_role.yaml
new file mode 100644
index 0000000000..51a75db47a
--- /dev/null
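Review bot: The added comment block tells the reader to "comment the following permissions" to disable metrics protection, but the four entries beneath it include `metrics_service.yaml`, which is the metrics Service rather than a permission, so following the instruction literally also removes the Service. Commenting only the two auth entries presumably leaves the manager still performing TokenReview/SubjectAccessReview calls it is no longer permitted to make, so disabling protection also requires changing the manager's metrics-serving configuration, which this diff does not touch. Suggest listing the Service separately with its own comment, e.g. `# The metrics Service is needed whether or not authn/authz protection is enabled.` above `- metrics_service.yaml`, and adding a sentence to the existing comment that the manager configuration must be changed in step.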
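Review bot: The new `metrics-auth-role` ClusterRole grants cluster-wide `create` on `tokenreviews` and `subjectaccessreviews` with no comment in the file itself, so a reader of this file alone cannot tell that these are the delegated authn/authz checks made on behalf of the metrics endpoint; the only explanation lives in kustomization.yaml. Since both resources are cluster-scoped and the role is bound to the controller-manager ServiceAccount in the next file, the intent is worth recording where the grant is. Suggest a header comment such as `# Lets the controller-manager delegate authentication (TokenReview) and authorization (SubjectAccessReview) of metrics requests to the API server; create on these two review resources is all that delegation needs.`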
+++ b/config/base/rbac/metrics_reader_role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/config/base/rbac/metrics_service.yaml b/config/base/rbac/metrics_service.yaml
new file mode 100644
index 0000000000..6cf656be14
--- /dev/null
+++ b/config/base/rbac/metrics_service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: controller-manager-metrics-service
+ namespace: system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: controller-manager
diff --git a/config/overlays/e2e/kustomization.yaml b/config/overlays/e2e/kustomization.yaml
index 99c0f10336..1711876448 100644
--- a/config/overlays/e2e/kustomization.yaml
+++ b/config/overlays/e2e/kustomization.yaml
@@ -31,7 +31,7 @@ generatorOptions:
 # NOTE: These credentials are generated automatically in hack/ci-e2e.sh
 secretGenerator:
- - name: ironic-credentials
- files:
- - username=ironic-username
- - password=ironic-password
+- name: ironic-credentials
+ files:
+ - username=ironic-username
+ - password=ironic-password
diff --git a/config/render/capm3.yaml b/config/render/capm3.yaml
index 4b093958a0..683a850280 100644
--- a/config/render/capm3.yaml
+++ b/config/render/capm3.yaml
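Review bot: The `metrics-reader` ClusterRole (`get` on `/metrics`) is added without any binding: neither the base kustomization nor the rendered capm3.yaml hunks shown here bind it, so as committed it grants nothing until a cluster admin binds it to the ServiceAccount that scrapes the endpoint. That looks intentional for a scaffolded role, but the file should say so rather than leave the reader to search for a binding. Suggest a header comment such as `# Not bound by default: bind this ClusterRole to the ServiceAccount of your metrics scraper to allow it to read the protected /metrics endpoint.`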
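Review bot: `targetPort: https` in the new Service is a named port, so it only resolves if the controller-manager container declares a `containerPort` named `https`; the manager Deployment is not touched by this diff, so that name cannot be confirmed from here. If it is missing, the Service is created but its endpoints have no resolvable target, and a scraper fails at the connection level rather than with an authorization error, which is easy to misread as a TLS or RBAC problem. The selector `control-plane: controller-manager` likewise has to match the manager pod labels. A comment above `ports:` such as `# targetPort must match the name of the metrics containerPort on the manager Deployment` would record the dependency.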
@@ -2435,6 +2435,34 @@ rules:
 - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: baremetal-operator-metrics-auth-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: baremetal-operator-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: baremetal-operator-leader-election-rolebinding
@@ -2461,6 +2489,19 @@ subjects:
 name: baremetal-operator-controller-manager
 namespace: baremetal-operator-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: baremetal-operator-metrics-auth-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: baremetal-operator-metrics-auth-role
+subjects:
+- kind: ServiceAccount
+ name: baremetal-operator-controller-manager
+ namespace: baremetal-operator-system
+---
 apiVersion: v1
 data:
 CACHEURL: http://172.22.0.1/images
@@ -2477,6 +2518,21 @@ metadata:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: baremetal-operator-controller-manager-metrics-service
+ namespace: baremetal-operator-system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+---
+apiVersion: v1
+kind: Service
 metadata:
 name: baremetal-operator-webhook-service
 namespace: baremetal-operator-system