🚨 [Action Required] gcri.io/kubebuilder/kube-rbac-proxy Deprecation Notice

[Allda]

Hi Everyone,

This announcement is to inform you about an upcoming change to the upstream image gcr.io/kubebuilder/kube-rbac-proxy. (More information)

This upstream image is deprecated and will no longer be available for use. If your project is using this image, it may fail to install when the image can no longer be pulled. To avoid user disruption, you will need to provide a newer version of your operator that does not rely on this image.

Background

The kube-rbac-proxy project and its associated container image have been historically used to secure the exported metrics endpoints. Upstream projects like Kubebuilder and Operator-SDK have moved on from kube-rbac-proxy, adopting the WithAuthenticationAndAuthorization feature from controller-runtime. This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for kube-rbac-proxy.

Using gcr.io/kubebuilder/kube-rbac-proxy in your CSV? This is what to do:

You must replace the deprecated gcr.io/kubebuilder/kube-rbac-proxy image with an alternative approach. For example:

Option 1 - You can use an image from another trusted source (e.g., Red Hat Registry, if permitted by terms and conditions)

In this case, you will update your bundle (CSV) to replace gcr.io/kubebuilder/kube-rbac-proxy with an option in the Red Hat Catalog. We can’t specify a single image that will work perfectly for all scenarios, but we suggest exploring the openshift4/ose-kube-rbac-proxy-rhel9 image to see if a suitable version is available for your requirements. Changing over to this image may be possible following this example:

spec:
  containers:
  - name: kube-rbac-proxy
-   image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+   image: openshift4/ose-kube-rbac-proxy-rhel9:v4.16.0

Option 2 - Update your project to use WithAuthenticationAndAuthorization

You can fully upgrade your project to use the latest scaffolding provided by the upstream versions of Operator-SDK or Kubebuilder tools or manually make the necessary changes. Refer to theFAQ and Discussion or migration guide for detailed instructions on how to manually update your project and test the changes.

💡 The section How can I manually change my project to switch to Controller-Runtime's built-in auth protection? at FAQ provide guidance how to manually update your projects and test it out.

For all scenarios, you must provide a new version of your Operator that does not rely on this image to avoid user disruption. Any previously offered versions that use this image will be impacted and your users should be informed to adopt your newer release.