To save on API resources, the downstream version of kube-rbac-proxy includes a patch which allows all requests to the /metrics endpoint when authenticated by the prometheus-k8s service account. The goal here is to avoid sending subject access reviews to the Kubernetes API.
Instead of maintaining a downstream patch, the upstream version should support static authorization mapping and all components using kube-rbac-proxy for metrics authn/authz should be configured to authorize the prometheus-k8s service account.
- is related to
MON-1679 use static authorizer feature of kube-rbac-proxy
- links to