Uploaded image for project: 'OpenShift Monitoring'
  1. OpenShift Monitoring
  2. MON-3378

Replace Oauth Proxy by Kube-RBAC-Proxy in Monitoring components

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • None
    • Alertmanager, Prometheus, Thanos
    • None
    • Replace Oauth Proxy by Kube-RBAC-Proxy in Monitoring components
    • False
    • None
    • False
    • Not Selected
    • NEW
    • To Do
    • MON-3159Technical Debt
    • NEW
    • 0% To Do, 0% In Progress, 100% Done
    • N/A

      Epic Goal

      • Replace the "oauth-proxy" currently in use by monitoring components (Prometheus, Alert Manager, Thanos) with "kube-rbac-proxy" to streamline authentication and authorization.

      Why is this important?

      • kube-rbac-proxy offers a unified and fine-grain (different authorizaiton for different path) configurations of performing authentication and authorization on behalf of Kubernetes workloads, ensuring tight security measures around service endpoints. 
      • mTLS Implementation: Unlike oauth-proxy, kube-rbac-proxy is capable of implementing mutual TLS (mTLS), providing enhanced security through both client and server-side validation. 
      • Potential improvements in performance and resource consumption by skipping authentication request (TokenReview) or athorization request (SubjectAccessReview) in kubernetes.

      Scenarios

      1. Prometheus endpoints are secured using kube-rbac-proxy without any loss of data or functionality.
      2. Alert Manager endpoints are secured using kube-rbac-proxy without any loss of data or functionality.
      3. Thanos endpoints are secured using kube-rbac-proxy without any loss of data or functionality.

       

      Acceptance Criteria

      • All monitoring components interact successfully with kube-rbac-proxy{}.
      • CI - MUST be running successfully with tests automated.
      • No regressions in monitoring functionality post-migration.
      • Documentation is updated to reflect the changes in authentication and authorization mechanisms.

      Dependencies (internal and external)

       

      Previous Work (Optional):

      https://github.com/rhobs/handbook/pull/59/files

      https://github.com/openshift/cluster-monitoring-operator/pull/1631

      https://github.com/openshift/origin/pull/27031

      https://github.com/openshift/cluster-monitoring-operator/pull/1580

      https://github.com/openshift/cluster-monitoring-operator/pull/1552

       

      Related Tickets:

      Require read-only access to Alertmanager in developer view. 

      https://issues.redhat.com/browse/RFE-4125

      Common user should not see alerts in UWM. 

      https://issues.redhat.com/browse/OCPBUGS-17850

      Related ServiceAccounts.

      https://docs.google.com/spreadsheets/d/1CIgF9dN4ynu-E7FLq0uBcoZPqOxwas20/edit?usp=sharing&ouid=108370831581113620824&rtpof=true&sd=true

      Interconnection diagram in monitoring stack.

      https://docs.google.com/drawings/d/16TOFOZZLuawXMQkWl3T9uV2cDT6btqcaAwtp51dtS9A/edit?usp=sharing

       

      Open questions:

      None.

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            spasquie@redhat.com Simon Pasquier
            hasun@redhat.com Haoyu Sun
            Tai Gao Tai Gao
            Brian Burt Brian Burt
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: