MON-3159: Replace Oauth Proxy by Kube-RBAC-Proxy in Monitoring components
Type: Epic
Priority: Critical
Resolution: Done
Label: Technical Debt
Progress: 0% To Do, 0% In Progress, 100% Done
Epic Goal
- Replace the "oauth-proxy" currently in use by monitoring components (Prometheus, Alert Manager, Thanos) with "kube-rbac-proxy" to streamline authentication and authorization.
Why is this important?
- kube-rbac-proxy offers a unified, fine-grained configuration (different authorization rules for different paths) for performing authentication and authorization on behalf of Kubernetes workloads, keeping service endpoints tightly locked down.
- mTLS implementation: unlike oauth-proxy, kube-rbac-proxy can terminate mutual TLS (mTLS), so both the client and the server are validated.
- Potential improvements in performance and resource consumption: a request can be authenticated or authorized locally, avoiding the TokenReview (authentication) or SubjectAccessReview (authorization) round-trip to the Kubernetes API server.
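As an added illustration (not a manifest from cluster-monitoring-operator or the kube-rbac-proxy project), the fragment below shows the three points above in one place: a kube-rbac-proxy sidecar in front of a Prometheus-style upstream, client-certificate (mTLS) authentication via `--client-ca-file`, a static authorization rule that short-circuits the SubjectAccessReview for the scrape path, and per-path RBAC on `nonResourceURLs`. Image references, the Secret/ConfigMap names, the mount paths and the pod/role names are assumptions; the flags and config keys are kube-rbac-proxy's own.

```yaml
# Added illustration, not a manifest from cluster-monitoring-operator:
# a kube-rbac-proxy sidecar guarding a Prometheus-style upstream.
# Image references, Secret/ConfigMap names and mount paths are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: prometheus-example
  namespace: openshift-monitoring
spec:
  serviceAccountName: prometheus-k8s
  containers:
  - name: prometheus
    image: quay.io/prometheus/prometheus            # assumed image
    args:
    # Bind to loopback only, so the proxy is the sole way in.
    - --web.listen-address=127.0.0.1:9090
  - name: kube-rbac-proxy
    image: quay.io/brancz/kube-rbac-proxy           # assumed image
    args:
    - --secure-listen-address=0.0.0.0:9091
    - --upstream=http://127.0.0.1:9090/
    - --tls-cert-file=/etc/tls/private/tls.crt
    - --tls-private-key-file=/etc/tls/private/tls.key
    # mTLS: a client certificate chaining to this CA authenticates the caller
    # locally; no TokenReview round-trip to the API server is needed.
    - --client-ca-file=/etc/tls/client/client-ca.crt
    # Only these paths are proxied at all; anything else is rejected before authz.
    - --allow-paths=/metrics,/api/v1/query,/api/v1/query_range
    - --config-file=/etc/kube-rbac-proxy/config.yaml
    ports:
    - name: https
      containerPort: 9091
    volumeMounts:
    - name: tls
      mountPath: /etc/tls/private
    - name: client-ca
      mountPath: /etc/tls/client
    - name: proxy-config
      mountPath: /etc/kube-rbac-proxy
  volumes:
  - name: tls
    secret:
      secretName: prometheus-example-tls            # assumed name
  - name: client-ca
    configMap:
      name: metrics-client-ca                        # assumed name
  - name: proxy-config
    configMap:
      name: kube-rbac-proxy-config                   # defined below
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-rbac-proxy-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    authorization:
      # Static rules are evaluated inside the proxy. A match short-circuits
      # the SubjectAccessReview, so the scrape path costs no API-server call.
      static:
      - user:
          name: system:serviceaccount:openshift-monitoring:prometheus-k8s
        verb: get
        path: /metrics
        resourceRequest: false
    # With no resourceAttributes block, every other request is authorized as a
    # non-resource request (SubjectAccessReview with nonResourceAttributes
    # path=<request path>, verb=get for HTTP GET). That is what makes
    # per-path policy possible: RBAC rules on nonResourceURLs.
---
# Per-path policy: query clients may read the API, but only scrapers may hit /metrics.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-example-query-reader
rules:
- nonResourceURLs: ["/api/v1/query", "/api/v1/query_range"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-example-metrics-scraper
rules:
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
```

Bind each ClusterRole to the identity that should hold it (a ClusterRoleBinding for a ServiceAccount, or for the user name carried in a client certificate); a caller whose identity matches neither role is denied by the SubjectAccessReview even though the path is in `--allow-paths`.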
Scenarios
- Prometheus endpoints are secured using kube-rbac-proxy without any loss of data or functionality.
- Alert Manager endpoints are secured using kube-rbac-proxy without any loss of data or functionality.
- Thanos endpoints are secured using kube-rbac-proxy without any loss of data or functionality.
Acceptance Criteria
- All monitoring components interact successfully with kube-rbac-proxy.
- CI - MUST be running successfully with tests automated.
- No regressions in monitoring functionality post-migration.
- Documentation is updated to reflect the changes in authentication and authorization mechanisms.
Dependencies (internal and external)
Previous Work (Optional):
https://github.com/rhobs/handbook/pull/59/files
https://github.com/openshift/cluster-monitoring-operator/pull/1631
https://github.com/openshift/origin/pull/27031
https://github.com/openshift/cluster-monitoring-operator/pull/1580
https://github.com/openshift/cluster-monitoring-operator/pull/1552
Related Tickets:
Require read-only access to Alertmanager in developer view.
https://issues.redhat.com/browse/RFE-4125
Common user should not see alerts in UWM.
https://issues.redhat.com/browse/OCPBUGS-17850
Related ServiceAccounts.
Interconnection diagram in monitoring stack.
https://docs.google.com/drawings/d/16TOFOZZLuawXMQkWl3T9uV2cDT6btqcaAwtp51dtS9A/edit?usp=sharing
Open questions:
None.
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
Issue links
- is documented by: OBSDOCS-710 Docs for OCPSTRAT-947 Monitoring stack needs to function with external OIDC only (Closed)
- is related to: MON-3346 Document Kube RBAC Proxy usage (Closed); OCPSTRAT-947 Monitoring stack needs to function with external OIDC only (Closed)
- relates to: OCPBUGS-17850 common user can view UWM alertmanager alerts (Closed)