Story
Resolution: Done
Minor
Multi-Arch Sprint 259
https://book.kubebuilder.io/reference/metrics.html
Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025.
Projects initialized with Kubebuilder versions v3.14 or lower utilize kube-rbac-proxy to protect the metrics endpoint. Therefore, you might want to either continue using kube-rbac-proxy by simply replacing the image, or change how the metrics endpoint is protected in your project.
However, projects initialized with Kubebuilder versions v4.1.0 or higher have a similar protection using authn/authz enabled by default via Controller-Runtime’s feature WithAuthenticationAndAuthorization. In this case, you might want to upgrade your project or simply ensure that you have applied the same code changes to it.
Please ensure that you update your configurations accordingly to avoid any disruptions.
❓ Why is this happening?
Kubebuilder has been rebuilding and re-tagging these images for several years. However, due to recent infrastructure changes for projects under the Kubernetes umbrella, we now require the use of shared infrastructure. kube-rbac-proxy is in the process of becoming part of it but is not there yet, so sadly we cannot build and promote these images using the new k8s infrastructure. To follow the ongoing process and the changes required for the project to be accepted, see: https://github.com/brancz/kube-rbac-proxy/issues/238
Moreover, Google Cloud Platform has deprecated the Container Registry, which has been used to promote these images.
Additionally, ongoing changes and the phase-out of the previous GCP infrastructure mean that Kubebuilder maintainers are no longer able to support, build, or ensure the promotion of these images. For further information, please check the proposal for this change and its motivations here.
How can the metrics endpoint be protected?
(Protection enabled by default from release v4.1.0) By using Controller-Runtime’s feature WithAuthenticationAndAuthorization, which can handle authn/authz similar to what was provided via kube-rbac-proxy.
By using NetworkPolicies. (example)
By integrating cert-manager with your metrics service, you can secure the endpoint via TLS encryption.
(Not supported or promoted by Kubebuilder) By still using kube-rbac-proxy and the image provided by the project (quay.io/brancz/kube-rbac-proxy) or from any other source.
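
An added example (not Kubebuilder's own code) for locating manifests that still reference images under gcr.io/kubebuilder/: it line-scans rendered YAML and reports each uncommented reference with its resource kind and line number. ScanManifest, Finding and the sample manifest are names and data constructed for this example, and the image tags are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// imageRe matches an uncommented image: value under the path being retired.
var imageRe = regexp.MustCompile(`^\s*(?:-\s+)?image:\s*["']?(gcr\.io/kubebuilder/[^\s"'#]+)`)
// kindRe matches a top-level kind: line, or "---" (capture is then empty).
var kindRe = regexp.MustCompile(`^(?:kind:\s*(\S+)|---)`)

type Finding struct {
	Kind, Image string // kind of the enclosing YAML document; image as written
	Line        int    // 1-based line number in the stream
}

// ScanManifest is a line scan, not a YAML parser; assumes kind: precedes containers.
func ScanManifest(manifest string) (out []Finding) {
	kind := ""
	for i, line := range strings.Split(manifest, "\n") {
		if m := kindRe.FindStringSubmatch(line); m != nil {
			kind = m[1]
		}
		if m := imageRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Kind: kind, Image: m[1], Line: i + 1})
		}
	}
	return out
}

// Constructed sample input; names and tags are placeholders.
const sampleManifest = `kind: Deployment
spec:
  containers:
  - name: kube-rbac-proxy
    image: gcr.io/kubebuilder/kube-rbac-proxy:v0.0.0-example
  - image: controller:latest
  # image: gcr.io/kubebuilder/commented-out:v0.0.0-example
---
kind: Pod
spec:
  containers:
  - image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.0.0-example" # quoted
`

func main() {
	fmt.Printf("%+v\n", ScanManifest(sampleManifest))
}
```

Run it over fully rendered manifests rather than patches alone, so that image overrides applied at build time are included in the scan.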