-
Feature
-
Resolution: Done
-
Major
-
None
-
None
-
None
-
None
-
BU Product Work
-
False
-
-
False
-
0% To Do, 0% In Progress, 100% Done
-
0
Outcome Overview
A deprecated upstream image (gcr.io/kubebuilder/kube-rbac-proxy), historically used in scaffolding tools for building Operators (e.g., Operator-SDK), will be unavailable at any moment in early 2025. While the tools no longer use this image, many solutions maintained by RedHatters, and distributions under the OCP catalog still rely on it and will be impacted. Deployments/Operators that rely on it may not work when the image becomes unavailable. More Info: https://github.com/kubernetes-sigs/kubebuilder/discussions/3907
Upstream projects like Kubebuilder and Operator-SDK have moved on from kube-rbac-proxy, adopting the WithAuthenticationAndAuthorization feature from controller-runtime. This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for (https://github.com/brancz/kube-rbac-proxy) to secure metrics endpoints.
Key considerations:
- With the deprecation of the Operator SDK, which promoted best practices and supported authors as a path to move forward, it wasn’t updated promptly. No communication or updates were provided to SDK users until 19th November 2024. While the upstream community has shared this info externally via other venues, it is unlikely that partners, red hatters and SDK users were all exposed to this info before this date and proactively changed their solutions.
- When will the Image no longer be available? Sometime in early 2025, the image will no longer be pullable. Unfortunately, any guarantees regarding timelines or potential extensions can be provided. Images provided under GRC will be unavailable after March 18, 2025, as per the announcement. However, gcr.io/kubebuilder/ may be unavailable before this date due to efforts to deprecate infrastructure.
Success Criteria
1. Impact Mitigated
- Broad Awareness Achieved:
Success means Red Hatters, partners, and the community are fully informed about the deprecation, its implications, and the required actions to address it. This broad awareness fosters proactive updates and ensures a shared understanding of the impact, reducing potential disruptions.
- Catalog Solutions Updated:
Success here involves minimizing and reducing the number of solutions in the catalog that fail to install due to deprecation. The faster we ship new versions, the less overall impact there is.
- Prevention of New Versions Added to OCP and Increased Impact Caused By:
Success means stopping the addition of new solutions that rely on the deprecated image, thereby preventing future issues. Add solutions that we cannot guarantee will work or meet quality standards is crucial to avoid. Allowing such solutions only increases support costs, leads to poor customer experiences, introduces unnecessary risks, and discourages necessary updates and improvements. It does not meaningfully contribute to our goals or efforts.
2. Solutions maintained by RedHatters in downstream or upstream no longer using the deprecated image
Post Completion Review – Actual Results
- Broad Awareness Achieved: We could communicate it to all audiences. The details can be found at: OPRUN-3624
- Catalog Solutions Updated: This process will happen gradually but we could check that Operator solutions from Red Hatters for example, were migrated and no longer use it in the latest version.
- Prevention of New Versions Added to OCP and Increased Impact Caused By: The leadership/PM decided not to invest in any gating checks in the pipeline at this time.
A summary of the analysis of the impact can be found at: https://docs.google.com/spreadsheets/d/10KrhpfUrqY3nS-cOH0hB0XzVvhspKuVCMNCJGDbSJYs/edit?gid=0#gid=0.
Solutions impacted by each release can be found in the files attached at: https://issues.redhat.com/browse/OPRUN-3635
**
- account is impacted by
-
OPRUN-3607 [UPSTREAM] OLM V1 Transitioning from kube-rbac-proxy #1509
- Dev Complete
-
OPRUN-3609 [UPSTREAM] OLM V0 Transitioning from kube-rbac-proxy
- Closed