Red Hat Internal Developer Platform / RHIDP-4236

Enhanced use of `kube-rbac-proxy`


    • Task
    • Resolution: Done
    • 1.4
    • Operator
    • 2
    • RHIDP-4212 - Feature parity between Helm Chart and Operator
    • This update removes the `kube-rbac-proxy` sidecar container from the {product-very-short} Operator Pod. This sidecar container protected the operator metrics endpoint. However, the main container now provides this functionality out-of-the-box. Removing this sidecar container allows for reducing the resources required to run the Operator.
    • Enhancement
    • RHDH Install 3264

      From this upstream controller-runtime issue, it looks like we can remove all use of kube-rbac-proxy. It is recommended to leverage the built-in WithAuthenticationAndAuthorization filter in controller-runtime: https://book.kubebuilder.io/reference/metrics#how-the-metrics-endpoint-can-be-protected-
       
      Use of kube-rbac-proxy

      • This is used to protect the metrics endpoint exposed by the operator.

      Acceptance Criteria

      • Remove all occurrences of the sidecar container using kube-rbac-proxy/ose-kube-rbac-proxy images from the Operator Deployment
      • Leverage the built-in WithAuthenticationAndAuthorization filter to protect the /metrics endpoint
      • Regenerate the bundle manifests
      • Everything works as before.
        • Check if the /metrics endpoint is used (perhaps from OpenShift Monitoring) and if metrics still show up

      Testing

      • Create a Pod that curls this endpoint
      • Make sure only pods with the right K8s service account role can access this endpoint

      If successful, RHIDP-2830 can be closed as won't do, since this eliminates the need for the extra container in the CSV.
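
The check described under Testing, sketched as Kubernetes manifests. This is an added example, not taken from the issue or from the operator's repository; the object names, the `metrics-test` namespace, the curl image, port 8443 and the Service host placeholder are all assumptions.

```yaml
# Added example. All names, the namespace (assumed to exist), the image,
# the port and the Service host are placeholders to adapt to the cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-reader-sa
  namespace: metrics-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
  - nonResourceURLs: ["/metrics"]   # the path the filter authorizes against
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-reader
subjects:
  - kind: ServiceAccount
    name: metrics-reader-sa
    namespace: metrics-test
---
apiVersion: v1
kind: Pod
metadata:
  name: curl-metrics
  namespace: metrics-test
spec:
  serviceAccountName: metrics-reader-sa
  restartPolicy: Never
  containers:
    - name: curl
      image: curlimages/curl:latest   # assumption: any image that ships curl
      command: ["sh", "-c"]
      args:
        - |
          TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
          # -k skips TLS verification for this test only; prints just the HTTP status
          curl -sk -o /dev/null -w '%{http_code}\n' \
            -H "Authorization: Bearer ${TOKEN}" \
            https://OPERATOR_METRICS_SERVICE.OPERATOR_NAMESPACE.svc:8443/metrics
```

With the binding in place the Pod log should show `200`; after deleting the ClusterRoleBinding and re-creating the Pod it should show `403`, and a request sent without the `Authorization` header should get `401`. The operator's own service account also needs permission to create `tokenreviews` and `subjectaccessreviews`, since the filter relies on those API calls to evaluate each request.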

              rh-ee-asoro Armel Soro
              RHIDP - Install