From 6cc9e95381e559ec5f377c26b162cdf847975106 Mon Sep 17 00:00:00 2001 From: aleskandro Date: Thu, 5 Sep 2024 16:06:43 -0400 Subject: [PATCH] MULTIARCH-4989: Remove the kube-rbac-proxy Images provided under gcr.io/kubebuilder/ will be unavailable from March 18, 2025. Projects initialized with Kubebuilder versions v3.14 or lower utilize gcr.io/kubebuilder/kube-rbac-proxy to protect the metrics endpoint. Following the work in kubernetes-sigs/kubebuilder#4003, this commit removes the kube-rbac-proxy container and lets the main container of the controller expose the metrics via HTTPS using the WithAuthenticationAndAuthorization filter. This also includes a minor fix in BuildService that escaped during the resolution of some conflicts during a rebase. Related to kubernetes-sigs/kubebuilder#3871 --- ...controller-manager-service_v1_service.yaml | 6 +- ...tuning-operator.clusterserviceversion.yaml | 31 ++---- config/default/kustomization.yaml | 8 -- config/default/manager_auth_proxy_patch.yaml | 35 ------- config/default/manager_config_patch.yaml | 38 -------- config/manager/manager.yaml | 97 +++++++++++++------ config/webhook/service.yaml | 4 + .../clusterpodplacementconfig_controller.go | 34 ++----- controllers/operator/objects.go | 64 +++++------- go.mod | 7 +- go.sum | 12 +++ main.go | 20 +++- .../framework/cluster_pod_placement_config.go | 3 +- pkg/utils/const.go | 10 +- 14 files changed, 153 insertions(+), 216 deletions(-) delete mode 100644 config/default/manager_config_patch.yaml diff --git a/bundle/manifests/multiarch-tuning-operator-controller-manager-service_v1_service.yaml b/bundle/manifests/multiarch-tuning-operator-controller-manager-service_v1_service.yaml index 60191b5b5..d67c71ad8 100644 --- a/bundle/manifests/multiarch-tuning-operator-controller-manager-service_v1_service.yaml +++ b/bundle/manifests/multiarch-tuning-operator-controller-manager-service_v1_service.yaml 
@@ -5,8 +5,12 @@ metadata: name: multiarch-tuning-operator-controller-manager-service spec: ports: - - port: 443 + - name: webhook + port: 443 targetPort: 9443 + - name: metrics + port: 8443 + targetPort: 8443 selector: control-plane: controller-manager status: diff --git a/bundle/manifests/multiarch-tuning-operator.clusterserviceversion.yaml b/bundle/manifests/multiarch-tuning-operator.clusterserviceversion.yaml index 83dc5e17e..0f2671b46 100644 --- a/bundle/manifests/multiarch-tuning-operator.clusterserviceversion.yaml +++ b/bundle/manifests/multiarch-tuning-operator.clusterserviceversion.yaml @@ -27,7 +27,7 @@ metadata: categories: OpenShift Optional, Other console.openshift.io/disable-operand-delete: "false" containerImage: registry.ci.openshift.org/origin/multiarch-tuning-operator:main - createdAt: "2024-08-27T22:08:50Z" + createdAt: "2024-09-05T20:29:54Z" features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "false" @@ -350,7 +350,7 @@ spec: containers: - args: - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --metrics-bind-address=:8443 - --leader-elect - --enable-operator command: @@ -373,6 +373,13 @@ spec: initialDelaySeconds: 15 periodSeconds: 20 name: manager + ports: + - containerPort: 8081 + name: health + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP readinessProbe: httpGet: path: /readyz 
@@ -395,26 +402,6 @@ spec: - mountPath: /etc/ssl/certs/ name: ca-projected-volume readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index d39537982..5211d180d 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -25,14 +25,6 @@ bases: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml -- manager_config_patch.yaml - - # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- manager_webhook_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 89cb512f7..4695ec523 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml 
@@ -8,26 +8,6 @@ metadata: spec: template: spec: - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - name: kube-rbac-proxy securityContext: @@ -49,18 +29,3 @@ spec: requests: cpu: 10m memory: 64Mi - - name: manager - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: IMAGE - valueFrom: - fieldRef: - fieldPath: metadata.annotations['multiarch.openshift.io/image'] - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" - - "--enable-operator" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml deleted file mode 100644 index 74eb83b50..000000000 --- a/config/default/manager_config_patch.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - volumeMounts: - - mountPath: /var/run/manager/tls - name: multiarch-tuning-operator-controller-manager-service-cert - readOnly: true - - mountPath: /etc/ssl/certs/ - name: ca-projected-volume - readOnly: true - volumes: - - name: multiarch-tuning-operator-controller-manager-service-cert - secret: - secretName: multiarch-tuning-operator-controller-manager-service-cert - defaultMode: 420 - - name: ca-projected-volume - projected: - sources: - - configMap: - name: openshift-service-ca.crt - items: - - key: service-ca.crt - path: openshift-ca.crt - optional: true - - configMap: - name: kube-root-ca.crt - items: - - key: ca.crt - path: kube-root-ca.crt - - 
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index ceda0487f..898d8ca1d 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -41,43 +41,54 @@ spec: labels: control-plane: controller-manager spec: - # TODO(user): Uncomment the following code to configure the nodeAffinity expression - # according to the platforms which are supported by your solution. - # It is considered best practice to support multiple architectures. You can - # build your manager image using the makefile target docker-buildx. - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/arch - # operator: In - # values: - # - amd64 - # - arm64 - # - ppc64le - # - s390x - # - key: kubernetes.io/os - # operator: In - # values: - # - linux + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux securityContext: runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). 
- # seccompProfile: - # type: RuntimeDefault + seccompProfile: + type: RuntimeDefault containers: - command: - /manager args: - - --leader-elect + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=:8443" + - "--leader-elect" + - "--enable-operator" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: IMAGE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['multiarch.openshift.io/image'] image: controller:latest - imagePullPolicy: Always # TODO[aleskandro]: this is for testing reasons. + imagePullPolicy: Always name: manager + ports: + - containerPort: 8081 + name: health + protocol: TCP + - containerPort: 8443 + name: https # This should be "metrics", but the automated bundle generation tooling requires the name to be https + # for backwards compatibility with the previous version of kubebuilder that used kube-rbac-proxy + protocol: TCP securityContext: allowPrivilegeEscalation: false capabilities: 
@@ -95,12 +106,36 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - # TODO(user): Configure the resources accordingly based on the project requirements. - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: requests: cpu: 10m memory: 64Mi + volumeMounts: + - mountPath: /var/run/manager/tls + name: multiarch-tuning-operator-controller-manager-service-cert + readOnly: true + - mountPath: /etc/ssl/certs/ + name: ca-projected-volume + readOnly: true priorityClassName: system-cluster-critical serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 + volumes: + - name: multiarch-tuning-operator-controller-manager-service-cert + secret: + secretName: multiarch-tuning-operator-controller-manager-service-cert + defaultMode: 420 + - name: ca-projected-volume + projected: + sources: + - configMap: + name: openshift-service-ca.crt + items: + - key: service-ca.crt + path: openshift-ca.crt + optional: true + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: kube-root-ca.crt diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml index 0d4c44f95..1a6e8b8fe 100644 --- a/config/webhook/service.yaml +++ b/config/webhook/service.yaml @@ -7,5 +7,9 @@ spec: ports: - port: 443 targetPort: 9443 + name: webhook + - port: 8443 + targetPort: 8443 + name: metrics selector: control-plane: controller-manager \ No newline at end of file diff --git a/controllers/operator/clusterpodplacementconfig_controller.go b/controllers/operator/clusterpodplacementconfig_controller.go index 4a9e9384d..df01e6b38 100644 --- a/controllers/operator/clusterpodplacementconfig_controller.go +++ b/controllers/operator/clusterpodplacementconfig_controller.go 
@@ -27,7 +27,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" errorutils "k8s.io/apimachinery/pkg/util/errors" - "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes" ctrl "sigs.k8s.io/controller-runtime" @@ -211,14 +210,6 @@ func (r *ClusterPodPlacementConfigReconciler) handleDelete(ctx context.Context, NamespacedTypedClient: r.ClientSet.CoreV1().Services(utils.Namespace()), ObjName: utils.PodPlacementWebhookName, }, - { - NamespacedTypedClient: r.ClientSet.CoreV1().Services(utils.Namespace()), - ObjName: utils.PodPlacementControllerMetricsServiceName, - }, - { - NamespacedTypedClient: r.ClientSet.CoreV1().Services(utils.Namespace()), - ObjName: utils.PodPlacementWebhookMetricsServiceName, - }, { NamespacedTypedClient: r.ClientSet.AppsV1().Deployments(utils.Namespace()), ObjName: utils.PodPlacementWebhookName, @@ -306,6 +297,10 @@ func (r *ClusterPodPlacementConfigReconciler) handleDelete(ctx context.Context, } } objsToDelete = []utils.ToDeleteRef{ + { + NamespacedTypedClient: r.ClientSet.CoreV1().Services(utils.Namespace()), + ObjName: utils.PodPlacementControllerName, + }, { NamespacedTypedClient: r.ClientSet.AppsV1().Deployments(utils.Namespace()), ObjName: utils.PodPlacementControllerName, 
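Review bot: Dropping the two metrics-service entries from the first `objsToDelete` list in handleDelete means a cluster upgraded from a release that created `pod-placement-controller-metrics-service` and `pod-placement-web-hook-metrics-service` keeps those Services (and the serving-cert Secrets their annotation requested) indefinitely, because the name constants are removed in the same commit and nothing else references them. Unless those Services carry an ownerReference to something that is itself garbage-collected, which is not visible here, the delete path should keep removing them by literal name for at least one release, e.g. an extra `ToDeleteRef` with `ObjName: "pod-placement-controller-metrics-service",` next to the existing Services entry, and likewise for the web-hook one. handleDelete's body starts outside the hunk.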
@@ -354,25 +349,8 @@ func (r *ClusterPodPlacementConfigReconciler) reconcile(ctx context.Context, clu objects := []client.Object{ // The finalizer will not affect the reconciliation of ReplicaSets and Pods // when updates to the ClusterPodPlacementConfig are made. - buildService(utils.PodPlacementControllerName, utils.PodPlacementControllerName, - 443, intstr.FromInt32(9443)), - buildService(utils.PodPlacementWebhookName, utils.PodPlacementWebhookName, - 443, intstr.FromInt32(9443)), - buildService( - utils.PodPlacementControllerMetricsServiceName, utils.PodPlacementControllerName, - 8443, intstr.FromInt32(8443)), - buildService( - utils.PodPlacementWebhookMetricsServiceName, utils.PodPlacementWebhookName, - 8443, intstr.FromInt32(8443)), buildService(utils.PodPlacementControllerName, utils.PodPlacementControllerName, - 443, intstr.FromInt32(9443)), - buildService(utils.PodPlacementWebhookName, utils.PodPlacementWebhookName, - 443, intstr.FromInt32(9443)), - buildService( - utils.PodPlacementControllerMetricsServiceName, utils.PodPlacementControllerName, - 8443, intstr.FromInt32(8443)), - buildService( - utils.PodPlacementWebhookMetricsServiceName, utils.PodPlacementWebhookName, - 8443, intstr.FromInt32(8443)), + buildService(utils.PodPlacementControllerName), + buildService(utils.PodPlacementWebhookName), buildClusterRoleController(), buildClusterRoleWebhook(), buildRoleController(), buildServiceAccount(utils.PodPlacementWebhookName), buildServiceAccount(utils.PodPlacementControllerName), buildClusterRoleBinding(utils.PodPlacementControllerName, rbacv1.RoleRef{ diff --git a/controllers/operator/objects.go b/controllers/operator/objects.go index 23afaa321..3b203ee40 100644 --- a/controllers/operator/objects.go +++ b/controllers/operator/objects.go 
@@ -74,14 +74,14 @@ func buildMutatingWebhookConfiguration(clusterPodPlacementConfig *v1beta1.Cluste
 }
 }
 
-func buildService(name string, controllerName string, port int32, targetPort intstr.IntOrString) *corev1.Service {
+func buildService(name string) *corev1.Service {
 return &corev1.Service{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Namespace: utils.Namespace(),
 Labels: map[string]string{
 utils.OperandLabelKey: operandName,
- utils.ControllerNameKey: controllerName,
+ utils.ControllerNameKey: name,
 },
 Annotations: map[string]string{
 "service.beta.openshift.io/serving-cert-secret-name": name,
@@ -91,14 +91,20 @@ func buildService(name string, controllerName string, port int32, targetPort int
 Ports: []corev1.ServicePort{
 {
 Name: "https",
- Port: port,
- TargetPort: targetPort,
+ Port: 443,
+ TargetPort: intstr.FromInt32(9443),
+ Protocol: corev1.ProtocolTCP,
+ },
+ {
+ Name: "metrics",
+ Port: 8443,
+ TargetPort: intstr.FromInt32(8443),
 Protocol: corev1.ProtocolTCP,
 },
 },
 Selector: map[string]string{
 utils.OperandLabelKey: operandName,
- utils.ControllerNameKey: controllerName,
+ utils.ControllerNameKey: name,
 },
 },
 }
@@ -241,7 +247,7 @@ func buildDeployment(clusterPodPlacementConfig *v1beta1.ClusterPodPlacementConfi
 },
 Args: append([]string{
 "--health-probe-bind-address=:8081",
- "--metrics-bind-address=127.0.0.1:8080",
+ "--metrics-bind-address=:8443",
 fmt.Sprintf("--initial-log-level=%d", clusterPodPlacementConfig.Spec.LogVerbosity.ToZapLevelInt()),
 }, args...),
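Review bot: `buildService` names the 443 port `https` while the manifests changed in this same commit (config/webhook/service.yaml and the bundle Service) call that port `webhook` and only the 8443 port `metrics`; both ports are TLS now, so `https` no longer distinguishes them. Unless something selects the port by name (a ServiceMonitor, for instance), `Name: "webhook",` would make the operand Services match the operator's own. The function also lost three parameters and now hard-codes both ports but still has no doc comment; a one-liner such as `// buildService returns the Service for the operand named name: webhook traffic on 443->9443, metrics on 8443, with a serving cert requested via the OpenShift service-ca annotation.` would record the fixed ports for the next reader.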
@@ -312,42 +318,6 @@ func buildDeployment(clusterPodPlacementConfig *v1beta1.ClusterPodPlacementConfi ReadOnly: true, }, }, - }, { - Name: "kube-rbac-proxy", - Image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522", - ImagePullPolicy: corev1.PullIfNotPresent, - Args: []string{ - "--secure-listen-address=0.0.0.0:8443", - "--upstream=http://127.0.0.1:8080/", - "--logtostderr=true", - "--v=0", - }, - Ports: []corev1.ContainerPort{ - { - ContainerPort: 8443, - Protocol: corev1.ProtocolTCP, - Name: "https", - }, - }, - SecurityContext: &corev1.SecurityContext{ - AllowPrivilegeEscalation: utils.NewPtr(false), - Capabilities: &corev1.Capabilities{ - Drop: []corev1.Capability{ - "ALL", - }, - }, - Privileged: utils.NewPtr(false), - RunAsNonRoot: utils.NewPtr(true), - SeccompProfile: &corev1.SeccompProfile{ - Type: corev1.SeccompProfileTypeRuntimeDefault, - }, - }, - Resources: corev1.ResourceRequirements{ - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("10m"), - corev1.ResourceMemory: resource.MustParse("64Mi"), - }, - }, }, }, PriorityClassName: priorityClassName, @@ -508,6 +478,11 @@ func buildClusterRoleWebhook() *rbacv1.ClusterRole { Resources: []string{"pods"}, Verbs: []string{LIST, WATCH, GET}, }, + { + APIGroups: []string{"authentication.k8s.io"}, + Resources: []string{"tokenreviews"}, + Verbs: []string{CREATE}, + }, }) } @@ -553,6 +528,11 @@ func buildClusterRoleController() *rbacv1.ClusterRole { Resources: []string{"imagetagmirrorsets", "imagedigestmirrorsets", "images"}, Verbs: []string{LIST, WATCH, GET}, }, + { + APIGroups: []string{"authentication.k8s.io"}, + Resources: []string{"tokenreviews"}, + Verbs: []string{CREATE}, + }, }) } diff --git a/go.mod b/go.mod index 10cf35c5f..828802cf0 100644 --- a/go.mod +++ b/go.mod 
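Review bot: The two ClusterRole additions (buildClusterRoleWebhook and buildClusterRoleController) grant `create` on `authentication.k8s.io/tokenreviews` only, but the `filters.WithAuthenticationAndAuthorization` filter that main.go now installs — and the operands appear to share that main.go — also performs a SubjectAccessReview for every authenticated scrape, so the operand service accounts additionally need `create` on `authorization.k8s.io/subjectaccessreviews`; without it authorization fails and the metrics endpoint rejects every request. Each rule list should gain `{APIGroups: []string{"authorization.k8s.io"}, Resources: []string{"subjectaccessreviews"}, Verbs: []string{CREATE}},`, which is what the kubebuilder scaffold grants alongside tokenreviews. Both functions start outside their hunks.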
@@ -28,6 +28,7 @@ require ( ) require ( + github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect @@ -72,6 +73,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect + github.com/google/cel-go v0.17.8 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect @@ -101,7 +103,7 @@ require ( github.com/opencontainers/runtime-spec v1.2.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/proglottis/gpgme v0.1.3 // indirect - github.com/prometheus/client_golang v1.20.0 // indirect + github.com/prometheus/client_golang v1.20.0 github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.55.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect @@ -115,6 +117,7 @@ require ( github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/stoewer/go-strcase v1.2.0 // indirect github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/xlab/treeprint v1.2.0 // indirect 
@@ -155,10 +158,12 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.30.4 // indirect + k8s.io/apiserver v0.30.4 // indirect k8s.io/component-base v0.30.4 // indirect k8s.io/kube-aggregator v0.30.4 // indirect k8s.io/kube-openapi v0.0.0-20240816214639-573285566f34 // indirect k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect diff --git a/go.sum b/go.sum index d39c333c7..7136193e7 100644 --- a/go.sum +++ b/go.sum @@ -4,6 +4,8 @@ github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 
@@ -126,6 +128,8 @@ github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/cel-go v0.17.8 h1:j9m730pMZt1Fc4oKhCLUHfjj6527LuhYcYw0Rl8gqto= +github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -273,6 +277,8 @@ github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 
@@ -280,6 +286,7 @@ github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= @@ -421,6 +428,7 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWM gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 
@@ -433,6 +441,8 @@ k8s.io/apiextensions-apiserver v0.30.4 h1:FwOMIk/rzZvM/Gx0IOz0+biZ+dlnlCeyfXW17u k8s.io/apiextensions-apiserver v0.30.4/go.mod h1:m8cAkJ9PVU8Olb4cPW4hrUDBZGvoSJ0kY0G0CfdGQac= k8s.io/apimachinery v0.30.4 h1:5QHQI2tInzr8LsT4kU/2+fSeibH1eIHswNx480cqIoY= k8s.io/apimachinery v0.30.4/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apiserver v0.30.4 h1:rHkGJhxd+m4jILrgkenwSmG4X0QXk6ecGuybzS/PQak= +k8s.io/apiserver v0.30.4/go.mod h1:oyGAj9B9/0+I9huJyf4/8SMBF2mNh2bTMlu7703dkH8= k8s.io/client-go v0.30.4 h1:eculUe+HPQoPbixfwmaSZGsKcOf7D288tH6hDAdd+wY= k8s.io/client-go v0.30.4/go.mod h1:IBS0R/Mt0LHkNHF4E6n+SUDPG7+m2po6RZU7YHeOpzc= k8s.io/component-base v0.30.4 h1:FlgKqazIkIIxpLA4wFXsiPiDllJn9fhsN3G4TeX7T7U= @@ -445,6 +455,8 @@ k8s.io/kube-openapi v0.0.0-20240816214639-573285566f34 h1:/amS69DLm09mtbFtN3+Lyy k8s.io/kube-openapi v0.0.0-20240816214639-573285566f34/go.mod h1:G0W3eI9gG219NHRq3h5uQaRBl4pj4ZpwzRP5ti8y770= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 h1:/U5vjBbQn3RChhv7P11uhYvCSm5G2GaIi5AIGBS6r4c= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4= sigs.k8s.io/controller-runtime v0.18.5 h1:nTHio/W+Q4aBlQMgbnC5hZb4IjIidyrizMai9P6n4Rk= sigs.k8s.io/controller-runtime v0.18.5/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/main.go b/main.go index 37c469be8..542f47665 100644 --- a/main.go +++ b/main.go @@ -17,6 +17,7 @@ limitations under the License. package main import ( + "crypto/tls" "errors" "flag" "fmt" 
@@ -39,6 +40,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/healthz"
 ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
+ "sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 "sigs.k8s.io/controller-runtime/pkg/webhook"
 
@@ -101,15 +103,29 @@ func main() {
 if enableClusterPodPlacementConfigOperandControllers {
 leaderId = fmt.Sprintf("ppc-controllers-%s", leaderId)
 }
+ // Rapid Reset CVEs. For more information see:
+ // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+ // - https://github.com/advisories/GHSA-4374-p667-p6c8
+ // - https://github.com/kubernetes-sigs/kubebuilder/blob/33a2f3dc556a9e49e06e6f19e0ae737d82d402db/testdata/project-v4/cmd/main.go#L78-L89
+ var tlsOpts []func(*tls.Config)
+ disableHTTP2 := func(c *tls.Config) {
+ setupLog.Info("disabling http/2")
+ c.NextProtos = []string{"http/1.1"}
+ }
+ tlsOpts = append(tlsOpts, disableHTTP2)
+
 webhookServer := webhook.NewServer(webhook.Options{
 Port: 9443,
 CertDir: certDir,
+ TLSOpts: tlsOpts,
 })
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 Scheme: scheme,
 Metrics: metricsserver.Options{
- BindAddress: metricsAddr,
- CertDir: certDir,
+ BindAddress: metricsAddr,
+ CertDir: certDir,
+ FilterProvider: filters.WithAuthenticationAndAuthorization,
+ SecureServing: true,
 },
 WebhookServer: webhookServer,
 HealthProbeBindAddress: probeAddr,
diff --git a/pkg/testing/framework/cluster_pod_placement_config.go b/pkg/testing/framework/cluster_pod_placement_config.go
index 283f6467b..2c0f000ec 100644
--- a/pkg/testing/framework/cluster_pod_placement_config.go
+++ b/pkg/testing/framework/cluster_pod_placement_config.go
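Review bot: The HTTP/2 disable collected in `tlsOpts` is passed only to the webhook server; the metrics listener that this hunk turns into a TLS endpoint on `:8443` is configured without it, so the Rapid Reset mitigation the new comment cites does not cover the new secure metrics port. `metricsserver.Options` in controller-runtime v0.18 also has a `TLSOpts` field, and the kubebuilder template the comment links hands the same slice to both servers, so add `TLSOpts: tlsOpts,` inside the `Metrics:` block. `filters.WithAuthenticationAndAuthorization` issues TokenReview and SubjectAccessReview calls with the manager's own service account, yet the diff does not touch the operator's RBAC under config/rbac; unless that role is generated from kubebuilder markers elsewhere, the controller-manager ClusterRole needs `create` on `authentication.k8s.io/tokenreviews` and `authorization.k8s.io/subjectaccessreviews` or every scrape of the operator will be rejected. main's body continues outside the hunk.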
@@ -52,8 +52,7 @@ func getObjects() []client.Object { builder.NewDeployment().WithName(utils.PodPlacementControllerName).WithNamespace(utils.Namespace()).Build(), builder.NewDeployment().WithName(utils.PodPlacementWebhookName).WithNamespace(utils.Namespace()).Build(), builder.NewService().WithName(utils.PodPlacementWebhookName).WithNamespace(utils.Namespace()).Build(), - builder.NewService().WithName(utils.PodPlacementControllerMetricsServiceName).WithNamespace(utils.Namespace()).Build(), - builder.NewService().WithName(utils.PodPlacementWebhookMetricsServiceName).WithNamespace(utils.Namespace()).Build(), + builder.NewService().WithName(utils.PodPlacementControllerName).WithNamespace(utils.Namespace()).Build(), builder.NewMutatingWebhookConfiguration().WithName(utils.PodMutatingWebhookConfigurationName).Build(), builder.NewClusterRole().WithName(utils.PodPlacementControllerName).Build(), builder.NewClusterRole().WithName(utils.PodPlacementWebhookName).Build(), diff --git a/pkg/utils/const.go b/pkg/utils/const.go index f228b100a..5c3207a56 100644 --- a/pkg/utils/const.go +++ b/pkg/utils/const.go @@ -38,10 +38,8 @@ const ( ) const ( - PodMutatingWebhookConfigurationName = "pod-placement-mutating-webhook-configuration" - PodPlacementWebhookMetricsServiceName = "pod-placement-web-hook-metrics-service" - PodMutatingWebhookName = "pod-placement-scheduling-gate.multiarch.openshift.io" - PodPlacementControllerMetricsServiceName = "pod-placement-controller-metrics-service" - PodPlacementControllerName = "pod-placement-controller" - PodPlacementWebhookName = "pod-placement-web-hook" + PodMutatingWebhookConfigurationName = "pod-placement-mutating-webhook-configuration" + PodMutatingWebhookName = "pod-placement-scheduling-gate.multiarch.openshift.io" + PodPlacementControllerName = "pod-placement-controller" + PodPlacementWebhookName = "pod-placement-web-hook" )