-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update metrics.md - Provide a more clear information about kube-rbac-…
…proxy
- Loading branch information
1 parent
7533bc1
commit f1535bd
Showing
1 changed file
with
12 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,37 +6,22 @@ publishes [a collection of performance metrics](/reference/metrics-reference.md) | |
| <aside class="note warning"> | ||
| <h1>IMPORTANT: If you are using `kube-rbac-proxy`</h1> | ||
|
|
||
| **Images provided under `gcr.io/kubebuilder/` will be unavailable from March 18, 2025.** | ||
| Please stop using the image `gcr.io/kubebuilder/kube-rbac-proxy` as soon as possible. | ||
| Your projects will be affected and may fail to work if the image cannot be pulled. | ||
|
|
||
| Projects initialized with Kubebuilder versions `v3.14` or lower utilize [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) to protect the metrics endpoint. Therefore, you might want to continue using kube-rbac-proxy by simply replacing the image or changing how the metrics endpoint is protected in your project. | ||
| **Images provided under `gcr.io/kubebuilder/` will be unavailable from early 2025.** | ||
|
|
||
| - Check the usage in the file `config/default/manager_auth_proxy_patch.yaml` where the [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) container is patched. ([example](https://github.com/kubernetes-sigs/kubebuilder/blob/94a5ab8e52cf416a11428b15ef0f40e4aabbc6ab/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml#L11-L23)) | ||
| - See the file `/config/default/kustomization.yaml` where the [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) was patched by default previously. ([example](https://github.com/kubernetes-sigs/kubebuilder/blob/94a5ab8e52cf416a11428b15ef0f40e4aabbc6ab/testdata/project-v4/config/default/kustomization.yaml#L29-L33)) | ||
| - **Projects initialized with Kubebuilder versions `v3.14` or lower** utilize [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) to protect the metrics endpoint. | ||
| In this case, you might want to upgrade your project to the latest release or ensure that you have applied the same or similar code changes. | ||
|
|
||
| > Please ensure that you update your configurations accordingly to avoid any disruptions. | ||
| - **However, projects initialized with Kubebuilder versions `v4.1.0` or higher** have similar protection using `authn/authz` | ||
| enabled by default via Controller-Runtime's feature [WithAuthenticationAndAuthorization](https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization). | ||
|
|
||
| ### If you are using OR wish to continue using [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy): | ||
| If you want to continue using [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) then you MUST change | ||
| your project to use the image from another source. | ||
|
|
||
| In this case, you must replace the image `gcr.io/kubebuilder/kube-rbac-proxy` for the image provided by the kube-rbac-proxy maintainers ([quay.io/brancz/kube-rbac-proxy](https://quay.io/repository/brancz/kube-rbac-proxy)), which is **not support or promoted by Kubebuilder**, or from any other registry/source that please you. | ||
|
|
||
| ### ❓ Why is this happening? | ||
|
|
||
| Kubebuilder has been rebuilding and re-tagging these images for several years. However, due to recent infrastructure changes for projects under the Kubernetes umbrella, we now require the use of shared infrastructure. But as [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) is in a process to be a part of it, but not yet, sadly we cannot build and promote these images using the new k8s infrastructure. To follow up the ongoing process and changes required for the project be accepted by, see: https://github.com/brancz/kube-rbac-proxy/issues/238 | ||
|
|
||
| Moreover, Google Cloud Platform has [deprecated the Container Registry](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr), which has been used to promote these images. | ||
|
|
||
| Additionally, ongoing changes and the phase-out of the previous GCP infrastructure mean that **Kubebuilder maintainers are no longer able to support, build, or ensure the promotion of these images.** For further information, please check the proposal for this change and its motivations [here](https://github.com/kubernetes-sigs/kubebuilder/pull/2345). | ||
|
|
||
| ### How the metrics endpoint can be protected ? | ||
|
|
||
| - By still using [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) and the image provided by the project ([quay.io/brancz/kube-rbac-proxy](https://quay.io/repository/brancz/kube-rbac-proxy)) or from any other source - _(**Not support or promoted by Kubebuilder**)_ | ||
| - By using NetworkPolicies. ([example](https://github.com/prometheus-operator/kube-prometheus/discussions/1907#discussioncomment-3896712)) | ||
| - By integrating cert-manager with your metrics service you can secure the endpoint via TLS encryption | ||
| - By using Controller-Runtime's new feature added in the [PR](https://github.com/kubernetes-sigs/controller-runtime/pull/1457) which can handle authentication (`authn`), authorization (`authz`) similar to `kube-rbac-proxy`. Also, be aware of the [issue](https://github.com/kubernetes-sigs/controller-runtime/issues/2781). | ||
|
|
||
| Further information can be found bellow in this document. | ||
|
|
||
| > Note that we plan use the above options to protect the metrics endpoint in the Kubebuilder scaffold in the future. For further information, please check the [proposal](https://github.com/kubernetes-sigs/kubebuilder/pull/2345). | ||
| > This infrastructure is outside of our control, we cannot guarantee any timeline or any extensions. | ||
| > For further information, see: [kubebuilder/discussions/3907](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907) | ||
| </aside> | ||
|
|
||
|
|
@@ -210,4 +195,4 @@ In order to publish metrics and view them on the Prometheus UI, the Prometheus i | |
| Those metrics will be available for prometheus or | ||
| other openmetrics systems to scrape. | ||
|
|
||
|  | ||
|  | ||