Replace kube-rbac-proxy #284
base: main
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: anshuman-agarwala
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Welcome @anshuman-agarwala!
Hi @anshuman-agarwala. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
f9154ba to 2e310d1
protocol: TCP | ||
targetPort: 8443 | ||
selector: | ||
control-plane: controller-manager |
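Review bot: the Service still maps to targetPort 8443, so with the kube-rbac-proxy sidecar gone the manager itself must bind its metrics listener (the address that feeds metricsAddr in cmd/main.go) to :8443, otherwise the Service selects the control-plane: controller-manager pods but has no listener behind it; add the missing trailing newline at the end of the file as well.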
NI: add an empty line at the end of the file
Fixed
subjects: | ||
- kind: ServiceAccount | ||
name: controller-manager | ||
namespace: system |
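Review bot: roleRef is outside this hunk, so confirm the role bound to ServiceAccount controller-manager grants create on tokenreviews (authentication.k8s.io) and subjectaccessreviews (authorization.k8s.io); with FilterProvider: filters.WithAuthenticationAndAuthorization the manager now makes the TokenReview and SubjectAccessReview calls that kube-rbac-proxy used to make, and without that permission every scrape is rejected. The trailing newline requested above is still missing.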
NI: add an empty line at the end of the file
Fixed
/ok-to-test thank you for taking this on!
@@ -25,13 +25,10 @@ resources: | |||
- ../internalcert | |||
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. | |||
#- ../prometheus | |||
# [METRICS] Expose the controller manager metrics service. | |||
- manager_metrics_service.yaml |
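Review bot: the hunk header (-25,13 +25,10) says three lines were removed but they are not rendered here; check that the commented ../prometheus overlay kept just above does not still reference manifests that left with kube-rbac-proxy, otherwise uncommenting the [PROMETHEUS] block later will fail to build. An e2e test that scrapes the Service added by manager_metrics_service.yaml with a ServiceAccount token is the cheapest way to prove the new file and the manager's auth filter work together.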
See that projects scaffolded with Kubebuilder now also have the default e2e tests generated:
https://github.com/kubernetes-sigs/kubebuilder/tree/master/testdata/project-v4/test
The metrics can indeed be used to validate the reconciliations, etc.
I would recommend you ensure that you also test it out in your tests.
See: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v4/test/e2e/e2e_test.go#L166-L235
^ See here the tests to ensure the metrics endpoint
You might not need the integration with Prometheus, so you could remove this block: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v4/test/e2e/e2e_test.go#L180-L183
Added e2e test for metrics endpoint.
cmd/main.go
Outdated
// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. | ||
// More info: | ||
// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server | ||
// - https://book.kubebuilder.io/reference/metrics.html | ||
metricsServerOptions := metricsserver.Options{ | ||
BindAddress: metricsAddr, | ||
SecureServing: true, | ||
FilterProvider: filters.WithAuthenticationAndAuthorization, | ||
} |
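Review bot: metricsServerOptions turns on SecureServing but passes no TLSOpts, so the metrics server runs with Go's default TLS config, which advertises h2; add a TLSOpts hook that sets c.NextProtos = []string{"http/1.1"} (the suggestion in the next comment does exactly this) so the HTTP/2 Rapid Reset advisories cited there cannot apply to this listener. Note also that with SecureServing and no CertDir controller-runtime serves a self-signed certificate, so scrapers will need to skip or pin verification; worth a line in the PR description.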
// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. | |
// More info: | |
// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server | |
// - https://book.kubebuilder.io/reference/metrics.html | |
metricsServerOptions := metricsserver.Options{ | |
BindAddress: metricsAddr, | |
SecureServing: true, | |
FilterProvider: filters.WithAuthenticationAndAuthorization, | |
} | |
// if the enable-http2 flag is false (the default), http/2 should be disabled | |
// due to its vulnerabilities. More specifically, disabling http/2 will | |
// prevent from being vulnerable to the HTTP/2 Stream Cancellation and | |
// Rapid Reset CVEs. For more information see: | |
// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 | |
// - https://github.com/advisories/GHSA-4374-p667-p6c8 | |
disableHTTP2 := func(c *tls.Config) { | |
setupLog.Info("disabling http/2") | |
c.NextProtos = []string{"http/1.1"} | |
} | |
if !enableHTTP2 { | |
tlsOpts = append(tlsOpts, disableHTTP2) | |
} | |
// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. | |
// More info: | |
// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server | |
// - https://book.kubebuilder.io/reference/metrics.html | |
metricsServerOptions := metricsserver.Options{ | |
BindAddress: metricsAddr, | |
SecureServing: true, | |
FilterProvider: filters.WithAuthenticationAndAuthorization, | |
TLSOpts: tlsOpts, | |
} |
You should not use HTTP/2
See that you should use: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v4/cmd/main.go#L95-L109
You might want to disable always and not add the flag
The fix for gRPC is not good enough: kubernetes/kubernetes#121197
Disabled HTTP/2
2e310d1 to 2457681
@@ -10,7 +10,7 @@ spec: | |||
type: {{ .Values.service.type }} | |||
ports: | |||
- name: https | |||
port: 8443 | |||
port: 8080 |
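Review bot: the port is changed to 8080 while it keeps the name https, the Service in config/ still maps to targetPort 8443, and cmd/main.go sets SecureServing: true; keep 8443 here so the chart matches the secured listener and the kustomize manifests, otherwise the chart's Service points at a port the manager is not serving on.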
You should not use port 8080.
You should protect it with TLS,
therefore it is HTTPS and not 8080.
What type of PR is this?
/kind deprecation
What this PR does / why we need it
Which issue(s) this PR fixes
Fixes #274
Special notes for your reviewer
Does this PR introduce a user-facing change?