chore(controller): deprecate kube-rbac-proxy with controller built-in auth protection #1913
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rksharma95
force-pushed
the
feat-deprecate-rbac-proxy
branch
4 times, most recently
from
f89b36a to
7a7954d
Compare
rksharma95
requested review from
daemon1024,
DelusionalOptimist and
rootxrishabh
daemon1024
previously approved these changes
Dec 16, 2024
There was a problem hiding this comment.
@rksharma95, why are we adding binary files kubearmor-v1.x.x.tgz , kubearmor-operator-1.3.2.tgz ?
rksharma95
force-pushed
the
feat-deprecate-rbac-proxy
branch
from
7a7954d to
83c2ae9
Compare
|
@rksharma95 Please resolve conflicts |
Signed-off-by: rksharma95 <ramakant@accuknox.com>
rksharma95
force-pushed
the
feat-deprecate-rbac-proxy
branch
from
83c2ae9 to
4653681
Compare
my bad! i added these by mistake, removed |
rootxrishabh
approved these changes
Dec 20, 2024
There was a problem hiding this comment.
LGTM!
Environment
OS - Google Container - Optimized OS
Kernel - 6.1.112+
Container Runtime - containerd://1.7.23
K8s env - v1.30.6-gke.1125000
Kube-rbac not deployed (expected) && Enforcement confirmed on AppArmor
rootxrishabh@Rishabhs-MacBook-Air KubeArmorOperator % k describe po kubearmor-controller-77bb969564-wkmjz -n kubearmor
Name: kubearmor-controller-77bb969564-wkmjz
Namespace: kubearmor
Priority: 0
Service Account: kubearmor-controller
Node: gke-rishab-cluster-ng-ae649047-dn25/10.128.0.25
Start Time: Fri, 20 Dec 2024 11:46:54 +0530
Labels: kubearmor-app=kubearmor-controller
pod-template-hash=77bb969564
Annotations: container.apparmor.security.beta.kubernetes.io/manager: unconfined
kubearmor-policy: audited
Status: Running
IP: 10.84.2.26
IPs:
IP: 10.84.2.26
Controlled By: ReplicaSet/kubearmor-controller-77bb969564
Containers:
manager:
Container ID: containerd://bd9d3a035edaad07249a0782144b52c92c231d9fbdcc3d60155427f44a88fb71
Image: ttl.sh/kubearmor-controller-rbac:24h
Image ID: ttl.sh/kubearmor-controller-rbac@sha256:0bed0d14fd98d3f5040611f694605f34d153b18f32ae79645988e9677a3439fb
Port: 9443/TCP
Host Port: 0/TCP
Command:
/manager
Args:
--leader-elect
--health-probe-bind-address=:8081
State: Running
Started: Fri, 20 Dec 2024 11:46:58 +0530
Ready: True
Restart Count: 0
Requests:
cpu: 10m
memory: 64Mi
Liveness: http-get http://:8081/healthz delay=15s timeout=1s period=20s #success=1 #failure=3
Readiness: http-get http://:8081/readyz delay=5s timeout=1s period=10s #success=1 #failure=3
Environment: <none>
Mounts:
/tmp/k8s-webhook-server/serving-certs from cert (ro)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-gvn7w (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
cert:
Type: Secret (a volume populated by a Secret)
SecretName: kubearmor-controller-webhook-server-cert
Optional: false
kube-api-access-gvn7w:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: Burstable
Node-Selectors: kubearmor.io/securityfs=yes
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
rootxrishabh@Rishabhs-MacBook-Air templates % k exec -it nginx-bf5d5cf98-2tptx -- bash
root@nginx-bf5d5cf98-2tptx:/# apt
bash: /usr/bin/apt: Permission denied
root@nginx-bf5d5cf98-2tptx:/# exit
exit
command terminated with exit code 126
rootxrishabh@Rishabhs-MacBook-Air templates % k describe po nginx-bf5d5cf98-2tptx
Name: nginx-bf5d5cf98-2tptx
Namespace: default
Priority: 0
Service Account: default
Node: gke-rishab-cluster-ng-ae649047-dn25/10.128.0.25
Start Time: Fri, 20 Dec 2024 11:47:49 +0530
Labels: app=nginx
pod-template-hash=bf5d5cf98
Annotations: container.apparmor.security.beta.kubernetes.io/nginx: localhost/kubearmor-default-nginx-nginx
kubearmor-policy: enabled
kubearmor-visibility: process,file,network,capabilities
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose of PR?:
Fixes #1905
Does this PR introduce a breaking change?
No
If the changes in this PR are manually verified, list down the scenarios covered::
Additional information for reviewer? :
with this PR
kube-rbac-proxywould be deprecated therefore controller deployment will have a single container for kubearmor-controller manager only. operator should not deploy kube-rbac-proxy in any case. metric protection also disabled with this PR in effect as controller is not producing any metric at this point.Checklist:
<type>(<scope>): <subject>