Skip to content

Commit

Permalink
Removing kube-rbac-proxy (k0sproject#842)
Browse files Browse the repository at this point in the history
Signed-off-by: Alexey Makhov <amakhov@mirantis.com>
  • Loading branch information
makhov authored Dec 31, 2024
1 parent 44e04c3 commit 5413337
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 28 deletions.
37 changes: 32 additions & 5 deletions cmd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package main

import (
"crypto/md5"
"crypto/tls"
"flag"
"fmt"
"os"
Expand All @@ -41,6 +42,7 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"

clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
Expand Down Expand Up @@ -81,13 +83,21 @@ func init() {
func main() {
var metricsAddr string
var enableLeaderElection bool
var secureMetrics bool
var enableHTTP2 bool
var probeAddr string
var enabledController string
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8443", "The address the metric endpoint binds to. "+
"Use :8080 for http and :8443 for https. Setting to 0 will disable the metrics endpoint.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&secureMetrics, "metrics-secure", true,
"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
flag.BoolVar(&enableHTTP2, "enable-http2", false,
"If set, HTTP/2 will be enabled for the metrics and webhook servers")

flag.StringVar(&enabledController, "enable-controller", "", "The controller to enable. Default: all")
opts := zap.Options{
Development: true,
Expand All @@ -103,11 +113,28 @@ func main() {

ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

var tlsOpts []func(*tls.Config)
disableHTTP2 := func(c *tls.Config) {
setupLog.Info("disabling http/2")
c.NextProtos = []string{"http/1.1"}
}
if !enableHTTP2 {
tlsOpts = append(tlsOpts, disableHTTP2)
}

metricsOpts := metricsserver.Options{
BindAddress: metricsAddr,
SecureServing: secureMetrics,
TLSOpts: tlsOpts,
}

if secureMetrics {
metricsOpts.FilterProvider = filters.WithAuthenticationAndAuthorization
}

mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
Metrics: metricsserver.Options{
BindAddress: metricsAddr,
},
Scheme: scheme,
Metrics: metricsOpts,
HealthProbeBindAddress: probeAddr,
LeaderElection: enableLeaderElection,
LeaderElectionID: fmt.Sprintf("%x.k0smotron.io", md5.Sum([]byte(enabledController))),
Expand Down
23 changes: 0 additions & 23 deletions config/default/manager_auth_proxy_patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,29 +25,6 @@ spec:
values:
- linux
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: manager
args:
- "--health-probe-bind-address=:8081"
Expand Down

0 comments on commit 5413337

Please sign in to comment.