Use controller-runtime to protect metrics endpoint
Use the new `FilterProvider` and `SecureServing` fields to authenticate and authorize requests to the metrics endpoint

ref: https://issues.redhat.com/browse/ACM-8346
Signed-off-by: Jason Zhang <jaszhang@redhat.com>
zyjjay authored and openshift-merge-bot[bot] committed Jul 29, 2024
1 parent 2cbd7fe commit feebc30
Showing 7 changed files with 83 additions and 4 deletions.
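--- a/deploy/rbac/auth_cluster_role.yaml
+++ b/deploy/rbac/auth_cluster_role.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: governance-policy-framework-addon-auth
+rules:
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create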
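--- a/deploy/rbac/auth_cluster_role_binding.yaml
+++ b/deploy/rbac/auth_cluster_role_binding.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: governance-policy-framework-addon-auth
+subjects:
+- kind: ServiceAccount
+name: governance-policy-framework-addon
+namespace: open-cluster-management-agent-addon
+roleRef:
+kind: ClusterRole
+name: governance-policy-framework-addon-auth
+apiGroup: rbac.authorization.k8s.io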
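--- a/deploy/rbac/metrics_reader.yaml
+++ b/deploy/rbac/metrics_reader.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: governance-policy-framework-addon-metrics-reader
+rules:
+- nonResourceURLs:
+- "/metrics"
+verbs:
+- get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: governance-policy-framework-addon-metrics-reader
+subjects:
+- kind: ServiceAccount
+name: governance-policy-framework-addon
+namespace: open-cluster-management-agent-addon
+roleRef:
+kind: ClusterRole
+name: governance-policy-framework-addon-metrics-reader
+apiGroup: rbac.authorization.k8s.io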
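Review bot: The ClusterRoleBinding grants `get` on `/metrics` to the addon's own service account (`governance-policy-framework-addon` in `open-cluster-management-agent-addon`), but with `filters.WithAuthenticationAndAuthorization` on the server the identity that has to pass the SubjectAccessReview is the scraper's, not the addon's. Unless the scraper runs under that same service account, this binding neither admits the scraper nor is needed by the addon itself; confirm which account performs the scrape and bind that one. A short comment above the binding such as `# Grants the metrics scraper read access to /metrics; bind to the scraper's service account` would make the intent clear to whoever deploys it.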
7 changes: 7 additions & 0 deletions go.mod
Expand Up @@ -32,13 +32,16 @@ require (
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.12.0 // indirect
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
Expand Down Expand Up @@ -81,9 +84,12 @@ require (
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 // indirect
go.opentelemetry.io/otel v1.23.1 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.23.1 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.23.1 // indirect
go.opentelemetry.io/otel/metric v1.23.1 // indirect
go.opentelemetry.io/otel/sdk v1.23.1 // indirect
go.opentelemetry.io/otel/trace v1.23.1 // indirect
go.opentelemetry.io/proto/otlp v1.1.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
Expand All @@ -100,6 +106,7 @@ require (
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240528155852-a33235495d66 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240528155852-a33235495d66 // indirect
google.golang.org/grpc v1.64.0 // indirect
google.golang.org/protobuf v1.34.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
1 change: 1 addition & 0 deletions go.sum
Expand Up @@ -56,6 +56,7 @@ github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyT
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew=
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
17 changes: 13 additions & 4 deletions main.go
Expand Up @@ -59,6 +59,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/event"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
"sigs.k8s.io/controller-runtime/pkg/metrics/server"
"sigs.k8s.io/controller-runtime/pkg/source"

Expand Down Expand Up @@ -215,13 +216,21 @@ func main() {
managedCfg.QPS = tool.Options.ClientQPS
managedCfg.Burst = int(tool.Options.ClientBurst)

metricsOptions := server.Options{
BindAddress: tool.Options.MetricsAddr,
}

if tool.Options.SecureMetrics {
metricsOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
metricsOptions.SecureServing = true
metricsOptions.CertDir = "/var/run/metrics-cert"
}

mgrOptionsBase := manager.Options{
LeaderElection: tool.Options.EnableLeaderElection,
// Disable the metrics endpoint
Metrics: server.Options{
BindAddress: tool.Options.MetricsAddr,
},
Scheme: scheme,
Metrics: metricsOptions,
Scheme: scheme,
// Override the EventBroadcaster so that the spam filter will not ignore events for the policy but with
// different messages if a large amount of events for that policy are sent in a short time.
EventBroadcaster: record.NewBroadcasterWithCorrelatorOptions(
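Review bot: The certificate directory is hard-coded in two places — `metricsOptions.CertDir = "/var/run/metrics-cert"` here and again in the `--secure-metrics` help text in tool/options.go — so the two can drift silently; a single package-level constant, or a `--metrics-cert-dir` flag defaulting to that path, would keep them in step and let deployments mount certificates elsewhere. Because `--secure-metrics` defaults to false, the endpoint stays plaintext and unauthenticated unless a deployment opts in, which is worth stating in the flag text or revisiting as the default. If the `// Disable the metrics endpoint` comment just above `Metrics: metricsOptions,` survives on the new side, it is now stale and should be replaced with `// Serve metrics; TLS plus authn/authz is enabled with --secure-metrics`. The body of main continues outside the hunk.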
8 changes: 8 additions & 0 deletions tool/options.go
Expand Up @@ -23,6 +23,7 @@ type SyncerOptions struct {
EnableLeaderElection bool
ProbeAddr string
MetricsAddr string
SecureMetrics bool
// The namespace that the replicated policies should be synced to. This defaults to the same namespace as on the
// Hub.
ClusterNamespace string
Expand Down Expand Up @@ -111,6 +112,13 @@ func ProcessFlags() {
"The address the metrics endpoint binds to.",
)

flag.BoolVar(
&Options.SecureMetrics,
"secure-metrics",
false,
"Enable secure metrics endpoint with certificates at /var/run/metrics-cert",
)

flag.Uint8Var(
&Options.EvaluationConcurrency,
"evaluation-concurrency",
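Review bot: The new `SecureMetrics` field in SyncerOptions has no comment saying what it switches on, and the flag help below mentions only the certificate path; suggested field comment: `// SecureMetrics serves the metrics endpoint over TLS (certificates read from /var/run/metrics-cert) and rejects requests that fail Kubernetes authentication or authorization.` The flag text could carry the same sentence so operators know the endpoint is otherwise unauthenticated. Both SyncerOptions and ProcessFlags extend beyond their hunks.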