Drop deprecated kube-rbac-proxy #479
Conversation
/lgtm
Branch updated from a15c8d5 to ae7a56d.
lgtm, thanks @mythi!
The remaining failure seems to be because of
Hello @mythi, one way is to find out what stage the uninstall is in and recover the config based on that. Usually it suffices to just remove imports that are gone from Anyway I'm playing with this issue, I have one little workaround that improves things (kata-deploy and pre-reqs in operator) but I'm trying to find out the root cause first (which is proving to be more complex than I thought). I can submit the workarounds if you think it's worth it but I'd rather spend more time on the actual fix first (basically the
OK, I've not followed the work done in this space. It used to be so that My main open/concern is if the failure is related to my PR or flaky tests since it'd be important to have this change for the next release.
IIUC this PR is depending on #483 to get CI passing.
kube-rbac-proxy was historically used to protect the metrics endpoint. However, its usage has been discontinued in Kubebuilder. The default scaffold now leverages the WithAuthenticationAndAuthorization feature provided by controller-runtime. This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for kube-rbac-proxy to secure metrics endpoints.

Upgrade CoCo operator manually to follow the latest scaffolding for WithAuthenticationAndAuthorization.

Signed-off-by: Mikko Ylinen <[email protected]>
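The mechanism the commit message describes, modelled as an added example that is not the operator's or controller-runtime's own code: a metrics handler wrapped in-process by a bearer-token authentication step followed by an RBAC authorization step, which is what kube-rbac-proxy used to do as a sidecar. In controller-runtime the same chain is switched on with `metricsserver.Options{SecureServing: true, FilterProvider: filters.WithAuthenticationAndAuthorization}` and the two checks are real `TokenReview` and `SubjectAccessReview` calls against the API server; here those calls are stand-in interfaces backed by a constructed token table and one constructed rule that grants `get` on the non-resource URL `/metrics` to the `metrics-readers` group. TLS (the `--metrics-secure` / `:8443` part of the patch) is left out. `WithAuthnAuthz`, `NewExampleServer`, `Scrape` and the sample tokens are this example's own names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenReviewer stands in for the TokenReview call the controller-runtime
// filter makes to the API server: token -> authenticated user and groups.
type TokenReviewer interface {
	Review(ctx context.Context, token string) (user string, groups []string, err error)
}

// AccessReviewer stands in for SubjectAccessReview: may this identity perform
// verb on the given non-resource URL?
type AccessReviewer interface {
	Allowed(ctx context.Context, user string, groups []string, verb, path string) (bool, error)
}

// WithAuthnAuthz wraps next with authn then authz, the way the metrics server
// does once WithAuthenticationAndAuthorization is set as the FilterProvider.
func WithAuthnAuthz(tr TokenReviewer, ar AccessReviewer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, prefix) || len(h) == len(prefix) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		user, groups, err := tr.Review(r.Context(), h[len(prefix):])
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Scrapes are GETs, so the RBAC check is "get" on the request path.
		ok, err := ar.Allowed(r.Context(), user, groups, "get", r.URL.Path)
		if err != nil || !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed in-memory stand-ins for the API server (example only).
type identity struct {
	user   string
	groups []string
}
type staticTokens map[string]identity

func (s staticTokens) Review(_ context.Context, tok string) (string, []string, error) {
	id, ok := s[tok]
	if !ok {
		return "", nil, errors.New("token not recognised")
	}
	return id.user, id.groups, nil
}

// nonResourceRule mirrors a ClusterRole rule: verbs on nonResourceURLs, bound to a group.
type nonResourceRule struct{ group, verb, path string }
type staticRBAC []nonResourceRule

func (r staticRBAC) Allowed(_ context.Context, _ string, groups []string, verb, path string) (bool, error) {
	for _, rule := range r {
		for _, g := range groups {
			if rule.group == g && rule.verb == verb && rule.path == path {
				return true, nil
			}
		}
	}
	return false, nil
}

// NewExampleServer builds /metrics protected by the constructed authn/authz data.
func NewExampleServer() http.Handler {
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("controller_runtime_reconcile_total 1\n"))
	})
	tokens := staticTokens{ // constructed sample tokens
		"prom-token": {"system:serviceaccount:monitoring:prometheus", []string{"system:serviceaccounts", "metrics-readers"}},
		"dev-token":  {"alice", []string{"developers"}},
	}
	rbac := staticRBAC{{group: "metrics-readers", verb: "get", path: "/metrics"}}
	mux := http.NewServeMux()
	mux.Handle("/metrics", WithAuthnAuthz(tokens, rbac, metrics))
	return mux
}

// Scrape performs GET /metrics with the given bearer token and returns the HTTP status.
func Scrape(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewExampleServer()
	// anonymous -> 401, authenticated but unbound -> 403, bound group -> 200
	fmt.Println(Scrape(h, ""), Scrape(h, "dev-token"), Scrape(h, "prom-token"))
}
```

The practical consequence for anyone scraping the operator after this change: the scraper's ServiceAccount needs a ClusterRole that grants `get` on the non-resource URL `/metrics` (the `metrics-readers` group above plays that role), and an unauthenticated or unbound scrape is rejected by the manager itself rather than by a sidecar.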
Branch updated from ae7a56d to 9db2021.
value: "--metrics-bind-address=:8443" | ||
- op: add | ||
path: /spec/template/spec/containers/0/args/0 | ||
value: "--metrics-secure" |
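Review bot: inserting `--metrics-secure` at args/0 (and moving the bind address to :8443) makes the default overlay depend on a manager binary that actually defines that flag, and the thread below shows the image currently pinned by default, quay.io/confidential-containers/operator:v0.10.0, refuses to start with `flag provided but not defined: -metrics-secure`. Bump the image tag in config/manager/kustomization.yaml in this same change, or at minimum state the required operator image version in the commit message, so that `make deploy` of the default overlay does not ship a crash-looping controller-manager.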
@mythi I'm using DISABLECVM="true" on a v1.30.6 EKS cluster and the usual way to deploy CAA failed to deploy the controller-manager; in the logs it complains about this argument:
```text
oc logs -n confidential-containers-system pods/cc-operator-controller-manager-78454cf6d8-qj9xg
flag provided but not defined: -metrics-secure
Usage of /manager:
  -cc-runtime-namespace string
        The namespace where CcRuntime secondary resources are created (default "kube-system")
  -health-probe-bind-address string
        The address the probe endpoint binds to. (default ":8081")
  -kubeconfig string
        Paths to a kubeconfig. Only required if out-of-cluster.
  -leader-elect
        Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
  -metrics-bind-address string
        The address the metric endpoint binds to. (default ":8080")
  -peer-pods
        Enable Peerpod controllers.
  -zap-devel
        Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default true)
  -zap-encoder value
        Zap log encoding (one of 'json' or 'console')
  -zap-log-level value
        Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
  -zap-stacktrace-level value
        Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').
  -zap-time-encoding value
        Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'). Defaults to 'epoch'.
```
Removing it helps but my question is are there any new requirements tied to this change?
Note: deploying it via CLOUD_PROVIDER=aws make deploy from cloud-api-adapter...
I see, the problem is that it uses the quay.io/confidential-containers/operator:v0.10.0 image by default, which doesn't support this (and another problem is it uses different labels, resulting in kata not being installed :-/). I'll have to figure out why and whether it's a default or something I set, because if it's the default it needs to be adjusted in order to work out of the box...
Well, looking at the history of https://github.com/confidential-containers/operator/blob/main/config/manager/kustomization.yaml I guess we forgot to update and re-bump to latest a couple of times... @wainersm @fitzthum @fidencio what do you think?
See #488. config/release looks to be the stable deployment with the pinned release versions.
I see, so let's hope it'll be updated soon as currently the latest CAA fails to install due to change of labels and the support for --metrics-secure.
See confidential-containers/trustee-operator#65