Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⚠️ Action Required: Replace Deprecated gcr.io/kubebuilder/kube-rbac-proxy #383

Open
camilamacedo86 opened this issue Dec 1, 2024 · 4 comments
Open

⚠️ Action Required: Replace Deprecated gcr.io/kubebuilder/kube-rbac-proxy #383

camilamacedo86 opened this issue Dec 1, 2024 · 4 comments

Comments

@camilamacedo86
Copy link

Description

⚠️ The image gcr.io/kubebuilder/kube-rbac-proxy is deprecated and will become unavailable.
You must move as soon as possible, sometime from early 2025, the GCR will go away.

Unfortunately, we're unable to provide any guarantees regarding timelines or potential extensions at this time. Images provided under GRC will be unavailable from March 18, 2025, as per announcement. However, gcr.io/kubebuilder/may be unavailable before this date due to efforts to deprecate infrastructure.

  • If your project uses gcr.io/kubebuilder/kube-rbac-proxy, it will be affected.
    Your project may fail to work if the image cannot be pulled. You must take action as soon as possible.

  • However, if your project is no longer using this image, no action is required, and you can close this issue.

Using the image gcr.io/kubebuilder/kube-rbac-proxy?

kube-rbac-proxy was historically used to protect the metrics endpoint. However, its usage has been discontinued in Kubebuilder. The default scaffold now leverages the WithAuthenticationAndAuthorization feature provided by Controller-Runtime.

This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for (https://github.com/brancz/kube-rbac-proxy) to secure metrics endpoints.

What To Do?

You must replace the deprecated image gcr.io/kubebuilder/kube-rbac-proxy with an alternative approach. For example:

  • Update your project to use WithAuthenticationAndAuthorization:

    You can fully upgrade your project to use the latest scaffolds provided by the tool or manually make the necessary changes. Refer to the FAQ and Discussion for detailed instructions on how to manually update your project and test the changes.

  • Alternatively, replace the image with another trusted source at your own risk, as its usage has been discontinued in Kubebuilder.

For further information, suggestions, and guidance:

NOTE: This issue was opened automatically as part of our efforts to identify projects that might be affected and to raise awareness about this change within the community. If your project is no longer using this image, feel free to close this issue.

We sincerely apologize for any inconvenience this may cause.

Thank you for your cooperation and understanding! 🙏
@aleskandro
Copy link
Member

Hi @camilamacedo86! I think we've addressed this issue in #257 already and this can be closed.

@camilamacedo86
Copy link
Author

camilamacedo86 commented Dec 1, 2024
edited
Loading

Hi @aleskandro

Thank you for checking it. That is great, seems that you are already using the feature provided by controller-runtime in:

multiarch-tuning-operator/main.go

Lines 138 to 142 in be80129

Metrics: metricsserver.Options{
BindAddress: metricsAddr,
CertDir: certDir,
FilterProvider: filters.WithAuthenticationAndAuthorization,
SecureServing: true,

However, I still able to check the usage of the image in https://github.com/openshift/multiarch-tuning-operator/blob/main/config/default/manager_auth_proxy_patch.yaml

That is why the project was returned in the scripts to find projects that need to move forward.

I would like to suggest you check out the FAQ section: "How can I manually change my project to switch to Controller-Runtime's built-in auth protection?" for detailed instructions. You can either re-scaffold a project with the latest version of the tool and compare it with your project using IDE to ensure that you have all changes in place.

Thank you very much for your attention on this matter.

@aleskandro
Copy link
Member

aleskandro commented Dec 1, 2024
edited
Loading

You're right, we kept that patch file but is not used in the kustomization. We can better check and remove any other references.

Thanks!

@camilamacedo86
Copy link
Author

Hi @aleskandro

So, you can close this one by removing the file that is no longer used.
I did not find a reference to the patch, which is great !!!

For a follow-up, I think you should consider passing the certs for the server so that you can improve its security.
Otherwise, the controller runtime will create those which are not really recommended for prod. But that would be another task. See the code in :

https://github.com/kubernetes-sigs/kubebuilder/pull/4400/files#diff-3469d8c23653836d5f1e9bf30535595ae76aaa445485f8d9d7165d687805c424R150-R167

The above PR is for we introduce a feature to help kubebuilder users.
It seems that you can use OpenShift's certificate management.

I hope that helps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@camilamacedo86 @aleskandro