k8snetworkplumbingwg · zeeke · Mar 20, 2026 · gemini-code-assist · Mar 20, 2026
diff --git a/bindata/manifests/metrics-exporter/metrics-daemonset.yaml b/bindata/manifests/metrics-exporter/metrics-daemonset.yaml
@@ -25,7 +25,11 @@ spec:
       containers:
       - name: metrics-exporter
         args:
-        - --web.listen-address=127.0.0.1:{{.MetricsExporterPort}}
+        - --web.listen-address=[$(HOST_IP)]:{{.MetricsExporterPort}}
+        - --tls-cert-file=/etc/metrics/tls.crt
+        - --tls-private-key-file=/etc/metrics/tls.key
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        - --authentication-and-authorization
         - --path.kubecgroup=/sys/fs/cgroup
         - --path.sysbuspci=/host/sys/bus/pci/devices/
         - --path.sysclassnet=/host/sys/class/net/
@@ -35,14 +39,22 @@ spec:
         - --collector.vfstatspriority=netlink,sysfs
         image: {{.Image}}
         imagePullPolicy: IfNotPresent
+        ports:
+          - containerPort: {{.MetricsExporterPort}}
+            name: https-metrics
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
         resources:
           requests:
             memory: 100Mi
             cpu: 100m
         securityContext:
           capabilities:
             drop:
-              - ALL      
+              - ALL
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
         volumeMounts:
@@ -60,35 +72,9 @@ spec:
         - mountPath: /host/cpu_manager_state
           name: cpucheckpoint
           readOnly: true
-      - name: kube-rbac-proxy
-        image: '{{.MetricsExporterKubeRbacProxyImage}}'
-        imagePullPolicy: IfNotPresent
-        args:
-          - --logtostderr
-          - --secure-listen-address=[$(HOST_IP)]:{{.MetricsExporterPort}}
-          - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-          - --upstream=http://127.0.0.1:{{.MetricsExporterPort}}/
-          - --tls-private-key-file=/etc/metrics/tls.key
-          - --tls-cert-file=/etc/metrics/tls.crt
-        ports:
-          - containerPort: {{.MetricsExporterPort}}
-            name: https-metrics
-        env:
-          - name: HOST_IP
-            valueFrom:
-              fieldRef:
-                fieldPath: status.hostIP
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-        resources:
-          requests:
-            cpu: 10m
-            memory: 20Mi
-        volumeMounts:
-          - name: metrics-certs
-            mountPath: /etc/metrics
-            readOnly: true
+        - name: metrics-certs
+          mountPath: /etc/metrics
+          readOnly: true
       nodeSelector:
         {{- range $key, $value := .NodeSelectorField }}
           {{ $key }}: "{{ $value }}"

diff --git a/controllers/sriovoperatorconfig_controller.go b/controllers/sriovoperatorconfig_controller.go
@@ -254,8 +254,6 @@ func (r *SriovOperatorConfigReconciler) syncMetricsExporter(ctx context.Context,
 	data.Data["ImagePullSecrets"] = GetImagePullSecrets()
 	data.Data["MetricsExporterSecretName"] = os.Getenv("METRICS_EXPORTER_SECRET_NAME")
 	data.Data["MetricsExporterPort"] = os.Getenv("METRICS_EXPORTER_PORT")
-	data.Data["MetricsExporterKubeRbacProxyImage"] = os.Getenv("METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE")
-
 	data.Data["IsOpenshift"] = r.Orchestrator.ClusterType() == consts.ClusterTypeOpenshift
 
 	data.Data["IsPrometheusOperatorInstalled"] = strings.ToLower(os.Getenv("METRICS_EXPORTER_PROMETHEUS_OPERATOR_ENABLED")) == trueString

diff --git a/controllers/suite_test.go b/controllers/suite_test.go
@@ -150,8 +150,6 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	err = os.Setenv("METRICS_EXPORTER_PORT", "9110")
 	Expect(err).NotTo(HaveOccurred())
-	err = os.Setenv("METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE", "mock-image")
-	Expect(err).NotTo(HaveOccurred())
 	err = os.Setenv("METRICS_EXPORTER_PROMETHEUS_OPERATOR_SERVICE_ACCOUNT", "k8s-prometheus")
 	Expect(err).NotTo(HaveOccurred())
 	err = os.Setenv("METRICS_EXPORTER_PROMETHEUS_OPERATOR_NAMESPACE", "default")

diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -81,8 +81,6 @@ spec:
               value: $SRIOV_NETWORK_WEBHOOK_IMAGE
             - name: METRICS_EXPORTER_IMAGE
               value: $METRICS_EXPORTER_IMAGE
-            - name: METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE
-              value: $METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE
             - name: METRICS_EXPORTER_PROMETHEUS_OPERATOR_ENABLED
               value: "$METRICS_EXPORTER_PROMETHEUS_OPERATOR_ENABLED"
             - name: METRICS_EXPORTER_PROMETHEUS_DEPLOY_RULES

diff --git a/deployment/sriov-network-operator-chart/README.md b/deployment/sriov-network-operator-chart/README.md
@@ -157,7 +157,6 @@ Upon chart deletion, those files are not cleaned up. For cases where this is not
 | `images.resourcesInjector` | Resources Injector image |
 | `images.webhook` | Operator Webhook image |
 | `images.metricsExporter` | Network Metrics Exporter image |
-| `images.metricsExporterKubeRbacProxy` | Kube RBAC Proxy image used for metrics exporter |
 
 ### Extra objects parameters
 

diff --git a/deployment/sriov-network-operator-chart/templates/operator.yaml b/deployment/sriov-network-operator-chart/templates/operator.yaml
@@ -85,8 +85,6 @@ spec:
               value: "{{ .Values.operator.metricsExporter.port }}"
             - name: METRICS_EXPORTER_SECRET_NAME
               value: {{ .Values.operator.metricsExporter.certificates.secretName }}
-            - name: METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE
-              value: {{ .Values.images.metricsExporterKubeRbacProxy }}
             {{- if .Values.operator.externalDrainer.enabled }}
             - name: USE_EXTERNAL_DRAINER
               value: {{ .Values.operator.externalDrainer.enabled | quote }}

diff --git a/deployment/sriov-network-operator-chart/values.yaml b/deployment/sriov-network-operator-chart/values.yaml
@@ -133,7 +133,6 @@ images:
   resourcesInjector: ghcr.io/k8snetworkplumbingwg/network-resources-injector
   webhook: ghcr.io/k8snetworkplumbingwg/sriov-network-operator-webhook
   metricsExporter: ghcr.io/k8snetworkplumbingwg/sriov-network-metrics-exporter
-  metricsExporterKubeRbacProxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
 
 imagePullSecrets: []
 extraDeploy: []
diff --git a/hack/env.sh b/hack/env.sh
@@ -13,7 +13,6 @@ if [ -z $SKIP_VAR_SET ]; then
         export SRIOV_NETWORK_WEBHOOK_IMAGE=${SRIOV_NETWORK_WEBHOOK_IMAGE:-ghcr.io/k8snetworkplumbingwg/sriov-network-operator-webhook}
         export METRICS_EXPORTER_IMAGE=${METRICS_EXPORTER_IMAGE:-ghcr.io/k8snetworkplumbingwg/sriov-network-metrics-exporter}
         export SRIOV_NETWORK_OPERATOR_IMAGE=${SRIOV_NETWORK_OPERATOR_IMAGE:-ghcr.io/k8snetworkplumbingwg/sriov-network-operator}
-        export METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE=${METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE:-gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0}
         fail_msg_detect="is empty and failed to detect"
 else
         fail_msg_detect="is empty but SKIP_VAR_SET is set"
@@ -23,7 +22,6 @@ fi
 OVS_CNI_IMAGE=${OVS_CNI_IMAGE:-}
 # ensure that RDMA_CNI_IMAGE is set, empty string is a valid value
 RDMA_CNI_IMAGE=${RDMA_CNI_IMAGE:-}
-METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE=${METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE:-}
 [ -z $SRIOV_CNI_IMAGE ] && echo "SRIOV_CNI_IMAGE $fail_msg_detect" && exit 1
 [ -z $SRIOV_INFINIBAND_CNI_IMAGE ] && echo "SRIOV_INFINIBAND_CNI_IMAGE $fail_msg_detect" && exit 1
 [ -z $SRIOV_DEVICE_PLUGIN_IMAGE ] && echo "SRIOV_DEVICE_PLUGIN_IMAGE $fail_msg_detect" && exit 1