Skip to content

Commit b9dd3f5

Browse files
clarify in note that metrics are protected by default via controller-runtime feature
1 parent c3a5806 commit b9dd3f5

File tree

1 file changed

+5
-2
lines changed

1 file changed

+5
-2
lines changed

docs/book/src/reference/metrics.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,10 @@ publishes [a collection of performance metrics](/reference/metrics-reference.md)
88

99
**Images provided under `gcr.io/kubebuilder/` will be unavailable from March 18, 2025.**
1010

11-
Projects initialized with Kubebuilder versions `v3.14` or lower utilize [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) to protect the metrics endpoint. Therefore, you might want to continue using kube-rbac-proxy by simply replacing the image or changing how the metrics endpoint is protected in your project.
11+
**Projects initialized with Kubebuilder versions `v3.14` or lower** utilize [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) to protect the metrics endpoint. Therefore, you might want to continue using kube-rbac-proxy by simply replacing the image or changing how the metrics endpoint is protected in your project.
12+
13+
**However, projects initialized with Kubebuilder versions `v4.1.0` or higher** have a similar protection using authn/authz enabled by default via Controller-Runtime's feature [WithAuthenticationAndAuthorization](https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization).
14+
In this case, you might want to upgrade your project or simply ensure that you have applied the same code changes to it.
1215

1316
- Check the usage in the file `config/default/manager_auth_proxy_patch.yaml` where the [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) container is patched. ([example](https://github.com/kubernetes-sigs/kubebuilder/blob/94a5ab8e52cf416a11428b15ef0f40e4aabbc6ab/testdata/project-v4/config/default/manager_auth_proxy_patch.yaml#L11-L23))
1417
- See the file `/config/default/kustomization.yaml` where the [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) was patched by default previously. ([example](https://github.com/kubernetes-sigs/kubebuilder/blob/94a5ab8e52cf416a11428b15ef0f40e4aabbc6ab/testdata/project-v4/config/default/kustomization.yaml#L29-L33))
@@ -29,10 +32,10 @@ Additionally, ongoing changes and the phase-out of the previous GCP infrastructu
2932

3033
### How the metrics endpoint can be protected ?
3134

35+
- **(Protection enabled by default from release `v4.1.0`)** By using Controller-Runtime's feature [WithAuthenticationAndAuthorization](https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization) which can handle `authn/authz` similar what was provided via `kube-rbac-proxy`.
3236
- By still using [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) and the image provided by the project ([quay.io/brancz/kube-rbac-proxy](https://quay.io/repository/brancz/kube-rbac-proxy)) or from any other source - _(**Not support or promoted by Kubebuilder**)_
3337
- By using NetworkPolicies. ([example](https://github.com/prometheus-operator/kube-prometheus/discussions/1907#discussioncomment-3896712))
3438
- By integrating cert-manager with your metrics service you can secure the endpoint via TLS encryption
35-
- By using Controller-Runtime's new feature added in the [PR](https://github.com/kubernetes-sigs/controller-runtime/pull/1457) which can handle authentication (`authn`), authorization (`authz`) similar to `kube-rbac-proxy`. Also, be aware of the [issue](https://github.com/kubernetes-sigs/controller-runtime/issues/2781).
3639

3740
Further information can be found bellow in this document.
3841

0 commit comments

Comments
 (0)