diff --git a/.github/workflows/helm-test-workflow.yml b/.github/workflows/helm-test-workflow.yml index e49a9865f..f69bcf7d2 100644 --- a/.github/workflows/helm-test-workflow.yml +++ b/.github/workflows/helm-test-workflow.yml @@ -4,6 +4,7 @@ on: branches: - develop - main + - bugfix/remove-rbac-bindings - feature** jobs: build-operator-image: diff --git a/config/debug/manager_auth_proxy_patch.yaml b/config/debug/manager_auth_proxy_patch.yaml deleted file mode 100644 index 2d31fa4ec..000000000 --- a/config/debug/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,44 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - metadata: - labels: - control-plane: controller-manager - name: splunk-operator - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - "ALL" - add: - - "NET_BIND_SERVICE" - seccompProfile: - type: "RuntimeDefault" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi diff --git a/config/default/kustomization-cluster.yaml b/config/default/kustomization-cluster.yaml index fa36d8a21..81d09b56f 100644 --- a/config/default/kustomization-cluster.yaml +++ b/config/default/kustomization-cluster.yaml 
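Review bot: The `bugfix/remove-rbac-bindings` entry added under `branches` is a single branch name that becomes dead configuration once that branch is merged and deleted, unlike the `feature**` glob next to it. If bugfix branches should run this workflow, a glob such as `- bugfix/**` covers them all; otherwise drop the line before merge.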
@@ -27,11 +27,6 @@ bases: #- ../prometheus patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml - # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index fa36d8a21..81d09b56f 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -27,11 +27,6 @@ bases: #- ../prometheus patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml - # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 2d31fa4ec..000000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - metadata: - labels: - control-plane: controller-manager - name: splunk-operator - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - "ALL" - add: - - "NET_BIND_SERVICE" - seccompProfile: - type: "RuntimeDefault" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 80e1857c5..000000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 71f179727..000000000 --- a/config/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager 
diff --git a/config/rbac/kustomization-cluster.yaml b/config/rbac/kustomization-cluster.yaml index 731832a6a..166fe7986 100644 --- a/config/rbac/kustomization-cluster.yaml +++ b/config/rbac/kustomization-cluster.yaml @@ -9,10 +9,3 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 731832a6a..445ca4783 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -9,10 +9,7 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +- metrics_auth_proxy_role.yaml +- metrics_auth_proxy_role_binding.yaml +- metrics_reader_role.yaml +- metrics_reader_role_binding.yaml diff --git a/config/rbac/metrics_auth_proxy_role.yaml b/config/rbac/metrics_auth_proxy_role.yaml new file mode 100644 index 000000000..87a16f461 --- /dev/null +++ b/config/rbac/metrics_auth_proxy_role.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-auth-proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] \ No newline at end of file 
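Review bot: `metrics_auth_proxy_role.yaml` grants `create` on `tokenreviews` and `subjectaccessreviews`, permissions that exist only so a kube-rbac-proxy sidecar can authenticate and authorize scrapers, yet this same commit deletes that sidecar patch (`manager_auth_proxy_patch.yaml`) and the `controller-manager-metrics-service` in front of it; binding the role to `controller-manager` leaves a cluster-wide permission with no consumer. Either keep the sidecar or drop `- metrics_auth_proxy_role.yaml` and `- metrics_auth_proxy_role_binding.yaml` from `config/rbac/kustomization.yaml` so the ServiceAccount holds only what the operator itself uses. The two kustomizations now diverge — `kustomization-cluster.yaml` removes the four auth-proxy entries outright while `kustomization.yaml` replaces them with four `metrics_*` files — and the Helm chart deletes its proxy role, binding and service entirely, so it is unclear which layout is intended. Since the comment removed from `config/default/kustomization.yaml` described the proxy as the only authn/z in front of `/metrics`, confirm that the manager's metrics bind address is loopback-only or otherwise restricted once the proxy is gone; that setting is not in this diff. The new file also ends without a trailing newline (`\ No newline at end of file`).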
diff --git a/config/rbac/metrics_auth_proxy_role_binding.yaml b/config/rbac/metrics_auth_proxy_role_binding.yaml new file mode 100644 index 000000000..f8fd9b880 --- /dev/null +++ b/config/rbac/metrics_auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-auth-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-auth-proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system \ No newline at end of file diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/metrics_reader_role.yaml similarity index 66% rename from config/rbac/auth_proxy_client_clusterrole.yaml rename to config/rbac/metrics_reader_role.yaml index 51a75db47..275dad16c 100644 --- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/config/rbac/metrics_reader_role.yaml @@ -3,7 +3,5 @@ kind: ClusterRole metadata: name: metrics-reader rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get +- nonResourceURLs: ["/metrics"] + verbs: ["get"] \ No newline at end of file diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/metrics_reader_role_binding.yaml similarity index 72% rename from config/rbac/auth_proxy_role_binding.yaml rename to config/rbac/metrics_reader_role_binding.yaml index ec7acc0a1..76e70fdff 100644 --- a/config/rbac/auth_proxy_role_binding.yaml +++ b/config/rbac/metrics_reader_role_binding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-reader-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-reader subjects: - kind: ServiceAccount name: controller-manager - namespace: system + namespace: system \ No newline at end of file 
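Review bot: `metrics_reader_role_binding.yaml` now binds the `metrics-reader` ClusterRole (`get` on `/metrics`) to the `controller-manager` ServiceAccount, but the operator has no reason to read its own metrics endpoint; that role was previously unbound (as `auth_proxy_client_clusterrole.yaml`) so that scraping clients could be bound to it per cluster. Together with `metrics_auth_proxy_role_binding.yaml`, the ServiceAccount ends up holding both the proxy's review permissions and the reader permission while the proxy itself is removed in this commit; consider leaving `metrics-reader` unbound by default and binding it only to the scraper's identity. The last hunk of `metrics_reader_role_binding.yaml` rewrites `namespace: system` only to drop its trailing newline, and all three files on this line end with `\ No newline at end of file` — restore the newline.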
diff --git a/helm-chart/splunk-operator/templates/rbac/auth_proxy_client_clusterrole.yaml b/helm-chart/splunk-operator/templates/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index efc7bca74..000000000 --- a/helm-chart/splunk-operator/templates/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if .Values.splunkOperator.clusterWideAccess }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "splunk-operator.operator.fullname" . }}-metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get -{{- end }} \ No newline at end of file diff --git a/helm-chart/splunk-operator/templates/rbac/auth_proxy_role.yaml b/helm-chart/splunk-operator/templates/rbac/auth_proxy_role.yaml deleted file mode 100644 index b6605bd57..000000000 --- a/helm-chart/splunk-operator/templates/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if .Values.splunkOperator.clusterWideAccess }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "splunk-operator.operator.fullname" . }}-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -{{- else }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "splunk-operator.operator.fullname" . }}-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -{{- end }} \ No newline at end of file diff --git a/helm-chart/splunk-operator/templates/rbac/auth_proxy_role_binding.yaml b/helm-chart/splunk-operator/templates/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index a560aba9f..000000000 
--- a/helm-chart/splunk-operator/templates/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.splunkOperator.clusterWideAccess }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "splunk-operator.operator.fullname" . }}-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "splunk-operator.operator.fullname" . }}-proxy-role -subjects: -- kind: ServiceAccount - name: {{ include "splunk-operator.operator.fullname" . }}-controller-manager - namespace: {{ include "splunk-operator.namespace" . }} -{{- end }} \ No newline at end of file diff --git a/helm-chart/splunk-operator/templates/rbac/auth_proxy_service.yaml b/helm-chart/splunk-operator/templates/rbac/auth_proxy_service.yaml deleted file mode 100644 index cf4e7f13b..000000000 --- a/helm-chart/splunk-operator/templates/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: -{{- include "splunk-operator.labels" . | nindent 4 }} - name: {{ include "splunk-operator.operator.fullname" . }}-controller-manager-metrics-service - namespace: {{ include "splunk-operator.namespace" . }} -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: -{{- include "splunk-operator.selectorLabels" . | nindent 4 }}