Is kube-rbac-proxy required?

[micahhausler]

User Story

As a [distributor of Cluster-API] I would like to [distribute container images for CAPI] for [reasons].

Detailed Description

kube-rbac-proxy seems like a great project, and this is not meant to imply any mistrust of @brancz or his work, but distributing a security proxy that is a developer's personal project is concerning from both a a supply-chain and governance point of view.

Can someone clarify if kube-rbac-proxy is a required sidecar for CAPI controllers? If it is not, can templates and documentation be updated to reflect that and provide installation instructions that don't require it?

Anything else you would like to add:

My initial read is that kube-rbac-proxy is just being used to guard /metrics endpoints for Prometheus, but is there more to it then that?

/kind feature
/kind documentation

[brancz]

I don't know about cluster-api things, but FWIW I've attempted to donate kube-rbac-proxy to sig-auth, and there was interest from sig-auth to adopt it, I just don't have the time to make this happen right now. I think @s-urbaniak wanted to continue this.

[s-urbaniak]

Indeed yes, I would love to help in contributing kube-rbac-proxy to sig-auth! We use it in various places and maintain it continuously.

@micahhausler quick question: what are CAPI controllers? To answer your question: generally, kube-rbac-proxy can be used in front of any endpoint that requires authentication/authorization based on kubernetes tokens. Internally, it uses token reviews (optionally delegating to oidc servers) and subject access reviews.

@deads2k (cc @stlaz) do you, by any chance have any additional pointers how we can proceed with sig-auth donation?

[vincepri]

Hi folks! Trying to connect this conversation to other individuals.

FWIW, we're using kube-rbac-proxy because Cluster API is a project based on Kubebuilder.

[vincepri]

/milestone Next
/area dependency

[vincepri]

@brancz Would you be able to send an email to both SIG Auth and SIG API Machinery mailing lists to ask to adopt the project under the kubernetes-sigs org? We should make it clear that this project is used in all of Kubebuilder projects, and it has so far provided great value to the community. In addition, having it under the kubernetes-sigs can have the good side effect of increasing contribution and adoption even more.

[s-urbaniak]

@brancz willing to send out the email from my side just to offload you unless it is necessary for the original maintainer to do so.

[micahhausler]

kube-rbac-proxy seems like a great k8s-sigs addition. From assisting with other projects in the past, here are the steps for external projects to be donated

Can I get an answer to this original question?

My initial read is that kube-rbac-proxy is just being used to guard /metrics endpoints for Prometheus, but is there more to it then that?

[s-urbaniak]

@micahhausler yes, as mentioned above it can be used in any context where token based authentication/authorization is necessary inside the cluster. For instance, we use it (in OpenShift) as well to protect user access to the Prometheus UI, the Alertmanager UI, Thanos UI, etc. kube-rbac-proxy is dynamic in its configuration against which resources you want to have protection against and we plan to make a local static authorizer (to reduce API server load) as well.

Does that answer your question?

[micahhausler]

Does that answer your question?

Not quite. I understand how it works in the general sense, but I'm asking specifically about cluster-api. Are there non-metrics endpoints being protected, or is it exclusively used for metrics protection?

[s-urbaniak]

Ah sorry, I am not involved in cluster-api, so maybe others can chime in.

[vincepri]

@micahhausler I don't think so, but we need to double check. This might warrant a little poc to see what would break.