
Commit a227e64

author
Mengqi Yu
committed
✨ scaffold auth proxy
1 parent 001b3ad commit a227e64


13 files changed

+357
-5
lines changed


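--- a/cmd/init_project.go
+++ b/cmd/init_project.go
@@ -35,6 +35,7 @@ import (
 "sigs.k8s.io/kubebuilder/pkg/scaffold/input"
 "sigs.k8s.io/kubebuilder/pkg/scaffold/manager"
 "sigs.k8s.io/kubebuilder/pkg/scaffold/project"
+"sigs.k8s.io/kubebuilder/pkg/scaffold/resource"
 )
 
 func newInitProjectCmd() *cobra.Command {
@@ -143,7 +144,11 @@ func (o *projectOptions) runInit() {
 &project.GitIgnore{},
 &project.Kustomize{},
 &project.KustomizeImagePatch{},
-&project.KustomizePrometheusMetricsPatch{})
+&project.KustomizePrometheusMetricsPatch{},
+&project.KustomizeAuthProxyPatch{},
+&resource.AuthProxyService{},
+&resource.AuthProxyRole{},
+&resource.AuthProxyRoleBinding{})
 if err != nil {
 log.Fatal(err)
 }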

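--- a/pkg/scaffold/manager/cmd.go
+++ b/pkg/scaffold/manager/cmd.go
@@ -57,6 +57,8 @@ import (
 )
 
 func main() {
+var metricsAddr string
+flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 flag.Parse()
 logf.SetLogger(logf.ZapLogger(false))
 log := logf.Log.WithName("entrypoint")
@@ -71,7 +73,7 @@ func main() {
 
 // Create a new Cmd to provide shared dependencies and start components
 log.Info("setting up manager")
-mgr, err := manager.New(cfg, manager.Options{})
+mgr, err := manager.New(cfg, manager.Options{MetricsBindAddress: metricsAddr})
 if err != nil {
 log.Error(err, "unable to set up overall controller manager")
 os.Exit(1)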
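Review bot: The new `--metrics-addr` default of `:8080` binds the manager's unauthenticated metrics endpoint on every pod interface, and only the auth-proxy patch (which passes `--metrics-addr=127.0.0.1:8080`) narrows it to loopback; any deployment that drops or comments out that patch serves /metrics to the whole pod network. At minimum the flag help should say so, e.g. `flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to. Use a loopback address (e.g. 127.0.0.1:8080) when /metrics is fronted by kube-rbac-proxy.")`. A loopback default, with the unauthenticated Prometheus patch opting back into `:8080`, would fail closed instead, but that patch is not in this commit so I can't tell whether it sets the flag. main() continues outside the hunk.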

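--- a/pkg/scaffold/project/kustomize.go
+++ b/pkg/scaffold/project/kustomize.go
@@ -74,10 +74,25 @@ resources:
 - ../rbac/rbac_role.yaml
 - ../rbac/rbac_role_binding.yaml
 - ../manager/manager.yaml
+# Comment the following 3 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- ../rbac/auth_proxy_service.yaml
+- ../rbac/auth_proxy_role.yaml
+- ../rbac/auth_proxy_role_binding.yaml
 
 patches:
 - manager_image_patch.yaml
-- manager_prometheus_metrics_patch.yaml
+# Protect the /metrics endpoint by putting it behind auth.
+# Only one of manager_auth_proxy_patch.yaml and
+# manager_prometheus_metrics_patch.yaml should be enabled.
+- manager_auth_proxy_patch.yaml
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, uncomment the following line and
+# comment manager_auth_proxy_patch.yaml.
+# Only one of manager_auth_proxy_patch.yaml and
+# manager_prometheus_metrics_patch.yaml should be enabled.
+#- manager_prometheus_metrics_patch.yaml
 
 vars:
 - name: WEBHOOK_SECRET_NAME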
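Review bot: The scaffolded instructions toggle the proxy in two independent places — the three `../rbac/auth_proxy_*.yaml` resources and the `manager_auth_proxy_patch.yaml` patch — but nothing ties them together, so a user who follows "Comment the following 3 lines" and leaves the patch enabled gets a sidecar listening on `0.0.0.0:8443` with no Service, while one who swaps the patch but keeps the resources gets a Service with https scrape annotations pointing at a port no container serves. Mutual exclusion of the two patches is likewise only asserted in a comment, so listing both is not caught anywhere. Suggested wording for the resources block: `# To disable the auth proxy, comment out these 3 lines AND replace manager_auth_proxy_patch.yaml with manager_prometheus_metrics_patch.yaml under patches below.` These lines sit inside a Go raw-string template whose start and end are outside the hunk.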
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
/*
2+
Copyright 2018 The Kubernetes Authors.
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
http://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
*/
16+
17+
package project
18+
19+
import (
20+
"path/filepath"
21+
22+
"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
23+
)
24+
25+
var _ input.File = &KustomizeAuthProxyPatch{}
26+
27+
// KustomizeAuthProxyPatch scaffolds the patch file for enabling
28+
// prometheus metrics for manager Pod.
29+
type KustomizeAuthProxyPatch struct {
30+
input.Input
31+
}
32+
33+
// GetInput implements input.File
34+
func (c *KustomizeAuthProxyPatch) GetInput() (input.Input, error) {
35+
if c.Path == "" {
36+
c.Path = filepath.Join("config", "default", "manager_auth_proxy_patch.yaml")
37+
}
38+
c.TemplateBody = kustomizeAuthProxyPatchTemplate
39+
c.Input.IfExistsAction = input.Error
40+
return c.Input, nil
41+
}
42+
43+
var kustomizeAuthProxyPatchTemplate = `# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
44+
# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
45+
apiVersion: apps/v1
46+
kind: StatefulSet
47+
metadata:
48+
name: controller-manager
49+
namespace: system
50+
spec:
51+
template:
52+
spec:
53+
containers:
54+
- name: kube-rbac-proxy
55+
image: quay.io/brancz/kube-rbac-proxy:v0.4.0
56+
args:
57+
- "--secure-listen-address=0.0.0.0:8443"
58+
- "--upstream=http://127.0.0.1:8080/"
59+
- "--logtostderr=true"
60+
- "--v=10"
61+
ports:
62+
- containerPort: 8443
63+
name: https
64+
- name: manager
65+
args:
66+
- "--metrics-addr=127.0.0.1:8080"
67+
`
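Review bot: The sidecar is scaffolded with `--v=10`, kube-rbac-proxy's maximum log verbosity, which is a debug setting that will fill the manager pod's logs with per-request detail on every scrape and, depending on the proxy version, may echo request headers that carry bearer tokens — drop the flag or use `--v=0` in the template. The type comment is copy-pasted from the Prometheus patch: `// KustomizeAuthProxyPatch scaffolds the patch file for enabling prometheus metrics for manager Pod.` should read `// KustomizeAuthProxyPatch scaffolds config/default/manager_auth_proxy_patch.yaml, which adds a kube-rbac-proxy sidecar in front of the manager's /metrics endpoint.`, and the template's first line should say `# This patch injects a sidecar container ...`. Note also that no `--tls-cert-file`/`--tls-private-key-file` is passed, so as far as I can tell the proxy will serve a self-signed certificate and scrapers will have to skip verification; a comment in the template saying so would save users a surprise.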
Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
/*
2+
Copyright 2018 The Kubernetes Authors.
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
http://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
*/
16+
17+
package resource
18+
19+
import (
20+
"path/filepath"
21+
22+
"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
23+
)
24+
25+
var _ input.File = &AuthProxyRole{}
26+
27+
// AuthProxyRole scaffolds the config/rbac/auth_proxy_role.yaml file
28+
type AuthProxyRole struct {
29+
input.Input
30+
31+
// Resource is a resource in the API group
32+
Resource *Resource
33+
}
34+
35+
// GetInput implements input.File
36+
func (r *AuthProxyRole) GetInput() (input.Input, error) {
37+
if r.Path == "" {
38+
r.Path = filepath.Join("config", "rbac", "auth_proxy_role.yaml")
39+
}
40+
r.TemplateBody = proxyRoleTemplate
41+
return r.Input, nil
42+
}
43+
44+
var proxyRoleTemplate = `apiVersion: rbac.authorization.k8s.io/v1
45+
kind: ClusterRole
46+
metadata:
47+
name: proxy-role
48+
rules:
49+
- apiGroups: ["authentication.k8s.io"]
50+
resources:
51+
- tokenreviews
52+
verbs: ["create"]
53+
- apiGroups: ["authorization.k8s.io"]
54+
resources:
55+
- subjectaccessreviews
56+
verbs: ["create"]
57+
`
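Review bot: `proxy-role` only covers what the proxy itself needs (creating TokenReviews and SubjectAccessReviews); nothing in this commit grants any subject the permission the proxy will check on a scrape, which — with no `--config-file` in the sidecar args — I believe is `get` on the `/metrics` nonResourceURL. Until a ClusterRole such as `rules: [{nonResourceURLs: ["/metrics"], verbs: ["get"]}]` is scaffolded (or at least documented) and bound to the scraper's ServiceAccount, every request through the proxy will be denied, and the likely user response is to switch back to the unauthenticated patch. Separately, the `Resource *Resource` field is never referenced by `proxyRoleTemplate` and can be dropped from this type.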
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
/*
2+
Copyright 2018 The Kubernetes Authors.
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
http://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
*/
16+
17+
package resource
18+
19+
import (
20+
"path/filepath"
21+
22+
"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
23+
)
24+
25+
var _ input.File = &AuthProxyRoleBinding{}
26+
27+
// AuthProxyRoleBinding scaffolds the config/rbac/auth_proxy_role_binding_rbac.yaml file
28+
type AuthProxyRoleBinding struct {
29+
input.Input
30+
31+
// Resource is a resource in the API group
32+
Resource *Resource
33+
}
34+
35+
// GetInput implements input.File
36+
func (r *AuthProxyRoleBinding) GetInput() (input.Input, error) {
37+
if r.Path == "" {
38+
r.Path = filepath.Join("config", "rbac", "auth_proxy_role_binding.yaml")
39+
}
40+
r.TemplateBody = proxyRoleBindinggTemplate
41+
return r.Input, nil
42+
}
43+
44+
var proxyRoleBindinggTemplate = `apiVersion: rbac.authorization.k8s.io/v1
45+
kind: ClusterRoleBinding
46+
metadata:
47+
name: proxy-rolebinding
48+
roleRef:
49+
apiGroup: rbac.authorization.k8s.io
50+
kind: ClusterRole
51+
name: proxy-role
52+
subjects:
53+
- kind: ServiceAccount
54+
name: default
55+
namespace: system
56+
`
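Review bot: `proxy-rolebinding` binds cluster-wide TokenReview/SubjectAccessReview creation to the `default` ServiceAccount of the `system` namespace, so every pod in that namespace that does not set its own `serviceAccountName` inherits the ability to validate arbitrary tokens and enumerate any subject's permissions; a dedicated ServiceAccount for the controller-manager, referenced from the StatefulSet (which is not in this commit), would confine that grant to the pod that actually runs the proxy. Conversely, if the StatefulSet already specifies a different ServiceAccount, this binding does not apply to the sidecar at all — worth confirming either way. The doc comment names a file that is not scaffolded: `// AuthProxyRoleBinding scaffolds the config/rbac/auth_proxy_role_binding_rbac.yaml file` should be `// AuthProxyRoleBinding scaffolds the config/rbac/auth_proxy_role_binding.yaml file`, and `proxyRoleBindinggTemplate` has a doubled `g`.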
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
/*
2+
Copyright 2018 The Kubernetes Authors.
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
http://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
*/
16+
17+
package resource
18+
19+
import (
20+
"path/filepath"
21+
22+
"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
23+
)
24+
25+
var _ input.File = &AuthProxyService{}
26+
27+
// AuthProxyService scaffolds the config/rbac/auth_proxy_role.yaml file
28+
type AuthProxyService struct {
29+
input.Input
30+
31+
// Resource is a resource in the API group
32+
Resource *Resource
33+
}
34+
35+
// GetInput implements input.File
36+
func (r *AuthProxyService) GetInput() (input.Input, error) {
37+
if r.Path == "" {
38+
r.Path = filepath.Join("config", "rbac", "auth_proxy_service.yaml")
39+
}
40+
r.TemplateBody = AuthProxyServiceTemplate
41+
return r.Input, nil
42+
}
43+
44+
var AuthProxyServiceTemplate = `apiVersion: v1
45+
kind: Service
46+
metadata:
47+
annotations:
48+
prometheus.io/port: "8443"
49+
prometheus.io/scheme: https
50+
prometheus.io/scrape: "true"
51+
labels:
52+
control-plane: controller-manager
53+
controller-tools.k8s.io: "1.0"
54+
name: controller-manager-metrics-service
55+
namespace: system
56+
spec:
57+
ports:
58+
- name: https
59+
port: 8443
60+
targetPort: https
61+
selector:
62+
control-plane: controller-manager
63+
controller-tools.k8s.io: "1.0"
64+
`
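Review bot: The doc comment is wrong for this type — `// AuthProxyService scaffolds the config/rbac/auth_proxy_role.yaml file` should be `// AuthProxyService scaffolds the config/rbac/auth_proxy_service.yaml file, the Service that exposes the kube-rbac-proxy sidecar's https port for scraping.` `AuthProxyServiceTemplate` is exported while the sibling `proxyRoleTemplate`/`proxyRoleBindinggTemplate` are not; name it `authProxyServiceTemplate` unless something outside this commit needs it. The `prometheus.io/scheme: https` annotation directs scrapers at a proxy that, per the sidecar args elsewhere in this commit, is given no certificate, so they will have to tolerate a self-signed cert (presumably via `insecure_skip_verify`); the template could carry a comment saying so, and the unused `Resource *Resource` field can go.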

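--- a/test/project/cmd/manager/main.go
+++ b/test/project/cmd/manager/main.go
@@ -31,6 +31,8 @@ import (
 )
 
 func main() {
+var metricsAddr string
+flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 flag.Parse()
 logf.SetLogger(logf.ZapLogger(false))
 log := logf.Log.WithName("entrypoint")
@@ -45,7 +47,7 @@ func main() {
 
 // Create a new Cmd to provide shared dependencies and start components
 log.Info("setting up manager")
-mgr, err := manager.New(cfg, manager.Options{})
+mgr, err := manager.New(cfg, manager.Options{MetricsBindAddress: metricsAddr})
 if err != nil {
 log.Error(err, "unable to set up overall controller manager")
 os.Exit(1)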

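--- a/test/project/config/default/kustomization.yaml
+++ b/test/project/config/default/kustomization.yaml
@@ -21,10 +21,25 @@ resources:
 - ../rbac/rbac_role.yaml
 - ../rbac/rbac_role_binding.yaml
 - ../manager/manager.yaml
+# Comment the following 3 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- ../rbac/auth_proxy_service.yaml
+- ../rbac/auth_proxy_role.yaml
+- ../rbac/auth_proxy_role_binding.yaml
 
 patches:
 - manager_image_patch.yaml
-- manager_prometheus_metrics_patch.yaml
+# Protect the /metrics endpoint by putting it behind auth.
+# Only one of manager_auth_proxy_patch.yaml and
+# manager_prometheus_metrics_patch.yaml should be enabled.
+- manager_auth_proxy_patch.yaml
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, uncomment the following line and
+# comment manager_auth_proxy_patch.yaml.
+# Only one of manager_auth_proxy_patch.yaml and
+# manager_prometheus_metrics_patch.yaml should be enabled.
+#- manager_prometheus_metrics_patch.yaml
 
 vars:
 - name: WEBHOOK_SECRET_NAME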
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
2+
# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
3+
apiVersion: apps/v1
4+
kind: StatefulSet
5+
metadata:
6+
name: controller-manager
7+
namespace: system
8+
spec:
9+
template:
10+
spec:
11+
containers:
12+
- name: kube-rbac-proxy
13+
image: quay.io/brancz/kube-rbac-proxy:v0.4.0
14+
args:
15+
- "--secure-listen-address=0.0.0.0:8443"
16+
- "--upstream=http://127.0.0.1:8080/"
17+
- "--logtostderr=true"
18+
- "--v=10"
19+
ports:
20+
- containerPort: 8443
21+
name: https
22+
- name: manager
23+
args:
24+
- "--metrics-addr=127.0.0.1:8080"
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
name: proxy-role
5+
rules:
6+
- apiGroups: ["authentication.k8s.io"]
7+
resources:
8+
- tokenreviews
9+
verbs: ["create"]
10+
- apiGroups: ["authorization.k8s.io"]
11+
resources:
12+
- subjectaccessreviews
13+
verbs: ["create"]
