From 1a38b8edb08d670ad5d35d9cbb8d393414b93c86 Mon Sep 17 00:00:00 2001 
From: Adam Roberts Date: Mon, 9 Dec 2024 12:08:12 -0500 Subject: [PATCH] feat(rh-shield-operator): upgrade base to 1.38.0 mostly done by following guidelines here: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.38.0/ --- rh-shield-operator/Dockerfile | 2 +- rh-shield-operator/Makefile | 4 +- rh-shield-operator/bundle.Dockerfile | 2 +- ...er-manager-metrics-service_v1_service.yaml | 2 +- ...c.authorization.k8s.io_v1_clusterrole.yaml | 3 -- ...shield-operator.clusterserviceversion.yaml | 39 +++++------------- .../bundle/metadata/annotations.yaml | 2 +- .../config/default/kustomization.yaml | 12 ++++-- .../default/manager_auth_proxy_patch.yaml | 40 ------------------- .../config/default/manager_config_patch.yaml | 10 ----- .../config/default/manager_metrics_patch.yaml | 12 ++++++ .../metrics_service.yaml} | 8 ++-- .../config/manager/kustomization.yaml | 2 +- .../config/manager/manager.yaml | 1 + .../config/prometheus/monitor.yaml | 6 ++- .../rbac/auth_proxy_client_clusterrole.yaml | 12 ------ .../config/rbac/auth_proxy_role.yaml | 20 ---------- .../config/rbac/auth_proxy_role_binding.yaml | 15 ------- .../config/rbac/kustomization.yaml | 16 ++++---- .../config/rbac/metrics_auth_role.yaml | 17 ++++++++ .../rbac/metrics_auth_role_binding.yaml | 12 ++++++ .../config/rbac/metrics_reader_role.yaml | 9 +++++ 22 files changed, 92 insertions(+), 154 deletions(-) delete mode 100644 rh-shield-operator/config/default/manager_auth_proxy_patch.yaml delete mode 100644 rh-shield-operator/config/default/manager_config_patch.yaml create mode 100644 rh-shield-operator/config/default/manager_metrics_patch.yaml rename rh-shield-operator/config/{rbac/auth_proxy_service.yaml => default/metrics_service.yaml} (79%) delete mode 100644 rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 rh-shield-operator/config/rbac/auth_proxy_role.yaml delete mode 100644 rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml create mode 100644 
rh-shield-operator/config/rbac/metrics_auth_role.yaml create mode 100644 rh-shield-operator/config/rbac/metrics_auth_role_binding.yaml create mode 100644 rh-shield-operator/config/rbac/metrics_reader_role.yaml diff --git a/rh-shield-operator/Dockerfile b/rh-shield-operator/Dockerfile index ce1268618..e0307f4e7 100644 --- a/rh-shield-operator/Dockerfile +++ b/rh-shield-operator/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM quay.io/operator-framework/helm-operator:v1.36.1 +FROM quay.io/operator-framework/helm-operator:v1.38.0 ARG RELEASE_VERSION diff --git a/rh-shield-operator/Makefile b/rh-shield-operator/Makefile index 383741286..a2f187446 100644 --- a/rh-shield-operator/Makefile +++ b/rh-shield-operator/Makefile @@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 0.1.6 +VERSION ?= 0.2.0 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") @@ -131,7 +131,7 @@ ifeq (,$(shell which kustomize 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(KUSTOMIZE)) ;\ - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.3.0/kustomize_v5.3.0_$(OS)_$(ARCH).tar.gz | \ + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.2/kustomize_v5.4.2_$(OS)_$(ARCH).tar.gz | \ tar xzf - -C bin/ ;\ } else diff --git a/rh-shield-operator/bundle.Dockerfile b/rh-shield-operator/bundle.Dockerfile index 6ce6a423c..d12238f17 100644 --- a/rh-shield-operator/bundle.Dockerfile +++ b/rh-shield-operator/bundle.Dockerfile 
@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=rh-shield-operator LABEL operators.operatorframework.io.bundle.channels.v1=alpha -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.36.1 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.38.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=helm.sdk.operatorframework.io/v1 diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml index bee7f3817..650ff0d38 100644 --- a/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml +++ b/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml @@ -12,7 +12,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: control-plane: controller-manager status: diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml index 66619265d..654bb5cfc 100644 --- a/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -2,9 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: rh-shield-operator name: rh-shield-operator-metrics-reader rules: - nonResourceURLs: diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml index f5b21a122..659fa0581 100644 --- a/rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml +++ b/rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml @@ -370,14 +370,14 @@ metadata: ] capabilities: Basic Install categories: Security, Monitoring - createdAt: "2024-12-09T17:08:58Z" + createdAt: "2025-01-02T15:51:05Z" description: | The Sysdig Shield Operator provides a way to deploy Sysdig Shield components on an OpenShift cluster. - operators.operatorframework.io/builder: operator-sdk-v1.36.1 + operators.operatorframework.io/builder: operator-sdk-v1.38.0 operators.operatorframework.io/project_layout: helm.sdk.operatorframework.io/v1 repository: https://github.com/sysdiglabs/charts support: https://sysdig.com - name: rh-shield-operator.v0.1.6 + name: rh-shield-operator.v0.2.0 namespace: placeholder spec: apiservicedefinitions: {} 
@@ -522,34 +522,13 @@ spec: spec: containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --metrics-require-rbac + - --metrics-secure + - --metrics-bind-address=:8443 - --leader-elect + - --health-probe-bind-address=:8081 - --leader-election-id=rh-shield-operator - image: quay.io/sysdig/rh-shield-operator:v0.1.6 + image: quay.io/sysdig/rh-shield-operator:v0.2.0 livenessProbe: httpGet: path: /healthz @@ -653,4 +632,4 @@ spec: provider: name: Sysdig url: https://sysdig.com - version: 0.1.6 + version: 0.2.0 diff --git a/rh-shield-operator/bundle/metadata/annotations.yaml b/rh-shield-operator/bundle/metadata/annotations.yaml index a3898fdff..6aaee6bd9 100644 --- a/rh-shield-operator/bundle/metadata/annotations.yaml +++ b/rh-shield-operator/bundle/metadata/annotations.yaml @@ -5,7 +5,7 @@ annotations: operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: rh-shield-operator operators.operatorframework.io.bundle.channels.v1: alpha - operators.operatorframework.io.metrics.builder: operator-sdk-v1.36.1 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.38.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: helm.sdk.operatorframework.io/v1 diff --git a/rh-shield-operator/config/default/kustomization.yaml b/rh-shield-operator/config/default/kustomization.yaml index a7b66c903..cf678d147 100644 --- a/rh-shield-operator/config/default/kustomization.yaml 
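Review bot: With the kube-rbac-proxy sidecar removed, `--metrics-bind-address=:8443` moves the metrics listener from loopback (previously `127.0.0.1:8080` behind the proxy) to all interfaces, so authentication and authorization of scrapers now rest entirely on `--metrics-require-rbac` and on the controller-manager service account being allowed to create tokenreviews and subjectaccessreviews. Those rules exist in config/rbac/metrics_auth_role.yaml, but this CSV's clusterPermissions are not in view; it is worth confirming the regenerated bundle still carries them, because without them every scrape is refused. No serving certificate is passed to the manager anywhere in the diff, so if helm-operator follows controller-runtime's default the endpoint will present a generated self-signed certificate — that deserves a sentence in the bundle description so consumers know what the ServiceMonitor must trust. The Deployment spec continues outside the hunk.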
+++ b/rh-shield-operator/config/default/kustomization.yaml @@ -20,9 +20,13 @@ resources: - ../manager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml +# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment diff --git a/rh-shield-operator/config/default/manager_auth_proxy_patch.yaml b/rh-shield-operator/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index f953f8d0e..000000000 --- a/rh-shield-operator/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
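Review bot: The patch target added at the end of the hunk is `kind: Deployment` with no name, so the three `add` ops in manager_metrics_patch.yaml are applied to every Deployment this kustomization emits, not only the controller manager. Narrowing it to `target:` / `kind: Deployment` / `name: controller-manager` keeps any Deployment added later from silently receiving the metrics flags at `containers/0`. The `patches:` list may continue outside the hunk.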
@@ -1,40 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" - - "--leader-election-id=rh-shield-operator" diff --git a/rh-shield-operator/config/default/manager_config_patch.yaml b/rh-shield-operator/config/default/manager_config_patch.yaml deleted file mode 100644 index f6f589169..000000000 --- a/rh-shield-operator/config/default/manager_config_patch.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager diff --git a/rh-shield-operator/config/default/manager_metrics_patch.yaml b/rh-shield-operator/config/default/manager_metrics_patch.yaml new file mode 100644 index 000000000..a3cb2f186 --- /dev/null +++ b/rh-shield-operator/config/default/manager_metrics_patch.yaml 
@@ -0,0 +1,12 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 +# This patch adds the args to allow securing the metrics endpoint +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-secure +# This patch adds the args to allow RBAC-based authn/authz the metrics endpoint +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-require-rbac diff --git a/rh-shield-operator/config/rbac/auth_proxy_service.yaml b/rh-shield-operator/config/default/metrics_service.yaml similarity index 79% rename from rh-shield-operator/config/rbac/auth_proxy_service.yaml rename to rh-shield-operator/config/default/metrics_service.yaml index fb1498d98..1486f6798 100644 --- a/rh-shield-operator/config/rbac/auth_proxy_service.yaml +++ b/rh-shield-operator/config/default/metrics_service.yaml @@ -9,9 +9,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 selector: control-plane: controller-manager diff --git a/rh-shield-operator/config/manager/kustomization.yaml b/rh-shield-operator/config/manager/kustomization.yaml index 19e1fa701..98af65d23 100644 --- a/rh-shield-operator/config/manager/kustomization.yaml +++ b/rh-shield-operator/config/manager/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization images: - name: controller newName: quay.io/sysdig/rh-shield-operator - newTag: v0.1.6 + newTag: v0.2.0 diff --git a/rh-shield-operator/config/manager/manager.yaml b/rh-shield-operator/config/manager/manager.yaml index 133878b83..ed983b38b 100644 --- a/rh-shield-operator/config/manager/manager.yaml +++ b/rh-shield-operator/config/manager/manager.yaml 
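Review bot: All three ops add at `/spec/template/spec/containers/0/args/0`, so they assume the manager is the first container and, because each one prepends, land in the reverse of file order; neither assumption is written down. Suggest a header line such as `# Ops target containers/0 (the manager); each add prepends, so the final arg order is require-rbac, secure, bind-address.` so that anyone reintroducing a sidecar ahead of the manager knows the index must move. The file is complete within the hunk.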
@@ -60,6 +60,7 @@ spec: containers: - args: - --leader-elect + - --health-probe-bind-address=:8081 - --leader-election-id=rh-shield-operator image: controller:latest name: manager diff --git a/rh-shield-operator/config/prometheus/monitor.yaml b/rh-shield-operator/config/prometheus/monitor.yaml index 4b0c3da7f..2e7cbfac8 100644 --- a/rh-shield-operator/config/prometheus/monitor.yaml +++ b/rh-shield-operator/config/prometheus/monitor.yaml @@ -11,11 +11,13 @@ metadata: spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: - insecureSkipVerify: true + caFile: /etc/metrics-certs/ca.crt + certFile: /etc/metrics-certs/tls.crt + keyFile: /etc/metrics-certs/tls.key selector: matchLabels: control-plane: controller-manager diff --git a/rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml b/rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index 5e9b23f0f..000000000 --- a/rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: rh-shield-operator - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/rh-shield-operator/config/rbac/auth_proxy_role.yaml b/rh-shield-operator/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 9c8ad9d0b..000000000 --- a/rh-shield-operator/config/rbac/auth_proxy_role.yaml +++ /dev/null 
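Review bot: In monitor.yaml the new tlsConfig replaces `insecureSkipVerify: true` with `caFile`, `certFile` and `keyFile` under /etc/metrics-certs, but those paths are read inside the Prometheus pod and nothing in this patch issues or mounts such certificates, nor does the manager receive a serving certificate anywhere in the diff. As written, uncommenting `../prometheus` in config/default/kustomization.yaml would fail closed: Prometheus cannot load the files, and if the manager serves a generated self-signed certificate the CA would not match anyway. Either add the cert-manager Certificate and volume mounts that the kubebuilder metrics guide pairs with this block, or add a comment above `tlsConfig:` stating that /etc/metrics-certs must be provisioned before the monitor is enabled. The bearer-token scrape additionally needs the Prometheus service account bound to the metrics-reader ClusterRole, which this patch does not ship.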
@@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: rh-shield-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml b/rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 320294d82..000000000 --- a/rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: rh-shield-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/rh-shield-operator/config/rbac/kustomization.yaml b/rh-shield-operator/config/rbac/kustomization.yaml index 7bebc8ad6..7e3b0ed75 100644 --- a/rh-shield-operator/config/rbac/kustomization.yaml +++ b/rh-shield-operator/config/rbac/kustomization.yaml 
@@ -9,13 +9,15 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml # For each CRD, "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are # not used by the Project itself. You can comment the following lines diff --git a/rh-shield-operator/config/rbac/metrics_auth_role.yaml b/rh-shield-operator/config/rbac/metrics_auth_role.yaml new file mode 100644 index 000000000..bd419f4e2 --- /dev/null +++ b/rh-shield-operator/config/rbac/metrics_auth_role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-auth-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/rh-shield-operator/config/rbac/metrics_auth_role_binding.yaml b/rh-shield-operator/config/rbac/metrics_auth_role_binding.yaml new file mode 100644 index 000000000..eb0c3f582 --- /dev/null +++ b/rh-shield-operator/config/rbac/metrics_auth_role_binding.yaml 
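Review bot: The new comment "Comment the following permissions if you want to disable this protection" is misleading: protection is switched on by `--metrics-require-rbac` in config/default/manager_metrics_patch.yaml, and removing only these ClusterRoles leaves the manager unable to create TokenReviews, so every /metrics request is rejected rather than opened up. Suggest replacing that sentence with `# Removing these alone does not disable protection: also drop --metrics-require-rbac from config/default/manager_metrics_patch.yaml, otherwise every /metrics request is rejected.` The resources list starts before the hunk.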
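Review bot: metrics_auth_role.yaml carries no comment explaining why a ClusterRole named for metrics needs `create` on tokenreviews and subjectaccessreviews, and it also drops the `app.kubernetes.io/name` and `app.kubernetes.io/managed-by` labels the deleted proxy-role had. Suggest a header above `apiVersion:` such as `# Lets the manager authenticate scrapers (TokenReview) and authorize them (SubjectAccessReview); required once --metrics-require-rbac is set.` The file is complete within the hunk.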
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-auth-role +subjects: + - kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/rh-shield-operator/config/rbac/metrics_reader_role.yaml b/rh-shield-operator/config/rbac/metrics_reader_role.yaml new file mode 100644 index 000000000..07f438293 --- /dev/null +++ b/rh-shield-operator/config/rbac/metrics_reader_role.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: + - nonResourceURLs: + - "/metrics" + verbs: + - get
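Review bot: metrics-reader is created but nothing in the diff binds it, and under `--metrics-require-rbac` a scraper whose service account lacks `get` on /metrics is refused at the SubjectAccessReview; a comment naming who must be bound would save the next operator a debugging session, e.g. `# Not bound by default: grant this ClusterRole to the service account that scrapes /metrics (e.g. the Prometheus SA) via a ClusterRoleBinding.` The file is complete within the hunk.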