[META - Phases]: Discontinue Kube RBAC Proxy in Default Kubebuilder Scaffolding

[camilamacedo86]

What do you want to happen?

Address the phases and changes discussed in the proposal: https://github.com/kubernetes-sigs/kubebuilder/blob/master/designs/discontinue_usage_of_kube_rbac_proxy.md

• [x] - Phase 0: Remove the RBAC Proxy: PR: https://github.com/kubernetes-sigs/kubebuilder/pull/3899
• [x] - Phase 1: Transition to NetworkPolicies: PR: https://github.com/kubernetes-sigs/kubebuilder/pull/3853
• [x] - Phase 2: Add Cert-Manager as Optional option to be used with metrics (help wanted) PS.: See that we should address the request made in: https://github.com/kubernetes-sigs/kubebuilder/issues/3657 within this one. Done at: https://github.com/kubernetes-sigs/kubebuilder/pull/4243
• [x] - Phase 3: Add Controller-Runtime feature. Details can be found in: https://kubernetes.slack.com/archives/CAR30FCJZ/p1716290359950339?thread_ts=1716289540.582639&cid=CAR30FCJZ -> DONE: PR: https://github.com/kubernetes-sigs/kubebuilder/pull/4003
• [ ] - Phase 4: When kube-rbac-proxy be accepted under the umbrella (Blocked by: https://github.com/brancz/kube-rbac-proxy/issues/238 and the project be part of the umbrella. When it happens we can reach out its maintainers and see if we can support them out to create the external plugin)

Extra Labels

No response

[fgiloux]

Hi Camilla. Nice to see progress on this. If I am understanding things right you are considering two different ways of doing RBAC:

• the new controller-runtime feature #3657, which has merged
• kube-rbac proxy

You also have two orthogonal subjects:

• TLS certificates for the metrics endpoint, where you propose to optionally scaffold resources for cert-manager

• scaffolding an SA, and referencing it in the ServiceMonitors, that can be leveraged by Prometheus for scrapping the metrics

  This sounds good to me.

[fgiloux]

For phase 3: Maybe you mean issue 2781 as blocker?

[camilamacedo86]

Hi @fgiloux,

For phase 3: Maybe you mean https://github.com/kubernetes-sigs/controller-runtime/issues/2781 as blocker?

Yes, it is a blocker for us since it is not following the good practices and we cannot properly pass the certs via cert-manager within as it is now. However, asap they be able to enhance the feature in controller-runtime we can move forward within.

[fgiloux]

I meant controller-runtime #2781 is now blocking phase 3 instead of #2407, as it is its follow-up and #2407 has been merged.

[camilamacedo86]

All that we could to do in Kubebuilder is done now. So, because of it I am closing this one.

If kube-rbac-proxy maintainers desire to do an external plugin or any one decide to contribute with to allow kubebuilder users use their solution we are more than happy to help out. Just ping us and let's speak via the Slack Channel