opdev / simple-demo-operator

Apache License 2.0

:warning: Action Required: Replace Deprecated gcr.io/kubebuilder/kube-rbac-proxy #13

Closed camilamacedo86 closed 4 hours ago

camilamacedo86 commented 3 days ago

Description

:warning: The image gcr.io/kubebuilder/kube-rbac-proxy is deprecated and will become unavailable. You must move as soon as possible: sometime from early 2025, GCR will go away.

Unfortunately, we're unable to provide any guarantees regarding timelines or potential extensions at this time. Images provided under GCR will be unavailable from March 18, 2025, as per the announcement. However, gcr.io/kubebuilder/ may be unavailable before this date due to efforts to deprecate infrastructure.

Using the image gcr.io/kubebuilder/kube-rbac-proxy?

kube-rbac-proxy was historically used to protect the metrics endpoint. However, its usage has been discontinued in Kubebuilder. The default scaffold now leverages the WithAuthenticationAndAuthorization feature provided by Controller-Runtime.

This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for kube-rbac-proxy (https://github.com/brancz/kube-rbac-proxy) to secure metrics endpoints.

What To Do?

You must replace the deprecated image gcr.io/kubebuilder/kube-rbac-proxy with an alternative approach. For example:

For further information, suggestions, and guidance:

NOTE: This issue was opened automatically as part of our efforts to identify projects that might be affected and to raise awareness about this change within the community. If your project is no longer using this image, feel free to close this issue.

We sincerely apologize for any inconvenience this may cause.

Thank you for your cooperation and understanding! :pray:
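
What an authn/authz filter embedded in front of a metrics handler does, as an added example that is not part of the original issue and is not controller-runtime's or Kubebuilder's code. The `Authenticator` and `Authorizer` types are hypothetical stand-ins for the Kubernetes TokenReview and SubjectAccessReview checks, and the tokens and service-account names are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Authenticator and Authorizer are hypothetical stand-ins for the TokenReview
// and SubjectAccessReview API calls that a real filter delegates to.
type Authenticator func(token string) (user string, ok bool)
type Authorizer func(user, verb, path string) bool

// withAuthnAuthz answers 401 without a valid bearer token, 403 when authz denies.
func withAuthnAuthz(authn Authenticator, authz Authorizer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := r.Header.Get("Authorization")
		user, ok := "", false
		if strings.HasPrefix(hdr, "Bearer ") {
			user, ok = authn(strings.TrimPrefix(hdr, "Bearer "))
		}
		if !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if !authz(user, strings.ToLower(r.Method), r.URL.Path) {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends GET /metrics with authHeader; tokens and accounts are constructed samples.
func probe(authHeader string) int {
	users := map[string]string{"tok-prom": "system:serviceaccount:monitoring:prometheus", "tok-app": "system:serviceaccount:default:app"}
	authn := func(t string) (string, bool) { u, ok := users[t]; return u, ok }
	// Mirrors a role that grants only "get" on the non-resource URL /metrics.
	authz := func(u, verb, path string) bool { return u == users["tok-prom"] && verb == "get" && path == "/metrics" }
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "up 1") })
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	withAuthnAuthz(authn, authz, metrics).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(probe(""), probe("Bearer tok-app"), probe("Bearer tok-prom")) } // 401 403 200
```

The check runs inside the same process that serves `/metrics`, so no sidecar image is needed in front of the endpoint.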

acornett21 commented 1 day ago

Since this project is used by a lot of teams for testing, we should try to take this up when we have some cycles. As part of this (or to get to this point of removal), we should also update go, k8s, and do the operator-sdk migrations from v1.32 through current version (or rescaffold).

camilamacedo86 commented 1 day ago

Hi @acornett21

Before the end of this year we should have a kubebuilder release with 1.32 support. We can bump it on SDK, and then, projects here might want to fully upgrade to the latest release.

See that we are adding an option to help out pass cert-manager certs for the metrics server instead of using those that are self-signed done by controller-runtime, see: https://github.com/kubernetes-sigs/kubebuilder/pull/4400

It should either be available within the next release or be merged into the master. A partial version of the feature is already merged, and it also helps provide a secure config to enable Prometheus integration.

acornett21 commented 1 day ago

This project isn't used in production, so I'm not concerned about self-signed certs, but thanks for the additional info, I'll follow the kubebuilder issue for other projects.

komish commented 4 hours ago

Fixed in the referenced issue. Closing.