chore: closes ⚠️ Action Required: Replace Deprecated gcr.io/kubebuild…

…er/kube-rbac-proxy #46

cmd/operator/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 
 	"github.com/spf13/cobra"
@@ -14,7 +15,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 )
 
 var (
@@ -29,6 +30,8 @@ type flags struct {
 	enableLeaderElection bool
 	metricsAddr          string
 	probeAddr            string
+	secureMetrics        bool
+	enableHTTP2          bool
 }
 
 var f = &flags{}
@@ -50,6 +53,8 @@ func init() {
 	rootCmd.Flags().BoolVar(&f.enableLeaderElection, "leader-elect", f.enableLeaderElection, "only one controller")
 	rootCmd.Flags().StringVar(&f.metricsAddr, "metrics-bind-address", ":8080", "metrics endpoint")
 	rootCmd.Flags().StringVar(&f.probeAddr, "health-probe-bind-address", ":8081", "health probe")
+	rootCmd.Flags().BoolVar(&f.secureMetrics, "secure-metrics", f.secureMetrics, "serve metrics over https")
+	rootCmd.Flags().BoolVar(&f.enableHTTP2, "enable-http2", f.enableHTTP2, "enable http/2")
 
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
@@ -62,11 +67,31 @@ func run(ctx context.Context) error {
 		Development: true,
 	}
 
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	tlsOpts := []func(*tls.Config){}
+	if !f.enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:                 scheme,
-		Metrics:                server.Options{BindAddress: f.metricsAddr},
+		Scheme: scheme,
+		Metrics: metricsserver.Options{
+			BindAddress:   f.metricsAddr,
+			SecureServing: f.secureMetrics,
+			TLSOpts:       tlsOpts,
+		},
 		HealthProbeBindAddress: f.probeAddr,
 		LeaderElection:         f.enableLeaderElection,
 		LeaderElectionID:       "432c802.zeiss.com",

helm/charts/natz-operator/templates/deployment.yaml

@@ -39,21 +39,6 @@ spec:
                 values:
                 - linux
       containers:
-      - args:
-          {{- toYaml .Values.controller.kubeRbacProxy.args | nindent 8 }}
-        env:
-        - name: KUBERNETES_CLUSTER_DOMAIN
-          value: {{ quote .Values.kubernetesClusterDomain }}
-        image: {{ .Values.controller.kubeRbacProxy.image.repository }}:{{ .Values.controller.kubeRbacProxy.image.tag | default .Chart.AppVersion }}
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          {{- toYaml .Values.controller.kubeRbacProxy.resources | nindent 10 }}
-        securityContext:
-          {{- toYaml .Values.controller.kubeRbacProxy.containerSecurityContext | nindent 10 }}
       - args:
           {{- toYaml .Values.controller.extraArgs | nindent 10 }}
         command:
@@ -82,4 +67,4 @@ spec:
       securityContext:
         runAsNonRoot: true
       serviceAccountName: {{ include "natz-operator.fullname" . }}-controller-manager
-      terminationGracePeriodSeconds: 10
+      terminationGracePeriodSeconds: 10

helm/charts/natz-operator/values.yaml

@@ -19,7 +19,8 @@ crds:
 ## Globally shared configuration
 global:
   # -- Common labels for the all resources
-  additionalLabels: {}
+  additionalLabels:
+    {}
     # app: natz
 
   # Default image used by all components
@@ -35,9 +36,10 @@ global:
   imagePullSecrets: []
 
   # -- Labels for the all deployed pods
-  podLabels: {}
+  podLabels:
+    {}
 
-   # -- Annotations for the all deployed pods
+    # -- Annotations for the all deployed pods
   podAnnotations: {}
 
   # -- Toggle and define pod-level security context.
@@ -62,7 +64,7 @@ global:
 ## NATZ Configs
 configs:
 
-## 
+##
 
 ## NATZ Controller
 controller:
@@ -107,9 +109,10 @@ controller:
   podAnnotations: {}
 
   # -- Labels to be added to natz controller pods
-  podLabels: {}
+  podLabels:
+    {}
 
-   # -- Additional volumes to the natz controller pod
+    # -- Additional volumes to the natz controller pod
   volumes: []
 
   # -- [Node selector]
@@ -184,26 +187,3 @@ controller:
 
   # -- Init containers to add to the natz controller pod
   initContainers: []
-
-  # -- Sidecar containers to add to the natz controller pod
-  kubeRbacProxy:
-    args:
-      - --secure-listen-address=0.0.0.0:8443
-      - --upstream=http://127.0.0.1:8080/
-      - --logtostderr=true
-      - --v=0
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-    image:
-      repository: gcr.io/kubebuilder/kube-rbac-proxy
-      tag: v0.13.1
-    resources:
-      limits:
-        cpu: 500m
-        memory: 128Mi
-      requests:
-        cpu: 5m
-        memory: 64Mi

manifests/default/kustomization.yaml

@@ -13,9 +13,9 @@ namePrefix: natz-operator-
 #  someName: someValue
 
 bases:
-- ../crd
-- ../rbac
-- ../manager
+  - ../crd
+  - ../rbac
+  - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
@@ -25,12 +25,6 @@ bases:
 #- ../prometheus
 
 patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
-
-
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

manifests/rbac/kustomization.yaml

@@ -1,18 +1,11 @@
 resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+  # All RBAC will be applied under this service account in
+  # the deployment namespace. You may comment out this resource
+  # if your manager will use a service account that exists at
+  # runtime. Be sure to update RoleBinding and ClusterRoleBinding
+  # subjects if changing service account names.
+  - service_account.yaml
+  - role.yaml
+  - role_binding.yaml
+  - leader_election_role.yaml
+  - leader_election_role_binding.yaml