From 276f30e73df10c93077170877817b04d30385944 Mon Sep 17 00:00:00 2001
From: mgianluc
Date: Tue, 27 Feb 2024 04:52:35 +0100
Subject: [PATCH] Update drift-detection-manager post rbac proxy removal
---
 Makefile | 2 +-
 config/default/manager_auth_proxy_patch.yaml | 2 +-
 config/default/manager_image_patch.yaml | 2 +-
 manifest/deployment-shard.yaml | 4 +-
 manifest/manifest.yaml | 4 +-
 ...drift-detection-manager-in-mgmt-cluster.go | 43 +------
 ...ift-detection-manager-in-mgmt-cluster.yaml | 41 +------
 .../drift-detection-manager.go | 112 +++++-------------
 .../drift-detection-manager.yaml | 112 +++++-------------
 9 files changed, 64 insertions(+), 258 deletions(-)
diff --git a/Makefile b/Makefile
index 235a859d..d54d4973 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ ARCH ?= amd64 OS ?= $(shell uname -s | tr A-Z a-z) K8S_LATEST_VER ?= $(shell curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt) export CONTROLLER_IMG ?= $(REGISTRY)/$(IMAGE_NAME) -TAG ?= v0.24.0 +TAG ?= dev .PHONY: all all: build
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index b48ab1c9..c20df17e 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -15,4 +15,4 @@ spec: - "--report-mode=0" - --shard-key= - "--v=5" - - "--version=v0.24.0" + - "--version=dev"
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
index 4d3149d8..69525b25 100644
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -8,5 +8,5 @@ spec: spec: containers: # Change the value of image field below to your controller image URL - - image: projectsveltos/addon-controller-amd64:v0.24.0 + - image: projectsveltos/addon-controller-amd64:dev name: controller
diff --git a/manifest/deployment-shard.yaml b/manifest/deployment-shard.yaml
index 2970c50a..5bf3de4f 100644
--- a/manifest/deployment-shard.yaml
+++ b/manifest/deployment-shard.yaml
@@ -23,10 +23,10 @@ spec: - --report-mode=0 - --shard-key={{.SHARD}} - --v=5 - - --version=v0.24.0 + - --version=dev command: - /manager - image: projectsveltos/addon-controller-amd64:v0.24.0 + image: projectsveltos/addon-controller-amd64:dev livenessProbe: failureThreshold: 3 httpGet:
diff --git a/manifest/manifest.yaml b/manifest/manifest.yaml
index 41ad2e31..f25207d4 100644
--- a/manifest/manifest.yaml
+++ b/manifest/manifest.yaml
@@ -3350,10 +3350,10 @@ spec: - --report-mode=0 - --shard-key= - --v=5 - - --version=v0.24.0 + - --version=dev command: - /manager - image: projectsveltos/addon-controller-amd64:v0.24.0 + image: projectsveltos/addon-controller-amd64:dev livenessProbe: failureThreshold: 3 httpGet:
diff --git a/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.go b/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.go
index 2079b3d8..f685c3b0 100644
--- a/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.go
+++ b/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.go
@@ -16,23 +16,7 @@ limitations under the License. */ package driftdetection -var driftDetectionInMgmtClusterYAML = []byte(`apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: $NAME - name: $NAME-metrics-service - namespace: projectsveltos -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: $NAME ---- -apiVersion: apps/v1 +var driftDetectionInMgmtClusterYAML = []byte(`apiVersion: apps/v1 kind: Deployment metadata: labels:
@@ -63,7 +47,7 @@ spec: - --run-mode=do-not-send-updates command: - /manager - image: projectsveltos/drift-detection-manager-amd64:v0.24.0 + image: projectsveltos/drift-detection-manager-amd64:dev livenessProbe: httpGet: path: /healthz
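Review bot: Nothing in this file updates the manager's own diagnostics configuration, although drift-detection-manager.go in the same commit moves the same `projectsveltos/drift-detection-manager-amd64:dev` image from `--health-probe-bind-address`/`--metrics-bind-address` to `--diagnostics-address=:8443` and repoints the probes at a named `healthz` port. The args of this Deployment lie outside the hunk, so I cannot confirm them, but if they still carry the old flags the binary would presumably reject them and the probes would target a port that is no longer bound. Either align this manifest with drift-detection-manager.go or add a comment above the `args:` list stating why the in-management-cluster variant intentionally keeps the old flags. The same applies to the mirrored hunks in pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.yaml.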
@@ -89,29 +73,6 @@ spec: capabilities: drop: - ALL - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: drift-detection-manager
diff --git a/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.yaml b/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.yaml
index c9bd3107..6b719560 100644
--- a/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.yaml
+++ b/pkg/drift-detection/drift-detection-manager-in-mgmt-cluster.yaml
@@ -1,19 +1,3 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: $NAME - name: $NAME-metrics-service - namespace: projectsveltos -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: $NAME ---- apiVersion: apps/v1 kind: Deployment metadata:
@@ -45,7 +29,7 @@ spec: - --run-mode=do-not-send-updates command: - /manager - image: projectsveltos/drift-detection-manager-amd64:v0.24.0 + image: projectsveltos/drift-detection-manager-amd64:dev livenessProbe: httpGet: path: /healthz
@@ -71,29 +55,6 @@ spec: capabilities: drop: - ALL - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: drift-detection-manager
diff --git a/pkg/drift-detection/drift-detection-manager.go b/pkg/drift-detection/drift-detection-manager.go
index 34bcdbb3..5aaf1d48 100644
--- a/pkg/drift-detection/drift-detection-manager.go
+++ b/pkg/drift-detection/drift-detection-manager.go
@@ -40,6 +40,18 @@ rules: - get - list - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create - apiGroups: - lib.projectsveltos.io resources:
@@ -76,34 +88,6 @@ rules: - update --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: drift-detection-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: drift-detection-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: drift-detection-manager-rolebinding
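Review bot: The new `tokenreviews`/`subjectaccessreviews` create grants on the manager's ClusterRole carry no comment explaining why a drift-detection controller needs them, and they are exactly the permissions removed from `drift-detection-proxy-role` later in this file, so a future least-privilege pass is likely to strip them. I would add above the new `authentication.k8s.io` rule: `# TokenReview/SubjectAccessReview are used by the manager's own diagnostics listener to authenticate and authorize metrics scrapers, replacing the removed kube-rbac-proxy sidecar`. The same comment belongs in the mirrored hunk of pkg/drift-detection/drift-detection-manager.yaml.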
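Review bot: The `drift-detection-metrics-reader` ClusterRole (`get` on the `/metrics` non-resource URL) is removed without a replacement, yet the SubjectAccessReview permission added in the previous hunk implies the manager now authorizes scrapers itself, presumably by checking exactly that verb and path. If so, no role in this manifest any longer grants a scraping ServiceAccount access to `/metrics`, and scrapes that worked through the proxy would be rejected after this change. Either keep the metrics-reader ClusterRole (it is bound to nothing here, so it costs nothing) or state in the commit description where that grant now lives. The same removal occurs in pkg/drift-detection/drift-detection-manager.yaml.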
@@ -116,35 +100,6 @@ subjects: name: drift-detection-manager namespace: projectsveltos --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: drift-detection-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: drift-detection-proxy-role -subjects: -- kind: ServiceAccount - name: drift-detection-manager - namespace: projectsveltos ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: drift-detection-manager - name: drift-detection-manager-metrics-service - namespace: projectsveltos -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: drift-detection-manager ---- apiVersion: apps/v1 kind: Deployment metadata:
@@ -166,8 +121,7 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --diagnostics-address=:8443 - --v=5 - --cluster-namespace= - --cluster-name=
@@ -176,18 +130,29 @@ spec: - --run-mode=do-not-send-updates command: - /manager - image: projectsveltos/drift-detection-manager-amd64:v0.24.0 + image: projectsveltos/drift-detection-manager-amd64:dev livenessProbe: + failureThreshold: 3 httpGet: path: /healthz - port: 8081 + port: healthz + scheme: HTTP initialDelaySeconds: 15 periodSeconds: 20 name: manager + ports: + - containerPort: 8443 + name: metrics + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP readinessProbe: + failureThreshold: 3 httpGet: path: /readyz - port: 8081 + port: healthz + scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 resources:
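Review bot: `--diagnostics-address=:8443` binds the metrics listener on all interfaces, where the previous setup kept it on `127.0.0.1:8080` and let kube-rbac-proxy terminate TLS and enforce authn/authz in front of it; the manifest now carries nothing that shows the in-process listener serves TLS or checks the scraper's identity. The TokenReview/SubjectAccessReview grants added earlier in this file suggest the manager does this, but it should be confirmed against the image, since otherwise removing the sidecar turns a loopback-only endpoint into a plaintext, unauthenticated one reachable from any pod in the cluster. I would add a comment above the flag: `# diagnostics (metrics) listener; the manager must serve TLS and enforce TokenReview/SubjectAccessReview here since kube-rbac-proxy was removed`. The same applies to the mirrored hunk in pkg/drift-detection/drift-detection-manager.yaml.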
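Review bot: The probes now target the named port `healthz` (containerPort 9440), but no argument in this Deployment binds 9440: the old `--health-probe-bind-address=:8081` is removed and `--diagnostics-address` only covers 8443, so the health endpoint relies on an implicit default of the image that the manifest does not document. If that default ever changes, the liveness probe fails and the pod restarts in a loop with nothing in the manifest pointing at the cause. Either pass the health-probe address explicitly with whatever flag the image exposes for it, or add `# 9440 is the image's default health-probe port; no flag sets it` next to the `healthz` containerPort. The same applies to the mirrored hunk in pkg/drift-detection/drift-detection-manager.yaml.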
@@ -202,29 +167,6 @@ spec: capabilities: drop: - ALL - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: drift-detection-manager
diff --git a/pkg/drift-detection/drift-detection-manager.yaml b/pkg/drift-detection/drift-detection-manager.yaml
index adb6304a..63d629c8 100644
--- a/pkg/drift-detection/drift-detection-manager.yaml
+++ b/pkg/drift-detection/drift-detection-manager.yaml
@@ -22,6 +22,18 @@ rules: - get - list - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create - apiGroups: - lib.projectsveltos.io resources:
@@ -58,34 +70,6 @@ rules: - update --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: drift-detection-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: drift-detection-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: drift-detection-manager-rolebinding
@@ -98,35 +82,6 @@ subjects: name: drift-detection-manager namespace: projectsveltos --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: drift-detection-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: drift-detection-proxy-role -subjects: -- kind: ServiceAccount - name: drift-detection-manager - namespace: projectsveltos ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: drift-detection-manager - name: drift-detection-manager-metrics-service - namespace: projectsveltos -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: drift-detection-manager ---- apiVersion: apps/v1 kind: Deployment metadata:
@@ -148,8 +103,7 @@ spec: spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --diagnostics-address=:8443 - --v=5 - --cluster-namespace= - --cluster-name=
@@ -158,18 +112,29 @@ spec: - --run-mode=do-not-send-updates command: - /manager - image: projectsveltos/drift-detection-manager-amd64:v0.24.0 + image: projectsveltos/drift-detection-manager-amd64:dev livenessProbe: + failureThreshold: 3 httpGet: path: /healthz - port: 8081 + port: healthz + scheme: HTTP initialDelaySeconds: 15 periodSeconds: 20 name: manager + ports: + - containerPort: 8443 + name: metrics + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP readinessProbe: + failureThreshold: 3 httpGet: path: /readyz - port: 8081 + port: healthz + scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 resources:
@@ -184,29 +149,6 @@ spec: capabilities: drop: - ALL - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL securityContext: runAsNonRoot: true serviceAccountName: drift-detection-manager