fix: migrate away from kube-rbac-proxy (critical) (#747)

jpaodev · hessjcg · web-flow · commit 9718f37bf41a · 2026-03-11T16:22:14.000-06:00
Co-authored-by: Jonathan Hess (he/him) &lt;103529393+hessjcg@users.noreply.github.com&gt;
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -35,6 +35,8 @@ bases:
   #- ../prometheus
 patchesStrategicMerge:
   # Protect the /metrics endpoint by putting it behind auth.
+  # Configure the controller-manager to serve metrics securely using
+  # controller-runtime's built-in authentication and authorization.
   # If you want your controller-manager to expose the /metrics
   # endpoint w/o any authn/z, please comment the following line.
   - manager_auth_proxy_patch.yaml
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -11,8 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the controller manager to expose metrics on port 8443.
+# Access is controlled via Kubernetes RBAC on the metrics service.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,31 +22,12 @@ spec:
   template:
     spec:
       containers:
-        - name: kube-rbac-proxy
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - "ALL"
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+        - name: manager
           args:
-            - "--secure-listen-address=0.0.0.0:8443"
-            - "--upstream=http://127.0.0.1:8080/"
-            - "--logtostderr=true"
-            - "--v=0"
+            - "--health-probe-bind-address=:8081"
+            - "--metrics-bind-address=:8443"
+            - "--leader-elect"
           ports:
             - containerPort: 8443
               protocol: TCP
               name: https
-          resources:
-            limits:
-              cpu: 500m
-              memory: 128Mi
-            requests:
-              cpu: 5m
-              memory: 64Mi
-        - name: manager
-          args:
-            - "--health-probe-bind-address=:8081"
-            - "--metrics-bind-address=127.0.0.1:8080"
-            - "--leader-elect"
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -22,9 +22,9 @@ resources:
   - role_binding.yaml
   - leader_election_role.yaml
   - leader_election_role_binding.yaml
-  # Comment the following 4 lines if you want to disable
-  # the Auth Proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
+  # The following resources are required for the controller-runtime's
+  # built-in metrics authentication and authorization.
+  # Comment these lines if you want to disable secure metrics.
   - auth_proxy_service.yaml
   - auth_proxy_role.yaml
   - auth_proxy_role_binding.yaml
