feat: add flag to enable anonymous metrics access

[jindijamie]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Allow metrics access without authentication.
The default behavior is still require authentication.

Which issue(s) this PR fixes:

Does this PR have test?

N/A

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add --enable-insecure-metrics-access flag for unauthenticated/unencrypted
  metrics access; default secure behavior remains unchanged.

[k8s-ci-robot]

Hi @jindijamie. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 24.64%. Comparing base (11d77f4) to head (ea5631e).
⚠️ Report is 1123 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #3110       +/-   ##
===========================================
- Coverage   45.50%   24.64%   -20.86%     
===========================================
  Files          79      126       +47     
  Lines        7782    17992    +10210     
===========================================
+ Hits         3541     4435      +894     
- Misses       4099    13265     +9166     
- Partials      142      292      +150     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ccojocar, jindijamie

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ccojocar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jindijamie]

/release-note-none

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[jindijamie]

/retest

[k8s-ci-robot]

@jindijamie: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jindijamie]

/retest

[k8s-ci-robot]

@jindijamie: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[saschagrunert]

/ok-to-test

[saschagrunert]

Follow-up review. The flag rename to enable-insecure-metrics-access and the release note address the previous round's concerns, but a few issues remain, one of them significant.

Also: the three commits ("feat: add flag...", "Update the name...", "Fix lint issue") should be squashed into one.

[saschagrunert]

This flag is defined and consumed in runDaemon, but there's no mechanism to propagate it to the spod daemonset. The operator manages the daemonset; users can't set env vars on it directly without the operator overwriting them on the next reconciliation.

The established pattern (see EnableProfiling in api/spod/v1alpha1/spod_types.go:289 and spod_controller.go:773) is:

1. Add a field to SPODSpec (e.g. EnableInsecureMetricsAccess bool)
2. Read it in the spod controller and inject ENABLE_INSECURE_METRICS_ACCESS as an env var into the daemon container

Without this integration, the flag is unusable in a standard SPO deployment.

[saschagrunert]

This flag is only consumed in runDaemon but is registered as a global flag. All other daemon-specific feature flags (seccompFlag, selinuxFlag, recordingFlag, memOptimFlag) are registered under the daemon subcommand's flags (lines 185-212). Move it there for consistency.

[saschagrunert]

Follow-up from the previous round: since there's no warning level on setupLog, consider making the message stand out by prefixing it:

Suggested change

	setupLog.Info("Insecure metrics access allowed (TLS and authentication disabled)")
	setupLog.Info("WARNING: Insecure metrics access enabled, TLS and authentication disabled")

[saschagrunert]

Missing space before parenthesis.

Suggested change

	// EnableInsecureMetricsAccessEnvKey is the environment variable key for enabling insecure
	// metrics access(disables TLS and authentication).
	// EnableInsecureMetricsAccessEnvKey is the environment variable key for enabling insecure
	// metrics access (disables TLS and authentication).