It would be great to have this capability built into controller-runtime as it would make it possible to have this functionality without a dependency to an additional project and a sidecar container.
Is there interest in the controller-runtime community to support the nonResourceURL-based authorization (like core Kubernetes components)?
Notes:
Not sure how other projects are handling this but in cluster-api we removed kube-rbac-proxy after a few lengthy discussions (I think main reason was that it's not community-owned, xref: ⚠️ Remove kube-rbac-proxy and expose metrics on localhost:8080 cluster-api#4640). Since then metrics are basically disabled per default in Cluster API since we also didn't want to expose them unauthorized per default for security reasons.
~ related the metrics endpoint should also be served on https instead of http (with the same cert as the webhook?)
Not sure if other endpoints should be protected as well, but /metrics would be the most important one for us.
It would be great if controller-runtime would be able to authorize requests to the /metrics endpoint.
Some background information:
get, nonResourceURLs:/metrics) (docs).