diranged / oz / 22936814355

36%

push

github

fix: replace deprecated kube-rbac-proxy with controller-runtime authn/authz (#443)

## Background

The `gcr.io/kubebuilder/kube-rbac-proxy` image is deprecated and Google
Container Registry (GCR) is being sunset, making the image unavailable.
This project used kube-rbac-proxy as a sidecar container to secure the
`/metrics` endpoint via Kubernetes TokenReview and SubjectAccessReview.
See
[kubernetes-sigs/cluster-api-addon-provider-helm#318](https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/issues/318)
for upstream context.

## Changes

Instead of finding an alternative image, this replaces the sidecar
pattern entirely with controller-runtime's built-in `SecureServing` and
`WithAuthenticationAndAuthorization` filter. The manager now serves
metrics securely over HTTPS on port 8443 with native authn/authz — no
sidecar needed. The kube-rbac-proxy container, its image configuration,
and related Helm values have been removed from both the kustomize config
and the Helm chart. The existing RBAC resources
(TokenReview/SubjectAccessReview permissions and metrics-reader
ClusterRole) are retained since the manager now performs these checks
itself.

## Testing

Deployed to a local KIND cluster and verified the pod runs with a single
container (no sidecar). Confirmed that unauthenticated requests to the
metrics endpoint return `Unauthorized`. Verified that authenticated
requests without the `metrics-reader` ClusterRole return `Authorization
denied`. Confirmed that authenticated requests with the `metrics-reader`
role bound successfully return Prometheus metrics.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Matt Wise <matt@nextdoor.com>

0 of 10 new or added lines in 1 file covered. (0.0%)

1037 of 2888 relevant lines covered (35.91%)

1.56 hits per line