fix: replace deprecated kube-rbac-proxy with controller-runtime authn/authz (#443)

schahal · claude · diranged · web-flow · commit af8f5fe77b25 · 2026-03-10T21:30:07.000-07:00
## Background The `gcr.io/kubebuilder/kube-rbac-proxy` image is deprecated and Google Container Registry (GCR) is being sunset, making the image unavailable. This project used kube-rbac-proxy as a sidecar container to secure the `/metrics` endpoint via Kubernetes TokenReview and SubjectAccessReview. See [kubernetes-sigs/cluster-api-addon-provider-helm#318](kubernetes-sigs/cluster-api-addon-provider-helm#318) for upstream context. ## Changes Instead of finding an alternative image, this replaces the sidecar pattern entirely with controller-runtime's built-in `SecureServing` and `WithAuthenticationAndAuthorization` filter. The manager now serves metrics securely over HTTPS on port 8443 with native authn/authz — no sidecar needed. The kube-rbac-proxy container, its image configuration, and related Helm values have been removed from both the kustomize config and the Helm chart. The existing RBAC resources (TokenReview/SubjectAccessReview permissions and metrics-reader ClusterRole) are retained since the manager now performs these checks itself. ## Testing Deployed to a local KIND cluster and verified the pod runs with a single container (no sidecar). Confirmed that unauthenticated requests to the metrics endpoint return `Unauthorized`. Verified that authenticated requests without the `metrics-reader` ClusterRole return `Authorization denied`. Confirmed that authenticated requests with the `metrics-reader` role bound successfully return Prometheus metrics. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Matt Wise <matt@nextdoor.com>
diff --git a/charts/oz/README.md b/charts/oz/README.md
@@ -32,12 +32,6 @@ Kubernetes: `>=1.26.0-0`
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| controllerManager.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` |  |
-| controllerManager.kubeRbacProxy.image.tag | string | `"v0.16.0"` |  |
-| controllerManager.kubeRbacProxy.resources.limits.cpu | string | `"500m"` |  |
-| controllerManager.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` |  |
-| controllerManager.kubeRbacProxy.resources.requests.cpu | string | `"5m"` |  |
-| controllerManager.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` |  |
 | controllerManager.manager.image.repository | `string` | `"ghcr.io/diranged/oz"` | Docker Image repository and name to use for the controller. |
 | controllerManager.manager.image.tag | `string` | `nil` | If set, overrides the .Chart.AppVersion field to set the target image version for the Oz controller. |
 | controllerManager.manager.resources.limits.cpu | string | `"500m"` |  |
diff --git a/charts/oz/templates/deployment.yaml b/charts/oz/templates/deployment.yaml
@@ -54,40 +54,13 @@ spec:
             secretName: {{ . }}
       {{- end }}
       containers:
-      - name: kube-rbac-proxy
-        image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: [ALL]
-        args:
-          - --secure-listen-address=0.0.0.0:8443
-          - --upstream=http://127.0.0.1:8080/
-          - --logtostderr=true
-          - --v=0
-        env:
-          - name: KUBERNETES_CLUSTER_DOMAIN
-            value: {{ .Values.kubernetesClusterDomain }}
-        ports:
-          {{- /* Default Metrics Endpoint */}}
-          {{- with (index .Values.metricsService.ports 0) }}
-          - containerPort: 8443
-            name: {{ .targetPort }}
-            protocol: {{ .protocol }}
-          {{- end }}
-
-        {{- with .Values.controllerManager.kubeRbacProxy.resources }}
-        resources:
-          {{- toYaml . | nindent 10 }}
-        {{- end }}
-
       - name: manager
         image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.Version .Chart.AppVersion }}
         command:
           - /manager
         args:
           - --health-probe-bind-address=:8081
-          - --metrics-bind-address=127.0.0.1:8080
+          - --metrics-bind-address=:8443
           - --leader-elect
         securityContext:
           allowPrivilegeEscalation: false
@@ -113,18 +86,23 @@ spec:
           {{- toYaml . | nindent 10 }}
         {{- end }}
 
+        ports:
+        {{- /* Metrics Endpoint */}}
+        - containerPort: 8443
+          name: https
+          protocol: TCP
+
+        {{- /* Optional Webhook Endpoint */}}
+        {{- with (index .Values.webhookService.ports 0) }}
+        - containerPort: 9443
+          name: {{ .targetPort }}
+          protocol: {{ .protocol }}
+        {{- end }}
+
         {{- /* Optional Webhook Endpoint */}}
         {{- with .Values.webhook.secret.name }}
         volumeMounts:
           - mountPath: /tmp/k8s-webhook-server/serving-certs
             name: cert
             readOnly: true
         {{- end }}
-
-        {{- /* Optional Webhook Endpoint */}}
-        {{- with (index .Values.webhookService.ports 0) }}
-        ports:
-          - containerPort: 9443
-            name: {{ .targetPort }}
-            protocol: {{ .protocol }}
-        {{- end }}
diff --git a/charts/oz/templates/metrics-reader-rbac.yaml b/charts/oz/templates/metrics-reader-rbac.yaml
@@ -3,7 +3,7 @@ kind: ClusterRole
 metadata:
   name: {{ include "oz.fullname" . }}-metrics-reader
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/instance: metrics-reader
     app.kubernetes.io/name: clusterrole
diff --git a/charts/oz/templates/metrics-service.yaml b/charts/oz/templates/metrics-service.yaml
@@ -3,7 +3,7 @@ kind: Service
 metadata:
   name: {{ include "oz.fullname" . }}-controller-manager-metrics-service
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/instance: controller-manager-metrics-service
     app.kubernetes.io/name: service
diff --git a/charts/oz/templates/proxy-rbac.yaml b/charts/oz/templates/proxy-rbac.yaml
@@ -3,7 +3,7 @@ kind: ClusterRole
 metadata:
   name: {{ include "oz.fullname" . }}-proxy-role
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/instance: proxy-role
     app.kubernetes.io/name: clusterrole
@@ -28,7 +28,7 @@ kind: ClusterRoleBinding
 metadata:
   name: {{ include "oz.fullname" . }}-proxy-rolebinding
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/instance: proxy-rolebinding
     app.kubernetes.io/name: clusterrolebinding
diff --git a/charts/oz/templates/webhook-service.yaml b/charts/oz/templates/webhook-service.yaml
@@ -3,7 +3,7 @@ kind: Service
 metadata:
   name: {{ include "oz.fullname" . }}-controller-manager-webhook-service
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: webhook
   {{- include "oz.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.webhookService.type }}
diff --git a/charts/oz/values.yaml b/charts/oz/values.yaml
@@ -29,17 +29,6 @@ controllerManager:
         cpu: 10m
         memory: 64Mi
 
-  kubeRbacProxy:
-    image:
-      repository: gcr.io/kubebuilder/kube-rbac-proxy
-      tag: v0.16.0
-    resources:
-      limits:
-        cpu: 500m
-        memory: 128Mi
-      requests:
-        cpu: 5m
-        memory: 64Mi
 
 # Configuration for the oz-controller-manager-metrics-service, used for
 # collecting metrics from the controller.
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -1,5 +1,7 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the manager to serve metrics securely using
+# controller-runtime's built-in authn/authz (SecureServing +
+# WithAuthenticationAndAuthorization), replacing the deprecated
+# kube-rbac-proxy sidecar.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -25,32 +27,13 @@ spec:
                   values:
                     - linux
       containers:
-      - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=0"
-        ports:
-        - containerPort: 8443
-          protocol: TCP
-          name: https
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
       - name: manager
         args:
         - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--metrics-bind-address=:8443"
         - "--leader-elect"
         - "--zap-log-level=5"
+        ports:
+        - containerPort: 8443
+          name: https
+          protocol: TCP
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/part-of: oz
     app.kubernetes.io/managed-by: kustomize
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/part-of: oz
     app.kubernetes.io/managed-by: kustomize
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrolebinding
     app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/part-of: oz
     app.kubernetes.io/managed-by: kustomize
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
@@ -5,7 +5,7 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: service
     app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: oz
     app.kubernetes.io/part-of: oz
     app.kubernetes.io/managed-by: kustomize
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -9,9 +9,8 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+# The following resources support the metrics endpoint authn/authz
+# provided by controller-runtime's WithAuthenticationAndAuthorization.
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
diff --git a/go.mod b/go.mod
@@ -23,29 +23,36 @@ require (
 )
 
 require (
+	cel.dev/expr v0.24.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.26.0 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -65,11 +72,22 @@ require (
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.32.0 // indirect
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
@@ -80,14 +98,20 @@ require (
 	golang.org/x/time v0.9.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.35.0 // indirect
+	k8s.io/apiserver v0.35.0 // indirect
+	k8s.io/component-base v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
diff --git a/go.sum b/go.sum
diff --git a/internal/cmd/manager/main.go b/internal/cmd/manager/main.go
