From 094734b01c1daeca001186537e600ddcc3a49e2d Mon Sep 17 00:00:00 2001
From: Mathieu Parent
Date: Sat, 6 Jul 2024 19:52:04 +0200
Subject: [PATCH] [prom-label-proxy] kube-rbac-proxy support (#4624)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jan-Otto Kröpke
---
 charts/prom-label-proxy/Chart.yaml | 2 +-
 charts/prom-label-proxy/README.md | 65 +++++++++++++++++++
 .../ci/kube-rbac-proxy-values.yaml | 18 +++++
 .../prom-label-proxy/templates/_helpers.tpl | 8 +++
 .../templates/clusterrole.yaml | 17 +++++
 .../templates/clusterrolebinding.yaml | 16 +++++
 .../templates/deployment.yaml | 55 +++++++++++++++-
 .../templates/rbac-configmap.yaml | 15 +++++
 .../prom-label-proxy/templates/service.yaml | 4 ++
 charts/prom-label-proxy/values.yaml | 58 +++++++++++++++++
 10 files changed, 255 insertions(+), 3 deletions(-)
 create mode 100644 charts/prom-label-proxy/ci/kube-rbac-proxy-values.yaml
 create mode 100644 charts/prom-label-proxy/templates/clusterrole.yaml
 create mode 100644 charts/prom-label-proxy/templates/clusterrolebinding.yaml
 create mode 100644 charts/prom-label-proxy/templates/rbac-configmap.yaml
diff --git a/charts/prom-label-proxy/Chart.yaml b/charts/prom-label-proxy/Chart.yaml
index e7b3c7a9d9a7..a928e00b4938 100644
--- a/charts/prom-label-proxy/Chart.yaml
+++ b/charts/prom-label-proxy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: prom-label-proxy
 description: A proxy that enforces a given label in a given PromQL query.
 type: application
-version: 0.8.0
+version: 0.9.0
 appVersion: "v0.10.0"
 home: "https://github.com/prometheus-community/prom-label-proxy"
 keywords:
diff --git a/charts/prom-label-proxy/README.md b/charts/prom-label-proxy/README.md
index e7893ea781a1..5257d5567e91 100644
--- a/charts/prom-label-proxy/README.md
+++ b/charts/prom-label-proxy/README.md
@@ -48,3 +48,68 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h
 ```console
 helm show values prometheus-community/prom-label-proxy
 ```
+
+### kube-rbac-proxy
+
+You can enable `prom-label-proxy` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy one RBAC proxy container for `config.listenAddress`.
+
+With the below example `values.yaml` :
+
+```yaml
+config:
+ upstream: http://prometheus:9090
+ extraArgs:
+ - --enable-label-apis=true
+ - --header-name=X-Namespace
+
+kubeRBACProxy:
+ enabled: true
+ config:
+ authorization:
+ rewrites:
+ byHttpHeader:
+ name: X-Namespace
+ resourceAttributes:
+ apiVersion: v1
+ resource: namespaces
+ subresource: metrics
+ namespace: "{{ .Value }}"
+```
+
+To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `Role` attached such as:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tenant1-metrics-reader
+ namespace: tenant1
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tenant1-metrics
+ namespace: tenant1
+rules:
+ - apiGroups: [ '' ]
+ resources:
+ - namespaces/metrics
+ verbs: [ "create", "get" ]
+---
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tenant1-metrics-reader
+ namespace: tenant1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tenant1-metrics
+subjects:
+- kind: ServiceAccount
+ name: tenant1-metrics-reader
+ namespace: tenant1
+```
+
+See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/rewrites) for more details.
diff --git a/charts/prom-label-proxy/ci/kube-rbac-proxy-values.yaml b/charts/prom-label-proxy/ci/kube-rbac-proxy-values.yaml
new file mode 100644
index 000000000000..a61cd88fc1b7
--- /dev/null
+++ b/charts/prom-label-proxy/ci/kube-rbac-proxy-values.yaml
@@ -0,0 +1,18 @@
+config:
+ upstream: http://prometheus:9090
+ extraArgs:
+ - --enable-label-apis=true
+ - --header-name=X-Namespace
+
+kubeRBACProxy:
+ enabled: true
+ config:
+ authorization:
+ rewrites:
+ byHttpHeader:
+ name: X-Namespace
+ resourceAttributes:
+ apiVersion: v1
+ resource: namespaces
+ subresource: metrics
+ namespace: "{{ .Value }}"
diff --git a/charts/prom-label-proxy/templates/_helpers.tpl b/charts/prom-label-proxy/templates/_helpers.tpl
index 991f43cd4e04..84f3198a05fa 100644
--- a/charts/prom-label-proxy/templates/_helpers.tpl
+++ b/charts/prom-label-proxy/templates/_helpers.tpl
@@ -79,3 +79,11 @@ Return the appropriate apiVersion for rbac.
 {{- .Release.Namespace -}}
 {{- end -}}
 {{- end -}}
+
+
+{{/*
+The image to use for kubeRBACProxy
+*/}}
+{{- define "kubeRBACProxy.image" -}}
+{{- printf "%s:%s" .Values.kubeRBACProxy.image.repository .Values.kubeRBACProxy.image.tag }}
+{{- end }}
diff --git a/charts/prom-label-proxy/templates/clusterrole.yaml b/charts/prom-label-proxy/templates/clusterrole.yaml
new file mode 100644
index 000000000000..a683dc1c86a7
--- /dev/null
+++ b/charts/prom-label-proxy/templates/clusterrole.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.kubeRBACProxy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "prom-label-proxy.fullname" . }}
+ labels:
+ {{- include "prom-label-proxy.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [ "authentication.k8s.io" ]
+ resources:
+ - tokenreviews
+ verbs: [ "create" ]
+ - apiGroups: [ "authorization.k8s.io" ]
+ resources:
+ - subjectaccessreviews
+ verbs: [ "create" ]
+{{- end -}}
diff --git a/charts/prom-label-proxy/templates/clusterrolebinding.yaml b/charts/prom-label-proxy/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000000..d5acd477ce99
--- /dev/null
+++ b/charts/prom-label-proxy/templates/clusterrolebinding.yaml
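Review bot: The new `kubeRBACProxy.image` helper renders only `repository:tag`, so there is no way to pin the proxy image by digest, and this is the container that terminates TLS and makes the authorization decision for every request. Consider honouring an optional digest value alongside the tag, e.g. `{{- with .Values.kubeRBACProxy.image }}` / `{{- if .sha }}{{ printf "%s:%s@%s" .repository .tag .sha }}{{ else }}{{ printf "%s:%s" .repository .tag }}{{ end }}` / `{{- end }}`, with a matching `sha: ""` entry in values.yaml. The helper is otherwise self-contained, but it reads nothing under `global.imageRegistry`, so air-gapped mirrors will need to override `repository` wholesale; worth a comment above the `define`.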
@@ -0,0 +1,16 @@
+{{- if .Values.kubeRBACProxy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ {{- include "prom-label-proxy.labels" . | nindent 4 }}
+ name: {{ template "prom-label-proxy.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "prom-label-proxy.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "prom-label-proxy.serviceAccountName" . }}
+ namespace: {{ template "prom-label-proxy.namespace" . }}
+{{- end -}}
diff --git a/charts/prom-label-proxy/templates/deployment.yaml b/charts/prom-label-proxy/templates/deployment.yaml
index 306ddd871bcd..7d982b2cdfde 100644
--- a/charts/prom-label-proxy/templates/deployment.yaml
+++ b/charts/prom-label-proxy/templates/deployment.yaml
@@ -12,9 +12,14 @@ spec:
 {{- include "prom-label-proxy.selectorLabels" . | nindent 6 }}
 template:
 metadata:
- {{- with .Values.podAnnotations }}
+ {{- if or .Values.podAnnotations (and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config) }}
 annotations:
+ {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config }}
+ checksum/config: {{ .Values.kubeRBACProxy.config | toJson | sha256sum }}
+ {{- end }}
 {{- end }}
 labels:
 {{- include "prom-label-proxy.selectorLabels" . | nindent 8 }}
@@ -30,6 +35,7 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
+ {{- $configListenPort := tpl .Values.config.listenAddress $ | splitList ":" | last }}
 - name: {{ .Chart.Name }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
@@ -47,7 +53,7 @@ spec:
 {{- end }}
 ports:
 - name: http
- containerPort: {{ splitList ":" .Values.config.listenAddress | last }}
+ containerPort: {{ $configListenPort }}
 protocol: TCP
 {{- if .Values.metrics.enabled }}
 - name: http-metrics
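Review bot: This binding hands `tokenreviews`/`subjectaccessreviews` create to whatever `prom-label-proxy.serviceAccountName` resolves to, and if that helper falls back to `default` when `serviceAccount.create` is false (the helper is outside this diff, so I cannot confirm), every pod in the release namespace running under the default ServiceAccount inherits the ability to validate arbitrary bearer tokens and probe cluster RBAC. Since kube-rbac-proxy cannot work without these permissions, the safer behaviour is to refuse that configuration rather than silently widen the default SA: `{{- if and .Values.kubeRBACProxy.enabled (not .Values.serviceAccount.create) (not .Values.serviceAccount.name) }}{{ fail "kubeRBACProxy.enabled requires a dedicated ServiceAccount" }}{{- end }}`, assuming those value keys match the chart's existing `serviceAccount` block. The README section should also state that the proxy needs a dedicated ServiceAccount with these cluster-scoped permissions.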
@@ -60,6 +66,45 @@ spec:
 {{- toYaml .Values.readinessProbe | nindent 12 }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.kubeRBACProxy.enabled }}
+ - name: kube-rbac-proxy
+ args:
+ {{- if .Values.kubeRBACProxy.extraArgs }}
+ {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 10 }}
+ {{- end }}
+ - --secure-listen-address=:{{ .Values.kubeRBACProxy.port }}
+ - --upstream=http://127.0.0.1:{{ $configListenPort }}/
+ - --proxy-endpoints-port=8888
+ {{- if .Values.kubeRBACProxy.config }}
+ - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
+ {{- end }}
+ volumeMounts:
+ - name: kube-rbac-proxy-config
+ mountPath: /etc/kube-rbac-proxy-config
+ {{- with .Values.kubeRBACProxy.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
+ image: {{ include "kubeRBACProxy.image" . }}
+ ports:
+ - containerPort: {{ .Values.kubeRBACProxy.port }}
+ name: krp
+ - containerPort: 8888
+ name: krp-healthz
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ port: 8888
+ path: healthz
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ {{- if .Values.kubeRBACProxy.resources }}
+ resources: {{ toYaml .Values.kubeRBACProxy.resources | nindent 10 }}
+ {{- end }}
+ {{- if .Values.kubeRBACProxy.containerSecurityContext }}
+ securityContext: {{ toYaml .Values.kubeRBACProxy.containerSecurityContext | nindent 12 }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -72,3 +117,9 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config }}
+ volumes:
+ - name: kube-rbac-proxy-config
+ configMap:
+ name: {{ template "prom-label-proxy.fullname" . }}-rbac-config
+ {{- end }}
diff --git a/charts/prom-label-proxy/templates/rbac-configmap.yaml b/charts/prom-label-proxy/templates/rbac-configmap.yaml
new file mode 100644
index 000000000000..6adfd99e7963
--- /dev/null
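Review bot: Enabling kube-rbac-proxy does not actually close off prom-label-proxy: the `http` containerPort on `config.listenAddress` stays open and only the Service's `targetPort` moves, so any workload that can reach the pod IP can still query the unauthenticated upstream (and the `http-metrics` port, when enabled) directly. The `--upstream=http://127.0.0.1:{{ $configListenPort }}/` line already assumes a loopback listener, so when `kubeRBACProxy.enabled` is true the chart should force or verify that the host part of `listenAddress` is `127.0.0.1` (its default is outside this diff) and the README should recommend a NetworkPolicy for the pod. Separately, nothing passes `--tls-cert-file`/`--tls-private-key-file`, so as far as I know kube-rbac-proxy will serve a self-signed certificate that clients cannot verify; the `volumeMounts` hook hints at this but a `# NOTE: supply a serving cert via extraArgs + volumeMounts, otherwise a self-signed cert is generated at startup` comment next to the `args:` block would make it explicit. The readiness probe checks `/healthz` on the proxy-endpoints port only, which is fine, but the proxy container has no liveness probe while the main container presumably does.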
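Review bot: The `kube-rbac-proxy-config` volume is emitted only when `kubeRBACProxy.config` is non-empty, but the container hunk above mounts it unconditionally, so `kubeRBACProxy.enabled: true` with the default `config: {}` renders a Pod that references a volume that does not exist and is rejected at admission. Either wrap the `- name: kube-rbac-proxy-config` / `mountPath:` pair in the same `{{- if .Values.kubeRBACProxy.config }}` guard used for `--config-file`, or drop the `config` condition here and add `optional: true` under `configMap:` so an empty config still yields a valid (empty) mount. This hunk also emits a literal `volumes:` key; if the enclosing pod spec already has one for user-supplied volumes (not visible in the diff), the result is a duplicate mapping key that Helm will render without complaint and the API server will parse last-wins.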
+++ b/charts/prom-label-proxy/templates/rbac-configmap.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "prom-label-proxy.fullname" . }}-rbac-config
+ namespace: {{ template "prom-label-proxy.namespace" . }}
+ labels: {{- include "prom-label-proxy.labels" . | nindent 4 }}
+ {{- if .Values.annotations }}
+ annotations:
+ {{ toYaml .Values.annotations | nindent 4 }}
+ {{- end }}
+data:
+ config-file.yaml: |
+ {{- .Values.kubeRBACProxy.config | toYaml | nindent 4 }}
+{{- end }}
diff --git a/charts/prom-label-proxy/templates/service.yaml b/charts/prom-label-proxy/templates/service.yaml
index bc909fae9663..d87291ab0c21 100644
--- a/charts/prom-label-proxy/templates/service.yaml
+++ b/charts/prom-label-proxy/templates/service.yaml
@@ -13,7 +13,11 @@ spec:
 type: {{ .Values.service.type }}
 ports:
 - port: {{ .Values.service.port }}
+ {{- if .Values.kubeRBACProxy.enabled }}
+ targetPort: krp
+ {{- else }}
 targetPort: http
+ {{- end }}
 protocol: TCP
 name: http
 {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
diff --git a/charts/prom-label-proxy/values.yaml b/charts/prom-label-proxy/values.yaml
index 2bd05c93f22b..5c2199253153 100644
--- a/charts/prom-label-proxy/values.yaml
+++ b/charts/prom-label-proxy/values.yaml
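Review bot: The ConfigMap's `annotations:` branch keys off `.Values.annotations`, which the values.yaml hunk in this same patch does not define and which no other template in the diff uses, so either it refers to a top-level value I cannot see or the branch is dead and probably meant `.Values.kubeRBACProxy.annotations`; worth confirming against the full values file. Also `{{ toYaml .Values.annotations | nindent 4 }}` keeps the leading whitespace before the action while `nindent` adds its own newline, so the rendered block starts with an extra blank-ish line; the usual form is `{{- toYaml .Values.annotations | nindent 4 }}`.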
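Review bot: With kube-rbac-proxy enabled the Service port now carries TLS but keeps `name: http`, so meshes and tooling that infer protocol from the port name (Istio is the obvious one) will treat it as plaintext and break the connection, and any ServiceMonitor or Ingress pointed at it must switch to `scheme: https`. Suggest `name: {{ ternary "https" "http" .Values.kubeRBACProxy.enabled }}` plus `appProtocol: https` inside the enabled branch, and a README sentence noting that enabling the proxy renames the port, since existing Ingress objects reference it by name.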
@@ -198,3 +198,61 @@ metrics:
 # Additional settings for Endpoint.
 additionalEndpointConfigs: {}
+
+# Configure kube-rbac-proxy. When enabled, creates one kube-rbac-proxy container.
+# The requests are served through the same service but requests are then HTTPS.
+kubeRBACProxy:
+ enabled: false
+
+ # Configuration see [here](https://github.com/brancz/kube-rbac-proxy?tab=readme-ov-file#usage)
+ config: {}
+ # authorization:
+ # rewrites:
+ # byHttpHeader:
+ # name: X-Namespace
+ # resourceAttributes:
+ # resource: pods
+ # subresource: metrics
+ # namespace: "{{ .Value }}"
+
+ image:
+ repository: quay.io/brancz/kube-rbac-proxy
+ tag: v0.18.0
+ pullPolicy: IfNotPresent
+
+ # List of additional cli arguments to configure kube-rbac-prxy
+ # for example: --tls-cipher-suites, --log-file, etc.
+ # all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage
+ extraArgs: []
+
+ # targetPort of service
+ port: 8100
+
+ ## Specify security settings for a Container
+ ## Allows overrides and additional options compared to (Pod) securityContext
+ ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 64Mi
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ ## volumeMounts enables mounting custom volumes in rbac-proxy containers
+ ## Useful for TLS certificates and keys
+ volumeMounts: []
+ # - mountPath: /etc/tls
+ # name: kube-rbac-proxy-tls
+ # readOnly: true
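Review bot: `containerSecurityContext` drops all capabilities and blocks privilege escalation but sets neither `runAsNonRoot: true` nor `seccompProfile: {type: RuntimeDefault}`, so the proxy container only satisfies the Pod Security `restricted` profile if the pod-level `podSecurityContext` (outside this hunk) happens to supply both; adding them here is cheap, assuming the quay.io/brancz/kube-rbac-proxy image runs as an unprivileged user by default, which should be confirmed for v0.18.0. The values also offer no way to supply a serving certificate — nothing sets `--tls-cert-file`/`--tls-private-key-file` — so out of the box the proxy will, as far as I know, generate a self-signed certificate and every client has to disable verification; at minimum the `extraArgs` comment should say so and point at `volumeMounts` for the Secret, and a `--tls-min-version=VersionTLS12` example would be more useful than `--log-file`. The commented `config` example uses `resource: pods` while the README and CI fixture use `namespaces`; pick one so users do not copy a mismatched Role. Also `kube-rbac-prxy` in the extraArgs comment is a typo.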