feat: add rbac proxy sidecar (#28)

petardoodle · web-flow · commit f29b9fd45b90 · 2023-06-07T16:30:40.000+02:00
diff --git a/chart/k8skafka-controller/Chart.yaml b/chart/k8skafka-controller/Chart.yaml
@@ -12,4 +12,4 @@ keywords:
 name: k8skafka-controller
 sources:
 - https://github.com/DoodleScheduling/k8skafka-controller
-version: 0.3.2
+version: 0.3.3
diff --git a/chart/k8skafka-controller/templates/deployment.yaml b/chart/k8skafka-controller/templates/deployment.yaml
@@ -50,6 +50,9 @@ spec:
         image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args:
+        {{- if .Values.kubeRBACProxy.enabled }}
+        - --metrics-addr=127.0.0.1:9556
+        {{- end }}
         {{- if .Values.extraArgs }}
         {{- toYaml .Values.extraArgs | nindent 8 }}
         {{- end }}
@@ -76,6 +79,26 @@ spec:
           subPath: {{ .subPath }}
           {{- end }}
         {{- end }}
+      {{- if .Values.kubeRBACProxy.enabled }}
+      - args:
+          - --secure-listen-address=0.0.0.0:8443
+          - --upstream=http://127.0.0.1:{{ .Values.metricsPort }}
+          - --logtostderr=true
+          - --v=0
+        image: quay.io/brancz/kube-rbac-proxy:v0.14.0
+        imagePullPolicy: IfNotPresent
+        name: kube-rbac-proxy
+        ports:
+          - containerPort: 8443
+            name: https
+            protocol: TCP
+        resources:
+          {{- toYaml .Values.kubeRBACProxy.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.kubeRBACProxy.securityContext | nindent 10 }}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      {{- end }}
       {{- if .Values.extraContainers }}
       {{- toYaml .Values.extraContainers | nindent 6 }}
       {{- end }}
diff --git a/chart/k8skafka-controller/templates/metrics-rbac.yaml b/chart/k8skafka-controller/templates/metrics-rbac.yaml
@@ -0,0 +1,57 @@
+{{- if .Values.kubeRBACProxy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "k8skafka-controller.fullname" . }}-metrics-reader
+  labels:
+    app.kubernetes.io/name: {{ include "k8skafka-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8skafka-controller.chart" . }}
+rules:
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "k8skafka-controller.fullname" . }}-proxy
+  labels:
+    app.kubernetes.io/name: {{ include "k8skafka-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8skafka-controller.chart" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "k8skafka-controller.fullname" . }}-proxy
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "k8skafka-controller.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "k8skafka-controller.fullname" . }}-proxy
+  labels:
+    app.kubernetes.io/name: {{ include "k8skafka-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8skafka-controller.chart" . }}
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+  {{- end }}
diff --git a/chart/k8skafka-controller/templates/podmonitor.yaml b/chart/k8skafka-controller/templates/podmonitor.yaml
@@ -18,8 +18,18 @@ metadata:
     {{- toYaml .Values.annotations | nindent 4 }}
 spec:
   podMetricsEndpoints:
-  - port: metrics
-    path: {{ .Values.metricsPath }}
+  - path: {{ .Values.metricsPath }}
+    {{- if .Values.kubeRBACProxy.enabled }}
+    port: https
+    scheme: https
+    bearerTokenSecret:
+      key: token
+      name: {{ template "k8skafka-controller.serviceAccountName" . }}
+    tlsConfig:
+      insecureSkipVerify: true
+    {{- else }}
+    port: metrics
+    {{- end }}
     interval: {{ .Values.podMonitor.interval }}
     scrapeTimeout: {{ .Values.podMonitor.scrapeTimeout }}
     {{- if .Values.podMonitor.metricRelabelings }}
diff --git a/chart/k8skafka-controller/values.yaml b/chart/k8skafka-controller/values.yaml
@@ -117,4 +117,15 @@ prometheusRule:
   labels: {}
   rules: []
 
+kubeRBACProxy:
+  enabled: true
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["all"]
+    readOnlyRootFilesystem: true
+
+  resources: {}
+
 tolerations: []
