[prom-label-proxy] kube-rbac-proxy support (#4624)
Co-authored-by: Jan-Otto Kröpke <github@jkroepke.de>
sathieu and jkroepke authored Jul 6, 2024
1 parent f8d334e commit 094734b
Showing 10 changed files with 255 additions and 3 deletions.
2 changes: 1 addition & 1 deletion charts/prom-label-proxy/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: prom-label-proxy
description: A proxy that enforces a given label in a given PromQL query.
type: application
version: 0.8.0
version: 0.9.0
appVersion: "v0.10.0"
home: "https://github.com/prometheus-community/prom-label-proxy"
keywords:
65 changes: 65 additions & 0 deletions charts/prom-label-proxy/README.md
Expand Up @@ -48,3 +48,68 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h
```console
helm show values prometheus-community/prom-label-proxy
```

### kube-rbac-proxy

You can enable `prom-label-proxy` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy one RBAC proxy container for `config.listenAddress`.

With the below example `values.yaml` :

```yaml
config:
upstream: http://prometheus:9090
extraArgs:
- --enable-label-apis=true
- --header-name=X-Namespace

kubeRBACProxy:
enabled: true
config:
authorization:
rewrites:
byHttpHeader:
name: X-Namespace
resourceAttributes:
apiVersion: v1
resource: namespaces
subresource: metrics
namespace: "{{ .Value }}"
```
To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `Role` attached such as:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: tenant1-metrics-reader
namespace: tenant1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tenant1-metrics
namespace: tenant1
rules:
- apiGroups: [ '' ]
resources:
- namespaces/metrics
verbs: [ "create", "get" ]
---
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tenant1-metrics-reader
namespace: tenant1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tenant1-metrics
subjects:
- kind: ServiceAccount
name: tenant1-metrics-reader
namespace: tenant1
```

See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/rewrites) for more details.
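--- a/charts/prom-label-proxy/ci/kube-rbac-proxy-values.yaml
+++ b/charts/prom-label-proxy/ci/kube-rbac-proxy-values.yaml
@@ -0,0 +1,18 @@
+config:
+upstream: http://prometheus:9090
+extraArgs:
+- --enable-label-apis=true
+- --header-name=X-Namespace
+
+kubeRBACProxy:
+enabled: true
+config:
+authorization:
+rewrites:
+byHttpHeader:
+name: X-Namespace
+resourceAttributes:
+apiVersion: v1
+resource: namespaces
+subresource: metrics
+namespace: "{{ .Value }}"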
8 changes: 8 additions & 0 deletions charts/prom-label-proxy/templates/_helpers.tpl
Expand Up @@ -79,3 +79,11 @@ Return the appropriate apiVersion for rbac.
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}


{{/*
The image to use for kubeRBACProxy
*/}}
{{- define "kubeRBACProxy.image" -}}
{{- printf "%s:%s" .Values.kubeRBACProxy.image.repository .Values.kubeRBACProxy.image.tag }}
{{- end }}
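Review bot: The new named template is registered as `kubeRBACProxy.image`, while every other helper referenced on this page carries the chart prefix (`prom-label-proxy.fullname`, `prom-label-proxy.labels`, `prom-label-proxy.namespace`); Helm named templates are global for the whole release, so an unprefixed name can be silently shadowed by an identically named helper in a parent or sibling chart. Rename it `prom-label-proxy.kubeRBACProxy.image` and update its one caller in deployment.yaml. The `printf "%s:%s"` also renders `repo:` when `image.tag` is left empty, which only fails later at image pull; `{{- printf "%s:%s" .Values.kubeRBACProxy.image.repository (required "kubeRBACProxy.image.tag is required" .Values.kubeRBACProxy.image.tag) }}` fails at template time with a readable message instead.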
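--- a/charts/prom-label-proxy/templates/clusterrole.yaml
+++ b/charts/prom-label-proxy/templates/clusterrole.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.kubeRBACProxy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "prom-label-proxy.fullname" . }}
+labels:
+{{- include "prom-label-proxy.labels" . | nindent 4 }}
+rules:
+- apiGroups: [ "authentication.k8s.io" ]
+resources:
+- tokenreviews
+verbs: [ "create" ]
+- apiGroups: [ "authorization.k8s.io" ]
+resources:
+- subjectaccessreviews
+verbs: [ "create" ]
+{{- end -}}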
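Review bot: `name: {{ include "prom-label-proxy.fullname" . }}` uses `include` here, while the sibling manifests added in the same commit (clusterrolebinding.yaml, rbac-configmap.yaml and the `volumes` entry in deployment.yaml) call the same helper as `{{ template "prom-label-proxy.fullname" . }}`. Helm's guidance prefers `include`, because its output can be piped (`| quote`, `| nindent`) whereas `template` cannot; pick one form for the new files, ideally `include`. The two rules themselves are the minimum kube-rbac-proxy needs (creating TokenReviews and SubjectAccessReviews) and look correct.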
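--- a/charts/prom-label-proxy/templates/clusterrolebinding.yaml
+++ b/charts/prom-label-proxy/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.kubeRBACProxy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+labels:
+{{- include "prom-label-proxy.labels" . | nindent 4 }}
+name: {{ template "prom-label-proxy.fullname" . }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: {{ template "prom-label-proxy.fullname" . }}
+subjects:
+- kind: ServiceAccount
+name: {{ template "prom-label-proxy.serviceAccountName" . }}
+namespace: {{ template "prom-label-proxy.namespace" . }}
+{{- end -}}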
55 changes: 53 additions & 2 deletions charts/prom-label-proxy/templates/deployment.yaml
Expand Up @@ -12,9 +12,14 @@ spec:
{{- include "prom-label-proxy.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
{{- if or .Values.podAnnotations (and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config) }}
annotations:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config }}
checksum/config: {{ .Values.kubeRBACProxy.config | toJson | sha256sum }}
{{- end }}
{{- end }}
labels:
{{- include "prom-label-proxy.selectorLabels" . | nindent 8 }}
Expand All @@ -30,6 +35,7 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
{{- $configListenPort := tpl .Values.config.listenAddress $ | splitList ":" | last }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
Expand All @@ -47,7 +53,7 @@ spec:
{{- end }}
ports:
- name: http
containerPort: {{ splitList ":" .Values.config.listenAddress | last }}
containerPort: {{ $configListenPort }}
protocol: TCP
{{- if .Values.metrics.enabled }}
- name: http-metrics
Expand All @@ -60,6 +66,45 @@ spec:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.kubeRBACProxy.enabled }}
- name: kube-rbac-proxy
args:
{{- if .Values.kubeRBACProxy.extraArgs }}
{{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 10 }}
{{- end }}
- --secure-listen-address=:{{ .Values.kubeRBACProxy.port }}
- --upstream=http://127.0.0.1:{{ $configListenPort }}/
- --proxy-endpoints-port=8888
{{- if .Values.kubeRBACProxy.config }}
- --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
{{- end }}
volumeMounts:
- name: kube-rbac-proxy-config
mountPath: /etc/kube-rbac-proxy-config
{{- with .Values.kubeRBACProxy.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }}
image: {{ include "kubeRBACProxy.image" . }}
ports:
- containerPort: {{ .Values.kubeRBACProxy.port }}
name: krp
- containerPort: 8888
name: krp-healthz
readinessProbe:
httpGet:
scheme: HTTPS
port: 8888
path: healthz
initialDelaySeconds: 5
timeoutSeconds: 5
{{- if .Values.kubeRBACProxy.resources }}
resources: {{ toYaml .Values.kubeRBACProxy.resources | nindent 10 }}
{{- end }}
{{- if .Values.kubeRBACProxy.containerSecurityContext }}
securityContext: {{ toYaml .Values.kubeRBACProxy.containerSecurityContext | nindent 12 }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand All @@ -72,3 +117,9 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config }}
volumes:
- name: kube-rbac-proxy-config
configMap:
name: {{ template "prom-label-proxy.fullname" . }}-rbac-config
{{- end }}
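Review bot: The `- name: kube-rbac-proxy-config` / `mountPath: /etc/kube-rbac-proxy-config` mount in the containers hunk is emitted whenever `kubeRBACProxy.enabled` is true, but the volume it refers to (the `volumes` entry in the last hunk, and the ConfigMap in rbac-configmap.yaml) only exists when `.Values.kubeRBACProxy.config` is non-empty; with `enabled: true` and the default `config: {}` the rendered pod references an undefined volume and is rejected at admission. Wrap the mount in the same guard already used for the `--config-file` arg — `{{- if .Values.kubeRBACProxy.config }}` before `- name: kube-rbac-proxy-config` and `{{- end }}` after `mountPath` — so `volumeMounts:` still renders for the user-supplied `kubeRBACProxy.volumeMounts`. Separately, only the Service is repointed to `krp`: the upstream still listens on the `http` containerPort, reachable on the pod IP, so any client that can address the pod directly bypasses kube-rbac-proxy; that deserves a comment in values.yaml (bind `config.listenAddress` to `127.0.0.1` where the readiness probe permits it, or pair the feature with a NetworkPolicy). The proxy-endpoints port `8888` is hard-coded in three places while `kubeRBACProxy.port` is configurable, so a user who chooses 8888 for the latter gets a port collision.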
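--- a/charts/prom-label-proxy/templates/rbac-configmap.yaml
+++ b/charts/prom-label-proxy/templates/rbac-configmap.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.kubeRBACProxy.enabled .Values.kubeRBACProxy.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: {{ template "prom-label-proxy.fullname" . }}-rbac-config
+namespace: {{ template "prom-label-proxy.namespace" . }}
+labels: {{- include "prom-label-proxy.labels" . | nindent 4 }}
+{{- if .Values.annotations }}
+annotations:
+{{ toYaml .Values.annotations | nindent 4 }}
+{{- end }}
+data:
+config-file.yaml: |
+{{- .Values.kubeRBACProxy.config | toYaml | nindent 4 }}
+{{- end }}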
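Review bot: The `annotations` block is driven by `.Values.annotations`, a key that does not appear in the values.yaml hunk of this commit and that deployment.yaml reads as `.Values.podAnnotations`; if the chart defines no top-level `annotations` value, this branch is dead and the ConfigMap can never carry annotations — confirm the key exists or drop the block. The expression `{{ toYaml .Values.annotations | nindent 4 }}` also lacks the left-trim marker, so whatever indentation precedes `{{` in the source is emitted before the newline `nindent` adds and renders as a blank or whitespace-only line; write it `{{- toYaml .Values.annotations | nindent 4 }}`, matching the `labels:` line above it.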
4 changes: 4 additions & 0 deletions charts/prom-label-proxy/templates/service.yaml
Expand Up @@ -13,7 +13,11 @@ spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
{{- if .Values.kubeRBACProxy.enabled }}
targetPort: krp
{{- else }}
targetPort: http
{{- end }}
protocol: TCP
name: http
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
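Review bot: With `kubeRBACProxy.enabled` the port switches its `targetPort` to `krp` but keeps `name: http`, although what it now fronts is a TLS listener; consumers that derive the scheme from the port name or from `appProtocol` (a ServiceMonitor, an Ingress or Gateway backend) will speak plain HTTP to it. Consider adding `appProtocol: https` inside the same `{{- if .Values.kubeRBACProxy.enabled }}` branch so the Service itself advertises the protocol change, rather than relying on the values.yaml comment alone.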
58 changes: 58 additions & 0 deletions charts/prom-label-proxy/values.yaml
Expand Up @@ -198,3 +198,61 @@ metrics:

# Additional settings for Endpoint.
additionalEndpointConfigs: {}

# Configure kube-rbac-proxy. When enabled, creates one kube-rbac-proxy container.
# The requests are served through the same service but requests are then HTTPS.
kubeRBACProxy:
enabled: false

# Configuration see [here](https://github.com/brancz/kube-rbac-proxy?tab=readme-ov-file#usage)
config: {}
# authorization:
# rewrites:
# byHttpHeader:
# name: X-Namespace
# resourceAttributes:
# resource: pods
# subresource: metrics
# namespace: "{{ .Value }}"

image:
repository: quay.io/brancz/kube-rbac-proxy
tag: v0.18.0
pullPolicy: IfNotPresent

# List of additional cli arguments to configure kube-rbac-prxy
# for example: --tls-cipher-suites, --log-file, etc.
# all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage
extraArgs: []

# targetPort of service
port: 8100

## Specify security settings for a Container
## Allows overrides and additional options compared to (Pod) securityContext
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 64Mi
# requests:
# cpu: 10m
# memory: 32Mi

## volumeMounts enables mounting custom volumes in rbac-proxy containers
## Useful for TLS certificates and keys
volumeMounts: []
# - mountPath: /etc/tls
# name: kube-rbac-proxy-tls
# readOnly: true
