diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml index c16e9663..8b0eac25 100644 --- a/charts/zora/templates/operator/deployment.yaml +++ b/charts/zora/templates/operator/deployment.yaml @@ -65,22 +65,6 @@ spec: {{- end }} {{- end }} containers: - - name: kube-rbac-proxy - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: "{{ .Values.operator.rbacProxy.image.repository }}:{{ .Values.operator.rbacProxy.image.tag }}" - imagePullPolicy: {{ .Values.operator.rbacProxy.image.pullPolicy }} - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - {{- toYaml .Values.operator.rbacProxy.resources | nindent 12 }} - securityContext: - {{- toYaml .Values.operator.rbacProxy.securityContext | nindent 12 }} - name: manager {{- if .Values.httpsProxy }} env: @@ -93,7 +77,7 @@ spec: - /manager args: - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --metrics-bind-address=:8443 - --leader-elect - --zap-encoder={{ .Values.operator.log.encoding }} - --zap-log-level={{ .Values.operator.log.level }} @@ -106,9 +90,9 @@ spec: - --cronjob-serviceaccount-name=zora-plugins - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-dbs-volume{{- end }} - --trivy-fs-group={{ .Values.scan.plugins.trivy.fsGroup }} -{{- if .Values.scan.plugins.annotations}} + {{- if .Values.scan.plugins.annotations }} - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }} -{{- end }} + {{- end }} - --saas-workspace-id={{ .Values.saas.workspaceID }} - --saas-server={{ .Values.saas.server }} - --version={{ .Chart.Version }} 
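Review bot: With the kube-rbac-proxy sidecar gone, `--metrics-bind-address=:8443` makes the manager listen on every interface, so protection of /metrics now rests entirely on the manager's `--metrics-secure` default, which this template never passes explicitly. Pinning it in the args list, `- --metrics-secure=true`, keeps the chart's posture independent of the binary default and visible to anyone reviewing rendered manifests. The authn/authz filter that replaces the proxy needs the TokenReview/SubjectAccessReview permissions that the kustomize `metrics_auth_role.yaml` later in this diff grants; the chart's own ClusterRole is not in this diff, so confirm it grants the same or every scrape will fail. The manager container's `securityContext` and `resources` continue outside the hunk.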
@@ -127,7 +111,7 @@ spec: - containerPort: 8081 protocol: TCP name: probe - - containerPort: 8080 + - containerPort: 8443 protocol: TCP name: metrics {{- if .Values.operator.webhook.enabled }} diff --git a/charts/zora/templates/operator/metrics-service.yaml b/charts/zora/templates/operator/metrics-service.yaml index f11ec19e..2ba0b913 100644 --- a/charts/zora/templates/operator/metrics-service.yaml +++ b/charts/zora/templates/operator/metrics-service.yaml @@ -24,6 +24,6 @@ spec: - name: https port: {{ .Values.operator.metricsService.port }} protocol: TCP - targetPort: https + targetPort: metrics selector: {{- include "zora.operatorSelectorLabels" . | nindent 4 }} diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index 3a1cc27a..1dc202d6 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -102,29 +102,6 @@ operator: requests: cpu: 10m memory: 64Mi - rbacProxy: - image: - # -- `kube-rbac-proxy` image repository - repository: gcr.io/kubebuilder/kube-rbac-proxy - # -- `kube-rbac-proxy` image tag - tag: v0.15.0 - # -- Image pull policy - pullPolicy: IfNotPresent - # -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `kube-rbac-proxy` container - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `kube-rbac-proxy` container - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi # -- [Node selection](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node) to constrain a Pod to only be able to run on particular Node(s) nodeSelector: {} # -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) for pod assignment diff --git a/cmd/main.go b/cmd/main.go index 85f511ca..f0215478 100644 --- a/cmd/main.go +++ b/cmd/main.go 
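Review bot: Removing the `operator.rbacProxy` block from values.yaml is a silent breaking change for existing installs, because Helm ignores unknown keys, so a user override such as `operator.rbacProxy.image.tag` or a hardened `securityContext` simply stops taking effect without any error. A changelog entry or a `values.schema.json` that rejects the removed key would surface this at upgrade time. The containerPort change to `8443` in the deployment hunk on this line is consistent with the new `targetPort: metrics` in metrics-service.yaml.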
@@ -23,12 +23,9 @@ import ( "strings" "time" - "github.com/undistro/zora/pkg/crds" - // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. _ "k8s.io/client-go/plugin/pkg/client/auth" - ctrllog "sigs.k8s.io/controller-runtime/pkg/log" "go.uber.org/zap/zapcore" apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1" @@ -38,7 +35,9 @@ import ( clientgoscheme "k8s.io/client-go/kubernetes/scheme" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" + ctrllog "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" "sigs.k8s.io/controller-runtime/pkg/webhook" @@ -46,6 +45,7 @@ import ( zorav1alpha2 "github.com/undistro/zora/api/zora/v1alpha2" zoracontroller "github.com/undistro/zora/internal/controller/zora" "github.com/undistro/zora/internal/saas" + "github.com/undistro/zora/pkg/crds" //+kubebuilder:scaffold:imports ) 
@@ -91,13 +91,14 @@ func main() { var webhookServicePath string var tokenPath string - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") - flag.BoolVar(&secureMetrics, "metrics-secure", false, - "If set the metrics endpoint is served securely") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") flag.StringVar(&defaultPluginsNamespace, "default-plugins-namespace", "zora-system", "The namespace of default plugins") @@ -153,7 +154,7 @@ func main() { c.NextProtos = []string{"http/1.1"} } - tlsOpts := []func(*tls.Config){} + var tlsOpts []func(*tls.Config) if !enableHTTP2 { tlsOpts = append(tlsOpts, disableHTTP2) } 
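Review bot: The new `metrics-bind-address` help text ties the scheme to the port (`Use :8443 for HTTPS or :8080 for HTTP`), but whether the listener speaks HTTPS is decided by `--metrics-secure`, not by the port number, so an operator copying `:8080` will still get HTTPS unless they also flip the other flag. Suggested text: `"The address the metrics endpoint binds to (e.g. :8443). Set to 0 to disable the metrics server; the scheme is selected by --metrics-secure."`. The `--metrics-secure=false` description should also say that plain HTTP carries no authn/authz: the previous layout bound metrics to `127.0.0.1:8080` behind the proxy, whereas now the same flag yields an unauthenticated listener on every interface unless the bind address is loopback, e.g. `"If set, the metrics endpoint is served over HTTPS with authn/authz. Use --metrics-secure=false for plain, unauthenticated HTTP (bind to 127.0.0.1 in that case)."`. main() continues outside both hunks.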
@@ -161,14 +162,25 @@ func main() { TLSOpts: tlsOpts, }) + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + // If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. + } + restConfig := ctrl.GetConfigOrDie() mgr, err := ctrl.NewManager(restConfig, ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{ - BindAddress: metricsAddr, - SecureServing: secureMetrics, - TLSOpts: tlsOpts, - }, + Scheme: scheme, + Metrics: metricsServerOptions, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "e0f4eef4.zora.undistro.io", diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index c4d86ad6..d88c9620 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -39,6 +39,5 @@ patches: # [WEBHOOK] To enable webhook, uncomment the following section # the following config is for teaching kustomize how to do kustomization for CRDs. - configurations: - kustomizeconfig.yaml diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 240807a7..1c231b81 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
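Review bot: The comment above `metricsServerOptions.FilterProvider` should name what the filter depends on: `filters.WithAuthenticationAndAuthorization` issues TokenReview and SubjectAccessReview requests, so the manager's ServiceAccount needs the permissions granted by `config/rbac/metrics_auth_role.yaml` elsewhere in this diff, and with `secureMetrics` now defaulting to true every scrape fails if those are missing. Suggested: `// Requires the manager ServiceAccount to create TokenReviews and SubjectAccessReviews (config/rbac/metrics_auth_role.yaml).`. The self-signed-certificate comment should state the consequence for scrapers, which will not trust a generated certificate: `// Scrapers must skip verification or a CA-signed cert must be supplied via CertDir/CertName/KeyName.`. The same `tlsOpts` slice, including `disableHTTP2`, is now shared by the webhook and metrics servers, which looks intended but is worth a word in the comment. main() continues outside the hunk.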
@@ -25,88 +25,152 @@ resources: #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml - - +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - path: manager_webhook_patch.yaml -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -#- path: webhookcainjection_patch.yaml - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 
# Uncomment the following replacements to add the cert-manager CA injection annotations #replacements: -# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.namespace # namespace of the certificate CR -# targets: -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.name -# targets: -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - source: # Add cert-manager annotation to the webhook Service -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.name # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 0 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.namespace # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' 
-# index: 1 -# create: true +# - source: # Uncomment the following block if you have any webhook +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name # Name of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace # Namespace of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true +# +# - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# +# - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting ) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: +# - select: +# kind: MutatingWebhookConfiguration +# 
fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# +# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 2f1414b3..00000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
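Review bot: The new `manager_metrics_patch.yaml` entry targets `kind: Deployment` with no `name:`, so the JSON patch is applied to every Deployment the overlay produces, and the patch itself (introduced later in this diff) inserts at `containers/0/args/0`, assuming the manager is the first container. Adding `name: controller-manager` under `target:` bounds the effect if another Deployment is ever added to the overlay. The `[NETWORK POLICY]` comment claims the policy protects both /metrics and the Webhook Server, but the `config/network-policy/kustomization.yaml` introduced later in this diff lists only `allow-metrics-traffic.yaml`, which opens port 8443 alone; either trim the comment to metrics or add a webhook rule.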
@@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml deleted file mode 100644 index f6f58916..00000000 --- a/config/default/manager_config_patch.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml new file mode 100644 index 00000000..2aaef653 --- /dev/null +++ b/config/default/manager_metrics_patch.yaml @@ -0,0 +1,4 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 diff --git a/config/rbac/auth_proxy_service.yaml b/config/default/metrics_service.yaml similarity index 78% rename from config/rbac/auth_proxy_service.yaml rename to config/default/metrics_service.yaml index cc35b8da..bbdf90cb 100644 --- a/config/rbac/auth_proxy_service.yaml 
+++ b/config/default/metrics_service.yaml @@ -17,11 +17,7 @@ kind: Service metadata: labels: control-plane: controller-manager - app.kubernetes.io/name: service - app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: controller-manager-metrics-service namespace: system @@ -30,6 +26,6 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: control-plane: controller-manager diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 68cbb9c4..4658bea4 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -3,11 +3,7 @@ kind: Namespace metadata: labels: control-plane: controller-manager - app.kubernetes.io/name: namespace - app.kubernetes.io/instance: system - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: system --- @@ -18,11 +14,7 @@ metadata: namespace: system labels: control-plane: controller-manager - app.kubernetes.io/name: deployment - app.kubernetes.io/instance: controller-manager - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize spec: selector: @@ -70,6 +62,7 @@ spec: - /manager args: - --leader-elect + - -health-probe-bind-address=:8081 image: controller:latest imagePullPolicy: IfNotPresent name: manager diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000..82bb1201 --- /dev/null +++ b/config/network-policy/allow-metrics-traffic.yaml 
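Review bot: The added `-health-probe-bind-address=:8081` in manager.yaml uses a single dash while the neighbouring `--leader-elect` and every other flag in this diff use two. Go's `flag` package accepts either form, so it works, but the mismatch reads like a typo and will be missed by anyone grepping for `--health-probe-bind-address`; use `- --health-probe-bind-address=:8081`. The `targetPort: 8443` in metrics_service.yaml is numeric while the Helm chart uses the named port `metrics`; either works, but the manager container in manager.yaml does not declare a `containerPort` in the visible hunks, so confirm one exists if a named port is wanted later.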
@@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: zora + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml new file mode 100644 index 00000000..ec0fb5e5 --- /dev/null +++ b/config/network-policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- allow-metrics-traffic.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index 0c7d9b8e..41530d4e 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -1,15 +1,10 @@ - # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: control-plane: controller-manager - app.kubernetes.io/name: servicemonitor - app.kubernetes.io/instance: controller-manager-metrics-monitor - app.kubernetes.io/component: metrics - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: controller-manager-metrics-monitor namespace: system diff --git a/config/rbac/zora_cluster_editor_role.yaml b/config/rbac/cluster_editor_role.yaml similarity index 83% rename from config/rbac/zora_cluster_editor_role.yaml rename to config/rbac/cluster_editor_role.yaml index d9f5972c..02908baf 100644 
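Review bot: Because `policyTypes` lists only `Ingress` with a single rule for port 8443, applying this policy denies all other ingress to pods labelled `control-plane: controller-manager`, which would include the webhook listener if it is enabled on a different port; the header comment should say so, since anyone uncommenting `../network-policy` in the default overlay will otherwise discover it by broken admission calls. The comment also has a grammar slip, `are able to gathering data`, which should read `are able to gather data`. Since the `namespaceSelector` on `metrics: enabled` is the only permitted source, one line noting that the scraper's namespace must carry that label would save a support question.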
--- a/config/rbac/zora_cluster_editor_role.yaml +++ b/config/rbac/cluster_editor_role.yaml @@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: cluster-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: cluster-editor-role rules: diff --git a/config/rbac/zora_cluster_viewer_role.yaml b/config/rbac/cluster_viewer_role.yaml similarity index 82% rename from config/rbac/zora_cluster_viewer_role.yaml rename to config/rbac/cluster_viewer_role.yaml index ed1739e0..533314aa 100644 --- a/config/rbac/zora_cluster_viewer_role.yaml +++ b/config/rbac/cluster_viewer_role.yaml @@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: cluster-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: cluster-viewer-role rules: diff --git a/config/rbac/zora_clusterissue_editor_role.yaml b/config/rbac/clusterissue_editor_role.yaml similarity index 83% rename from config/rbac/zora_clusterissue_editor_role.yaml rename to config/rbac/clusterissue_editor_role.yaml index 27625472..bb45e70b 100644 --- a/config/rbac/zora_clusterissue_editor_role.yaml +++ b/config/rbac/clusterissue_editor_role.yaml @@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: clusterissue-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: clusterissue-editor-role rules: 
diff --git a/config/rbac/zora_clusterissue_viewer_role.yaml b/config/rbac/clusterissue_viewer_role.yaml similarity index 82% rename from config/rbac/zora_clusterissue_viewer_role.yaml rename to config/rbac/clusterissue_viewer_role.yaml index 6d554d19..f6cf3367 100644 --- a/config/rbac/zora_clusterissue_viewer_role.yaml +++ b/config/rbac/clusterissue_viewer_role.yaml @@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: clusterissue-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: clusterissue-viewer-role rules: diff --git a/config/rbac/zora_clusterscan_editor_role.yaml b/config/rbac/clusterscan_editor_role.yaml similarity index 83% rename from config/rbac/zora_clusterscan_editor_role.yaml rename to config/rbac/clusterscan_editor_role.yaml index f42c6ff3..ffd172af 100644 --- a/config/rbac/zora_clusterscan_editor_role.yaml +++ b/config/rbac/clusterscan_editor_role.yaml @@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: clusterscan-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: clusterscan-editor-role rules: diff --git a/config/rbac/zora_clusterscan_viewer_role.yaml b/config/rbac/clusterscan_viewer_role.yaml similarity index 82% rename from config/rbac/zora_clusterscan_viewer_role.yaml rename to config/rbac/clusterscan_viewer_role.yaml index 7138f59d..b319f399 100644 --- a/config/rbac/zora_clusterscan_viewer_role.yaml +++ b/config/rbac/clusterscan_viewer_role.yaml 
@@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: clusterscan-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: clusterscan-viewer-role rules: diff --git a/config/rbac/zora_customcheck_editor_role.yaml b/config/rbac/customcheck_editor_role.yaml similarity index 67% rename from config/rbac/zora_customcheck_editor_role.yaml rename to config/rbac/customcheck_editor_role.yaml index 389ce5b1..b283589d 100644 --- a/config/rbac/zora_customcheck_editor_role.yaml +++ b/config/rbac/customcheck_editor_role.yaml @@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: customcheck-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: customcheck-editor-role rules: diff --git a/config/rbac/zora_customcheck_viewer_role.yaml b/config/rbac/customcheck_viewer_role.yaml similarity index 65% rename from config/rbac/zora_customcheck_viewer_role.yaml rename to config/rbac/customcheck_viewer_role.yaml index 81b73eb2..fd369832 100644 --- a/config/rbac/zora_customcheck_viewer_role.yaml +++ b/config/rbac/customcheck_viewer_role.yaml @@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: customcheck-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: zora - app.kubernetes.io/part-of: zora + app.kubernetes.io/name: zora app.kubernetes.io/managed-by: kustomize name: customcheck-viewer-role rules: 
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index c46b991f..b3ca1303 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -23,10 +23,28 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml +# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the Project itself. You can comment the following lines +# if you do not want those helpers be installed with your Project. +- cluster_editor_role.yaml +- cluster_viewer_role.yaml +- clusterissue_editor_role.yaml +- clusterissue_viewer_role.yaml +- clusterscan_editor_role.yaml +- clusterscan_viewer_role.yaml +- customcheck_editor_role.yaml +- customcheck_viewer_role.yaml +- plugin_editor_role.yaml +- plugin_viewer_role.yaml +- vulnerabilityreport_editor_role.yaml +- vulnerabilityreport_viewer_role.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml index 362fd0c4..749154ed 100644 --- a/config/rbac/leader_election_role.yaml +++ b/config/rbac/leader_election_role.yaml 
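Review bot: The new comment says `Comment the following permissions if you want to disable this protection`, but commenting out `metrics_auth_role.yaml` and its binding does not disable the authn/authz filter — that is controlled by `--metrics-secure` in cmd/main.go — it only strips the ServiceAccount's ability to make the TokenReview/SubjectAccessReview calls the filter relies on, so scrapes would start failing rather than becoming open. Suggested wording: `To serve metrics without authn/authz, start the manager with --metrics-secure=false; these roles are required whenever secure serving is on.`. It would also help to note that `metrics_reader_role.yaml` is a client-side role to bind to scrapers, not a permission the manager itself needs.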
@@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 labels:
- app.kubernetes.io/name: role
- app.kubernetes.io/instance: leader-election-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: leader-election-role
 rules:
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index 314a8be9..afa282df 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -16,11 +16,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: rolebinding
- app.kubernetes.io/instance: leader-election-rolebinding
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: leader-election-rolebinding
 roleRef:
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/metrics_auth_role.yaml
similarity index 79%
rename from config/rbac/auth_proxy_role.yaml
rename to config/rbac/metrics_auth_role.yaml
index 6e4f72e7..c22dc695 100644
--- a/config/rbac/auth_proxy_role.yaml
+++ b/config/rbac/metrics_auth_role.yaml
@@ -16,13 +16,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: proxy-role
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- name: proxy-role
+ name: metrics-auth-role
 rules:
 - apiGroups:
 - authentication.k8s.io
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml
similarity index 76%
rename from config/rbac/auth_proxy_role_binding.yaml
rename to config/rbac/metrics_auth_role_binding.yaml
index 4a28c193..147d3afc 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/metrics_auth_role_binding.yaml
@@ -16,17 +16,13 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: proxy-rolebinding
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- name: proxy-rolebinding
+ name: metrics-auth-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: proxy-role
+ name: metrics-auth-role
 subjects:
 - kind: ServiceAccount
 name: controller-manager
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/metrics_reader_role.yaml
similarity index 78%
rename from config/rbac/auth_proxy_client_clusterrole.yaml
rename to config/rbac/metrics_reader_role.yaml
index 9a844fd5..3cc745eb 100644
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ b/config/rbac/metrics_reader_role.yaml
@@ -16,11 +16,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: metrics-reader
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
 app.kubernetes.io/managed-by: kustomize
 name: metrics-reader
 rules:
diff --git a/config/rbac/zora_plugin_editor_role.yaml b/config/rbac/plugin_editor_role.yaml
similarity index 83%
rename from config/rbac/zora_plugin_editor_role.yaml
rename to config/rbac/plugin_editor_role.yaml
index ee34e7b1..646aa1d3 100644
--- a/config/rbac/zora_plugin_editor_role.yaml
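Review bot: `metrics_reader_role.yaml` is the only RBAC manifest in this commit that removes the five old labels without adding `app.kubernetes.io/name: zora`; every other role and binding here (for example `metrics_auth_role.yaml` and `metrics_auth_role_binding.yaml`) keeps `managed-by` and adds that name label. This looks like an oversight rather than intent. Suggest adding `app.kubernetes.io/name: zora` above `app.kubernetes.io/managed-by: kustomize` so the metrics-reader ClusterRole is labelled consistently with the rest and can be selected by the same label query.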
+++ b/config/rbac/plugin_editor_role.yaml
@@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: plugin-editor-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: plugin-editor-role
 rules:
diff --git a/config/rbac/zora_plugin_viewer_role.yaml b/config/rbac/plugin_viewer_role.yaml
similarity index 82%
rename from config/rbac/zora_plugin_viewer_role.yaml
rename to config/rbac/plugin_viewer_role.yaml
index 3448711e..804f708e 100644
--- a/config/rbac/zora_plugin_viewer_role.yaml
+++ b/config/rbac/plugin_viewer_role.yaml
@@ -17,11 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: plugin-viewer-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: plugin-viewer-role
 rules:
diff --git a/config/rbac/zora_plugins_role.yaml b/config/rbac/plugins_role.yaml
similarity index 91%
rename from config/rbac/zora_plugins_role.yaml
rename to config/rbac/plugins_role.yaml
index a19d1582..0dbcfbc9 100644
--- a/config/rbac/zora_plugins_role.yaml
+++ b/config/rbac/plugins_role.yaml
@@ -16,11 +16,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: zora-plugins-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: zora-plugins
 rules:
diff --git a/config/rbac/zora_plugins_role_binding.yaml b/config/rbac/plugins_role_binding.yaml
similarity index 100%
rename from config/rbac/zora_plugins_role_binding.yaml
rename to config/rbac/plugins_role_binding.yaml
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index b697d33a..ca0ce39b 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -16,11 +16,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: manager-rolebinding
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: manager-rolebinding
 roleRef:
diff --git a/config/rbac/zora_vulnerabilityreport_editor_role.yaml b/config/rbac/vulnerabilityreport_editor_role.yaml
similarity index 68%
rename from config/rbac/zora_vulnerabilityreport_editor_role.yaml
rename to config/rbac/vulnerabilityreport_editor_role.yaml
index fb3c5861..5e40fc45 100644
--- a/config/rbac/zora_vulnerabilityreport_editor_role.yaml
+++ b/config/rbac/vulnerabilityreport_editor_role.yaml
@@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: vulnerabilityreport-editor-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: vulnerabilityreport-editor-role
 rules:
diff --git a/config/rbac/zora_vulnerabilityreport_viewer_role.yaml b/config/rbac/vulnerabilityreport_viewer_role.yaml
similarity index 66%
rename from config/rbac/zora_vulnerabilityreport_viewer_role.yaml
rename to config/rbac/vulnerabilityreport_viewer_role.yaml
index dda9e408..b79d1e9f 100644
--- a/config/rbac/zora_vulnerabilityreport_viewer_role.yaml
+++ b/config/rbac/vulnerabilityreport_viewer_role.yaml
@@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: vulnerabilityreport-viewer-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: zora
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
 name: vulnerabilityreport-viewer-role
 rules:
diff --git a/config/samples/zora_v1alpha1_cluster.yaml b/config/samples/zora_v1alpha1_cluster.yaml
index 79a05141..6cf1310b 100644
--- a/config/samples/zora_v1alpha1_cluster.yaml
+++ b/config/samples/zora_v1alpha1_cluster.yaml
@@ -2,10 +2,7 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: Cluster
 metadata:
 labels:
- app.kubernetes.io/name: cluster
- app.kubernetes.io/instance: mycluster
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: mycluster
 spec: {}
diff --git a/config/samples/zora_v1alpha1_clusterscan_misconfig.yaml b/config/samples/zora_v1alpha1_clusterscan_misconfig.yaml
index 379bf3d4..9e80caa8 100644
--- a/config/samples/zora_v1alpha1_clusterscan_misconfig.yaml
+++ b/config/samples/zora_v1alpha1_clusterscan_misconfig.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: ClusterScan
 metadata:
 labels:
- app.kubernetes.io/name: clusterscan
- app.kubernetes.io/instance: mycluster-misconfig
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: mycluster-misconfig
 spec:
 clusterRef:
diff --git a/config/samples/zora_v1alpha1_clusterscan_vuln.yaml b/config/samples/zora_v1alpha1_clusterscan_vuln.yaml
index dbb3ed64..10a8a1a1 100644
--- a/config/samples/zora_v1alpha1_clusterscan_vuln.yaml
+++ b/config/samples/zora_v1alpha1_clusterscan_vuln.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: ClusterScan
 metadata:
 labels:
- app.kubernetes.io/name: clusterscan
- app.kubernetes.io/instance: mycluster-vuln
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: mycluster-vuln
 spec:
 clusterRef:
diff --git a/config/samples/zora_v1alpha1_customcheck_replicas.yaml b/config/samples/zora_v1alpha1_customcheck_replicas.yaml
index 77f810ce..c7e2adbe 100644
--- a/config/samples/zora_v1alpha1_customcheck_replicas.yaml
+++ b/config/samples/zora_v1alpha1_customcheck_replicas.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: CustomCheck
 metadata:
 labels:
- app.kubernetes.io/name: customcheck
- app.kubernetes.io/instance: custom-001
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: custom-001
 spec:
 message: "Replicas limit"
diff --git a/config/samples/zora_v1alpha1_plugin_marvin.yaml b/config/samples/zora_v1alpha1_plugin_marvin.yaml
index 64e41c1b..c62a8cc1 100644
--- a/config/samples/zora_v1alpha1_plugin_marvin.yaml
+++ b/config/samples/zora_v1alpha1_plugin_marvin.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: Plugin
 metadata:
 labels:
- app.kubernetes.io/name: plugin
- app.kubernetes.io/instance: marvin
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: marvin
 spec:
 type: misconfiguration
diff --git a/config/samples/zora_v1alpha1_plugin_popeye.yaml b/config/samples/zora_v1alpha1_plugin_popeye.yaml
index 4933e0a1..a30658ab 100644
--- a/config/samples/zora_v1alpha1_plugin_popeye.yaml
+++ b/config/samples/zora_v1alpha1_plugin_popeye.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: Plugin
 metadata:
 labels:
- app.kubernetes.io/name: plugin
- app.kubernetes.io/instance: popeye
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: popeye
 spec:
 type: misconfiguration
diff --git a/config/samples/zora_v1alpha1_plugin_popeye_all.yaml b/config/samples/zora_v1alpha1_plugin_popeye_all.yaml
index cbb3a357..585bf818 100644
--- a/config/samples/zora_v1alpha1_plugin_popeye_all.yaml
+++ b/config/samples/zora_v1alpha1_plugin_popeye_all.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: Plugin
 metadata:
 labels:
- app.kubernetes.io/name: plugin
- app.kubernetes.io/instance: popeye
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: popeye
 spec:
 type: misconfiguration
diff --git a/config/samples/zora_v1alpha1_plugin_trivy.yaml b/config/samples/zora_v1alpha1_plugin_trivy.yaml
index f15fe9da..8f258676 100644
--- a/config/samples/zora_v1alpha1_plugin_trivy.yaml
+++ b/config/samples/zora_v1alpha1_plugin_trivy.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha1
 kind: Plugin
 metadata:
 labels:
- app.kubernetes.io/name: plugin
- app.kubernetes.io/instance: trivy
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: trivy
 spec:
 type: vulnerability
diff --git a/config/samples/zora_v1alpha2_customcheck_labels.yaml b/config/samples/zora_v1alpha2_customcheck_labels.yaml
index dedc75b1..510fee87 100644
--- a/config/samples/zora_v1alpha2_customcheck_labels.yaml
+++ b/config/samples/zora_v1alpha2_customcheck_labels.yaml
@@ -2,11 +2,8 @@ apiVersion: zora.undistro.io/v1alpha2
 kind: CustomCheck
 metadata:
 labels:
- app.kubernetes.io/name: customcheck
- app.kubernetes.io/instance: custom-002
- app.kubernetes.io/part-of: zora
+ app.kubernetes.io/name: zora
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: zora
 name: custom-002
 spec:
 message: "Required labels"
diff --git a/go.mod b/go.mod
index b904bd5b..09165851 100644
--- a/go.mod
+++ b/go.mod
@@ -53,6 +53,7 @@ require (
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
 github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
+ github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 github.com/chai2010/gettext-go v1.0.2 // indirect
 github.com/cloudflare/circl v1.3.8 // indirect
 github.com/containerd/containerd v1.7.22 // indirect
@@ -88,6 +89,7 @@ require (
 github.com/gorilla/mux v1.8.1 // indirect
 github.com/gorilla/websocket v1.5.0 // indirect
 github.com/gosuri/uitable v0.0.4 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-getter v1.7.6 // indirect
@@ -153,9 +155,12 @@ require (
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
 go.opentelemetry.io/otel v1.28.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect
 go.opentelemetry.io/otel/metric v1.28.0 // indirect
 go.opentelemetry.io/otel/sdk v1.28.0 // indirect
 go.opentelemetry.io/otel/trace v1.28.0 // indirect
+ go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 golang.org/x/crypto v0.27.0 // indirect
 golang.org/x/mod v0.21.0 // indirect
 google.golang.org/api v0.172.0 // indirect
@@ -168,6 +173,7 @@ require (
 k8s.io/kubectl v0.31.2 // indirect
 mvdan.cc/sh/v3 v3.10.0 // indirect
 oras.land/oras-go v1.2.5 // indirect
+ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
 )
 require (
diff --git a/go.sum b/go.sum
index 98dfece4..8057147d 100644
--- a/go.sum
+++ b/go.sum
@@ -712,7 +712,6 @@ github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
@@ -1779,6 +1778,8 @@ oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
 sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=