Remove kube-rbac-proxy from cluster-api

bootstrap/kubeadm/config/default/kustomization.yaml

@@ -20,10 +20,6 @@ patchesStrategicMerge:
   # Provide customizable hook for make targets.
   - manager_image_patch.yaml
   - manager_pull_policy.yaml
-  # Protect the /metrics endpoint by putting it behind auth.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
-  - manager_auth_proxy_patch.yaml
   # Enable webhook.
   - manager_webhook_patch.yaml
   # Inject certificate in the webhook definition.

bootstrap/kubeadm/config/manager/manager.yaml

@@ -20,7 +20,6 @@ spec:
         - /manager
         args:
         - "--leader-elect"
-        - "--metrics-bind-addr=127.0.0.1:8080"
         - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}"
         image: controller:latest
         name: manager

bootstrap/kubeadm/config/rbac/kustomization.yaml

@@ -4,6 +4,3 @@ resources:
 - service_account.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml

bootstrap/kubeadm/main.go

@@ -79,7 +79,7 @@ var (
 
 // InitFlags initializes this manager's flags.
 func InitFlags(fs *pflag.FlagSet) {
-	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080",
+	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080",
 		"The address the metric endpoint binds to.")
 
 	fs.BoolVar(&enableLeaderElection, "leader-elect", false,

cmd/clusterctl/client/init_test.go

@@ -80,7 +80,6 @@ func Test_clusterctlClient_InitImages(t *testing.T) {
 				kubeconfigContext:      "mgmt-context",
 			},
 			expectedImages: []string{
-				"gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0",
 				"k8s.gcr.io/cluster-api-aws/cluster-api-aws-controller:v0.5.3",
 			},
 			wantErr: false,
@@ -796,8 +795,6 @@ spec:
   template:
     spec:
       containers:
-      - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
-        name: kube-rbac-proxy
       - image: k8s.gcr.io/cluster-api-aws/cluster-api-aws-controller:v0.5.3
         name: manager
         volumeMounts:

cmd/clusterctl/internal/util/objs_test.go

@@ -78,10 +78,6 @@ func Test_inspectImages(t *testing.T) {
 												"name":  controllerContainerName,
 												"image": "gcr.io/k8s-staging-cluster-api/cluster-api-controller:master",
 											},
-											{
-												"name":  "kube-rbac-proxy",
-												"image": "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0",
-											},
 										},
 									},
 								},
@@ -90,7 +86,7 @@ func Test_inspectImages(t *testing.T) {
 					},
 				},
 			},
-			want:    []string{"gcr.io/k8s-staging-cluster-api/cluster-api-controller:master", "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0"},
+			want:    []string{"gcr.io/k8s-staging-cluster-api/cluster-api-controller:master"},
 			wantErr: false,
 		},
 		{

config/default/kustomization.yaml

@@ -19,10 +19,6 @@ patchesStrategicMerge:
 # Provide customizable hook for make targets.
 - manager_image_patch.yaml
 - manager_pull_policy.yaml
-# Protect the /metrics endpoint by putting it behind auth.
-# Only one of manager_auth_proxy_patch.yaml and
-# manager_prometheus_metrics_patch.yaml should be enabled.
-- manager_auth_proxy_patch.yaml
 # Enable webhook.
 - manager_webhook_patch.yaml
 # Inject certificate in the webhook definition.

config/manager/manager.yaml

@@ -21,7 +21,6 @@ spec:
         - /manager
         args:
         - "--leader-elect"
-        - "--metrics-bind-addr=127.0.0.1:8080"
         - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false}"
         image: controller:latest
         name: manager

config/rbac/kustomization.yaml

@@ -7,6 +7,3 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 - aggregated_role.yaml
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml

controlplane/kubeadm/config/default/kustomization.yaml

@@ -19,10 +19,6 @@ patchesStrategicMerge:
   # Provide customizable hook for make targets.
   - manager_image_patch.yaml
   - manager_pull_policy.yaml
-  # Protect the /metrics endpoint by putting it behind auth.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
-  - manager_auth_proxy_patch.yaml
   # Enable webhook.
   - manager_webhook_patch.yaml
   # Inject certificate in the webhook definition.

controlplane/kubeadm/config/manager/manager.yaml

@@ -20,7 +20,6 @@ spec:
         - /manager
         args:
         - "--leader-elect"
-        - "--metrics-bind-addr=127.0.0.1:8080"
         image: controller:latest
         name: manager
         ports:

controlplane/kubeadm/config/rbac/kustomization.yaml

@@ -4,10 +4,4 @@ resources:
 - service_account.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 3 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
 - aggregated_role.yaml

controlplane/kubeadm/main.go

@@ -79,7 +79,7 @@ var (
 
 // InitFlags initializes the flags.
 func InitFlags(fs *pflag.FlagSet) {
-	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080",
+	fs.StringVar(&metricsBindAddr, "metrics-bind-addr", "localhost:8080",
 		"The address the metric endpoint binds to.")
 
 	fs.BoolVar(&enableLeaderElection, "leader-elect", false,

docs/book/src/developer/providers/implementers-guide/configure.md

@@ -43,15 +43,6 @@ And then, we have to add that patch to [`config/kustomization.yaml`][kustomizeya
 ```yaml
 patchesStrategicMerge
 - manager_image_patch.yaml
-# Protect the /metrics endpoint by putting it behind auth.
-# Only one of manager_auth_proxy_patch.yaml and
-# manager_prometheus_metrics_patch.yaml should be enabled.
-- manager_auth_proxy_patch.yaml
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, uncomment the following line and
-# comment manager_auth_proxy_patch.yaml.
-# Only one of manager_auth_proxy_patch.yaml and
-# manager_prometheus_metrics_patch.yaml should be enabled.
 - manager_config.yaml
 ```