Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider using NetworkPolicies to allow/deny access to the CSI-driver sidecar #643

Open
Madhu-1 opened this issue Aug 16, 2024 · 1 comment · May be fixed by #721
Open

Consider using NetworkPolicies to allow/deny access to the CSI-driver sidecar #643

Madhu-1 opened this issue Aug 16, 2024 · 1 comment · May be fixed by #721

Comments

@Madhu-1
Copy link
Member

Madhu-1 commented Aug 16, 2024

the kube-proxy container has a warning for insecure access kubernetes-sigs/kubebuilder#3899, we need to adopt as per https://github.com/kubernetes-sigs/kubebuilder/blob/master/designs/discontinue_usage_of_kube_rbac_proxy.md

@nixpanic
Copy link
Collaborator

Fome rge summary:

Existing users are encouraged to switch to images hosted by the project on quay.io OR to adapt their projects to utilize Network Policies, following the updated scaffold guidelines.

NetworkPolicies would require additional configuration on the deployment by users. They need to open-up the port of the CSI-Addons sidecar that is running as part of their CSI-driver. This requires a bit more consideration than replacing the container-image repository.

nixpanic added a commit to nixpanic/kubernetes-csi-addons that referenced this issue Aug 16, 2024
kube-rbac-proxy was pulled from the Google Container Registry, and
Kubernetes managed projects prefer not to use that anymore.

The container-image is (for now, still) maintained outside of the
Kubernetes project, and it is recommended to pull it from quay.io.

While validating the container-image location, it seems that there is a
new version available. Now also using the latest v0.18.0.

Updates: csi-addons#643
Signed-off-by: Niels de Vos <[email protected]>
@nixpanic nixpanic changed the title adopt to new kube-proxy changes Consider using NetworkPolicies to allow/deny access to the CSI-driver sidecar Aug 16, 2024
mergify bot pushed a commit that referenced this issue Aug 16, 2024
kube-rbac-proxy was pulled from the Google Container Registry, and
Kubernetes managed projects prefer not to use that anymore.

The container-image is (for now, still) maintained outside of the
Kubernetes project, and it is recommended to pull it from quay.io.

While validating the container-image location, it seems that there is a
new version available. Now also using the latest v0.18.0.

Updates: #643
Signed-off-by: Niels de Vos <[email protected]>
Rakshith-R pushed a commit to Rakshith-R/kubernetes-csi-addons that referenced this issue Sep 13, 2024
kube-rbac-proxy was pulled from the Google Container Registry, and
Kubernetes managed projects prefer not to use that anymore.

The container-image is (for now, still) maintained outside of the
Kubernetes project, and it is recommended to pull it from quay.io.

While validating the container-image location, it seems that there is a
new version available. Now also using the latest v0.18.0.

Updates: csi-addons#643
Signed-off-by: Niels de Vos <[email protected]>
black-dragon74 added a commit to black-dragon74/kubernetes-csi-addons that referenced this issue Dec 4, 2024
This patch drops support for kube-rbac-proxy
and uses controller manager's
WithAuthenticationAndAuthorization.

Closes: csi-addons#643

Signed-off-by: Niraj Yadav <[email protected]>
@black-dragon74 black-dragon74 linked a pull request Dec 4, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants