Replace kube-rbac-proxy with controller-runtime built-in metrics auth #341

@slashpai

Component(s)

Other (please comment)

What is missing? Please describe.

The operator currently uses kube-rbac-proxy as a sidecar to protect the /metrics endpoint.

Kubebuilder has discontinued kube-rbac-proxy from its default scaffolding starting with v3.15.0 due to:

  • The gcr.io/kubebuilder/kube-rbac-proxy registry being deprecated (Google Container Registry shutdown)
  • kube-rbac-proxy not yet being accepted under the Kubernetes umbrella
  • controller-runtime now providing built-in metrics authentication and authorization

The image was recently migrated to quay.io/brancz/kube-rbac-proxy:v0.21.0 (#336) for CVE fixes, but we need to follow the Kubebuilder recommendation for better dependency management and alignment with the ecosystem.

Describe alternatives you've considered.

The recommended replacement is to use controller-runtime's SecureServing and WithAuthenticationAndAuthorization for the metrics endpoint, which the project already has available via controller-runtime v0.23.1.

Environment Information

Kubernetes Version: NA
Perses-Operator Version: v0.3.1
