⚠️ Action Required: Replace Deprecated gcr.io/kubebuilder/kube-rbac-proxy

[camilamacedo86]

This issue was raised because we found the imagegcr.io/kubebuilder/kube-rbac-proxyin the files of this repository.

Description

⚠️ The image gcr.io/kubebuilder/kube-rbac-proxy is deprecated and will become unavailable.
You must move as soon as possible, sometime from early 2025, the GCR will go away.

Unfortunately, we're unable to provide any guarantees regarding timelines or potential extensions at this time. Images provided under GRC will be unavailable from March 18, 2025, as per announcement. However, gcr.io/kubebuilder/ may be unavailable before this date due to efforts to deprecate infrastructure.

If your project is using gcr.io/kubebuilder/kube-rbac-proxy, it may fail to work when the image can no longer be pulled. If not, nothing is required, and you can close this issue.

Using the image gcr.io/kubebuilder/kube-rbac-proxy?

kube-rbac-proxy was historically used to protect the metrics endpoint. However, its usage has been discontinued in Kubebuilder. The default scaffold now leverages the WithAuthenticationAndAuthorization feature provided by Controller-Runtime.

This feature provides integrated support for securing metrics endpoints by embedding authentication (authn) and authorization (authz) mechanisms directly into the controller manager's metrics server, replacing the need for (https://github.com/brancz/kube-rbac-proxy) to secure metrics endpoints.

What To Do?

You must replace the deprecated image gcr.io/kubebuilder/kube-rbac-proxy with an alternative approach. For example:

• Update your project to use WithAuthenticationAndAuthorization:

  You can fully upgrade your project to use the latest scaffolding provided by the upstream versions of Operator-SDK or Kubebuilder tools or manually make the necessary changes. Refer to the FAQ and Discussion or migration guide for detailed instructions on how to manually update your project and test the changes.

• Alternatively, replace the image with another trusted source at your own risk, as its usage has been discontinued in Kubebuilder.

💡 The section How can I manually change my project to switch to Controller-Runtime's built-in auth protection? at FAQ provides guidance on how to manually update your projects and test it out.

For further information, suggestions, and guidance:

• 📖 FAQ and Discussion
• 💬 Join the Slack channel: #kubebuilder.

NOTE: This issue was opened automatically as part of our efforts to identify projects that might be affected and to raise awareness about this change within the community. If your project is no longer using this image, feel free to close this issue.

We sincerely apologize for any inconvenience this may cause.

Thank you for your cooperation and understanding! 🙏

[yaroslav-nakonechnikov]

just fyi: https://github.com/brancz/kube-rbac-proxy with this one splunk-operator still works.

[camilamacedo86]

HI @yaroslav-nakonechnikov

just fyi: https://github.com/brancz/kube-rbac-proxy with this one splunk-operator still works.

It still works because the image is deprecated and has not got away YET (gcr.io/kubebuilder/kube-rbac-proxy)
See; https://github.com/search?q=repo%3Asplunk%2Fsplunk-operator+gcr.io%2Fkubebuilder%2Fkube-rbac-proxy&type=code
You and your users will face problems when the image is unavailable. (as described above)

The issue was raised for you to be aware of, so change your solution and ensure that users do not use versions of it. Rely on this image before the problem is faced. If you do not make the required changes, you will see that your Operator will not work in ANY scenario where is required to fetch the image ( i.e. when it is not present in the node cache, new nodes, new deployments )

[yaroslav-nakonechnikov]

@camilamacedo86 please, don't mess official image with custom one.
as workaround you can still use custom one, i provided info for what we are using, as official is already too old and vulnerable.

i understand your ticket, it is absolutely valid.

[camilamacedo86]

Hi @yaroslav-nakonechnikov

Just to clarify The image gcr.io/kubebuilder/kube-rbac-proxy will go away
You are using it. See; https://github.com/search?q=repo%3Asplunk%2Fsplunk-operator+gcr.io%2Fkubebuilder%2Fkube-rbac-proxy&type=code

^ You indeed used IfNotPresent

repository: gcr.io/kubebuilder/kube-rbac-proxy
--
16 | pullPolicy: IfNotPresent
17 | tag: "v0.13.1"

For your helm charts. That means it will either break the working workload.

[yaroslav-nakonechnikov]

we are not using kubebuilder for several month already, we replaced it https://quay.io/repository/brancz/kube-rbac-proxy

[camilamacedo86]

Hi @yaroslav-nakonechnikov

I can see the image in the code base: See; https://github.com/search?q=repo%3Asplunk%2Fsplunk-operator+gcr.io%2Fkubebuilder%2Fkube-rbac-proxy&type=code

Either the path is enabled:

https://github.com/splunk/splunk-operator/blob/main/config/default/kustomization.yaml#L29-L34
https://github.com/splunk/splunk-operator/blob/main/config/default/manager_auth_proxy_patch.yaml#L28-L33

However, it is fine if you are confident that you will not be impacted by it and does not seem the reason for take any action, please feel free to close.

[vivekr-splunk]

Hello @camilamacedo86, thank you for raising this issue. we have plan to remove kube-rbac-proxy in 2.8.0 release