From 2d86bba2a9920871b070304b819a50acb134101c Mon Sep 17 00:00:00 2001
From: kkb0318
Date: Fri, 28 Jun 2024 20:27:01 +0900
Subject: [PATCH] remove unused proxy
---
 README.md | 2 +-
 charts/irsa-manager/README.md | 16 +-------------
 charts/irsa-manager/templates/deployment.yaml | 15 ------------
 charts/irsa-manager/values.yaml | 23 -------------------
 config/default/kustomization.yaml | 10 ++++----
 5 files changed, 7 insertions(+), 59 deletions(-)
diff --git a/README.md b/README.md
index d9226f1..70dec72 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ IRSA Manager allows you to easily set up IAM Roles for Service Accounts (IRSA) o
 IRSA (IAM Roles for Service Accounts) allows Kubernetes service accounts to assume AWS IAM roles. This is particularly useful for providing Kubernetes workloads with the necessary AWS permissions in a secure manner.
-For detailed guidelines on how irsa-manager works, please refer to the [**blog post**](https://medium.com/@kkb0318/simplify-aws-irsa-for-self-hosted-kubernetes-with-irsa-manager-c2fb2ecf88c5) post.
+For detailed guidelines on how irsa-manager works, please refer to the [**blog post**](https://medium.com/@kkb0318/simplify-aws-irsa-for-self-hosted-kubernetes-with-irsa-manager-c2fb2ecf88c5).
 ## Prerequisites
diff --git a/charts/irsa-manager/README.md b/charts/irsa-manager/README.md
index a244aa3..95ec85d 100644
--- a/charts/irsa-manager/README.md
+++ b/charts/irsa-manager/README.md
@@ -31,21 +31,7 @@ kubectl create secret generic aws-secret -n irsa-manager-system \
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| controllerManager.kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` | |
-| controllerManager.kubeRbacProxy.args[1] | string | `"--upstream=http://127.0.0.1:8080/"` | |
-| controllerManager.kubeRbacProxy.args[2] | string | `"--logtostderr=true"` | |
-| controllerManager.kubeRbacProxy.args[3] | string | `"--v=0"` | |
-| controllerManager.kubeRbacProxy.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
-| controllerManager.kubeRbacProxy.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
-| controllerManager.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | |
-| controllerManager.kubeRbacProxy.image.tag | string | `"v0.15.0"` | |
-| controllerManager.kubeRbacProxy.resources.limits.cpu | string | `"500m"` | |
-| controllerManager.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | |
-| controllerManager.kubeRbacProxy.resources.requests.cpu | string | `"5m"` | |
-| controllerManager.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | |
-| controllerManager.manager.args[0] | string | `"--health-probe-bind-address=:8081"` | |
-| controllerManager.manager.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` | |
-| controllerManager.manager.args[2] | string | `"--leader-elect"` | |
+| controllerManager.manager.args[0] | string | `"--leader-elect"` | |
 | controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
 | controllerManager.manager.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
 | controllerManager.manager.image.repository | string | `"ghcr.io/kkb0318/irsa-manager"` | |
diff --git a/charts/irsa-manager/templates/deployment.yaml b/charts/irsa-manager/templates/deployment.yaml
index e75b142..c75e3ce 100644
--- a/charts/irsa-manager/templates/deployment.yaml
+++ b/charts/irsa-manager/templates/deployment.yaml
@@ -23,21 +23,6 @@ spec:
 kubectl.kubernetes.io/default-container: manager
 spec:
 containers:
- - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
- env:
- - name: KUBERNETES_CLUSTER_DOMAIN
- value: {{ quote .Values.kubernetesClusterDomain }}
- image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag
- | default .Chart.AppVersion }}
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- protocol: TCP
- resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
- 10 }}
- securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
- | nindent 10 }}
 - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
 command:
 - /manager
diff --git a/charts/irsa-manager/values.yaml b/charts/irsa-manager/values.yaml
index d34311f..0af4024 100644
--- a/charts/irsa-manager/values.yaml
+++ b/charts/irsa-manager/values.yaml
@@ -1,29 +1,6 @@
 controllerManager:
- kubeRbacProxy:
- args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=0
- containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- image:
- repository: gcr.io/kubebuilder/kube-rbac-proxy
- tag: v0.15.0
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
 manager:
 args:
- - --health-probe-bind-address=:8081
- - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
 containerSecurityContext:
 allowPrivilegeEscalation: false
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index b11224b..4f0ac00 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -15,9 +15,9 @@ namePrefix: irsa-manager-
 # someName: someValue
 resources:
-- ../crd
-- ../rbac
-- ../manager
+ - ../crd
+ - ../rbac
+ - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
@@ -26,11 +26,11 @@ resources:
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
-patches:
+# patches:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+# - path: manager_auth_proxy_patch.yaml
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
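Review bot: With `- path: manager_auth_proxy_patch.yaml` commented out in the second hunk (`@@ -26,11 +26,11 @@`), nothing in this commit says where the manager's /metrics endpoint listens any more. The values.yaml hunk removes `--metrics-bind-address=127.0.0.1:8080` together with the proxy, so the bind address falls back to the default compiled into the manager, which this patch does not show; if that default is a wildcard address, /metrics would be reachable on the pod IP without the authn/z the proxy provided. I would pin it explicitly in both the chart's `controllerManager.manager.args` and the kustomize manager args: either `- --metrics-bind-address=127.0.0.1:8080` to keep it loopback-only, or `- --metrics-bind-address=0`, which controller-runtime treats as disabling the metrics server. The same question applies to the dropped `--health-probe-bind-address=:8081`, since the Deployment's probes (outside these hunks) presumably still target that port. The surviving comment `# Protect the /metrics endpoint by putting it behind auth.` now describes a patch that is no longer applied, so it should be reworded or removed along with the commented-out lines.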