Pull requests #7867 and #7953 switched from the core Events API to the
new `events.k8s.io` API group but we forgot to update the RBAC
permissions of the prometheus-operator Service Account and the
verification which happens during the startup.
Closes #8076
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
This commit ensures that the operator's Service Account has the expected
permissions to manage status subresources when the
`StatusForConfigurationResources` feature gate is enabled.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
For the admission webhook, the default is legacy validation.
Assisted-By: Cursor
Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
Co-authored-by: Simon Pasquier <spasquie@redhat.com>
* feat: add configurable sync period for kubelet endpoints controller
Add --kubelet-sync-period flag to allow customization of how often
the kubelet endpoints controller syncs with the Kubernetes API.
Default remains 3 minutes to maintain backward compatibility.
---------
Co-authored-by: Donghee Jeong <danny253@naver.com>
Co-authored-by: 정동희 <danny253@neowiz.com>
This is for GitHub issue #7494.
Adds a startup probe to the config-reloader sidecar for Prometheus containers.
Only takes effect if the `--enable-config-reloader-probes` flag is set on the
prometheus-operator pod for the config-reloader container.
* feat: support EndpointSlice for the kubelet controller
This change adds support for managing `EndpointSlice` objects for the
kubelet service. The controller can manage either `Endpoints` or
`EndpointSlice` objects, or both.
The migration path can be:
1. Configure the operator to manage both objects in the kubelet controller.
2. Verify that the generated `EndpointSlice` objects are correct.
3. Configure the Prometheus object to use the `EndpointSlice` role instead of `Endpoints`.
4. Configure the operator to manage only `Endpoints` objects in the kubelet controller.
The removal of the legacy `Endpoints` object is left to the user.
---------
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
PR #6890 removed the final bits from go-kit/log in the operator code
base but forgot to redirect the klog logs to the new slog logger.
`ResourceReconciler` has a dependency on klog because it uses
`utilruntime.HandleError()` when it fails to sync a resource. As a
consequence, the operator didn't log reconciliation failures anymore.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
This change introduces functional options for all 4 controllers
(previously only Prometheus used them).
It also reduces code duplication regarding API version checks.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* cmd: Add secret label selector to filter secrets to watch
This commit adds a flag for a secret label selector so users can use labels to filter the secrets that prometheus-operator watches. This reduces calls to kube-apiserver.
Fixes #6610 (Exclude irrelevant certs/tls secrets watch in monitoring namespace)
This change also moves the feature gates to the operator config struct.
It means that after a feature gate is enabled/disabled, the operator
will reconcile the managed Prometheus resources which should be the
right thing to do.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* operator cmd: check if controllers' CRDs are supplied
Only start each controller when its CRD is provided, and fail the operator if no controllers start.
Fixes #6140
* Nit
* Resolve reviews
* Add a flag to set node address priority
Currently internal node addresses are prioritized over external addresses. This adds a flag to allow users to freely set node address priority (internal/external). This is helpful for use cases where node internal addresses exist but are not routable.
Fixes #3247
* feat: emit events for invalid configurations
Emit events when the controller rejects a resource, owing to an invalid
configuration.
Fixes: #3611
Signed-off-by: Pranshu Srivastava <rexagod@gmail.com>
* Decouple event recorder from operator metrics
Signed-off-by: Arthur Silva Sens <arthur.sens@coralogix.com>
* Only emit events if permissions were given
Signed-off-by: Arthur Silva Sens <arthur.sens@coralogix.com>
* Keep operator name consistent across telemetry
Signed-off-by: Arthur Silva Sens <arthur.sens@coralogix.com>
* Address comments
Signed-off-by: Arthur Silva Sens <arthur.sens@coralogix.com>
---------
Signed-off-by: Pranshu Srivastava <rexagod@gmail.com>
Signed-off-by: Arthur Silva Sens <arthur.sens@coralogix.com>
Co-authored-by: Pranshu Srivastava <rexagod@gmail.com>
This commit moves the Kubelet endpoints reconciliation loop from the
Prometheus controller to a separate controller.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* Share parsing for the logging flags across all binaries.
* Refactor and share the web server implementation between the operator
and the admission webhook.
* Refactor controller configuration structs to include only the required
parameters.
* Parse label and field selector arguments early instead of doing it in
each controller.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
This change mitigates CVE-2023-44487 by disabling HTTP2 by default and
forcing HTTP/1.1 until the Go standard library and golang.org/x/net are
fully fixed. Right now, it is possible for authenticated and
unauthenticated users to hold open HTTP2 connections and consume huge
amounts of memory.
It is possible to revert this change by using the
`--web.enable-http2` argument.
Before this change:
```
curl -kv https://localhost:8443/metrics
* Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
[...]
* ALPN: server accepted h2
[...]
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /metrics]
* h2h3 [:scheme: https]
* h2h3 [:authority: localhost:8443]
* h2h3 [user-agent: curl/8.0.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5594d4614b10)
[...]
> GET /metrics HTTP/2
[...]
```
After this change:
```
curl -kv https://localhost:8443/metrics
* Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
[...]
* ALPN: server accepted http/1.1
[...]
* using HTTP/1.1
> GET /metrics HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/8.0.1
> Accept: */*
[...]
< HTTP/1.1 200 OK
[...]
```
See also:
* https://github.com/kubernetes/kubernetes/pull/121120
* https://github.com/kubernetes/kubernetes/issues/121197
* https://github.com/golang/go/issues/63417#issuecomment-1758858612
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
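As an added illustration (not the operator's own code), the `--web.enable-http2` switch described above can be implemented with net/http's documented TLSNextProto mechanism; the loopback ALPN probe reproduces the curl observation in code. The certificate is a throwaway self-signed one constructed for the example, and `newWebServer`/`negotiatedProto` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"net/http"
	"time"
)

// newWebServer mirrors the operator's --web.enable-http2 switch. When HTTP/2 is off
// (the default), TLSNextProto is an empty, non-nil map, which the net/http docs define
// as "do not enable HTTP/2 automatically", and ALPN only offers http/1.1.
func newWebServer(enableHTTP2 bool, cert tls.Certificate) *http.Server {
	srv := &http.Server{Handler: http.NotFoundHandler(), TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}}
	if !enableHTTP2 {
		srv.TLSConfig.NextProtos = []string{"http/1.1"}
		srv.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
	}
	return srv
}

// negotiatedProto serves a throwaway self-signed loopback certificate (constructed here),
// dials it offering h2 and http/1.1 as curl does, and returns the protocol the server chose.
func negotiatedProto(enableHTTP2 bool) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	srv := newWebServer(enableHTTP2, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv})
	go srv.ServeTLS(ln, "", "") // no files needed: the certificate comes from TLSConfig
	defer srv.Close()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"h2", "http/1.1"}})
	if err != nil {
		return "", err
	}
	return conn.ConnectionState().NegotiatedProtocol, conn.Close()
}
```

With the default, `negotiatedProto(false)` yields "http/1.1" even though the client offered h2, matching the "after" curl trace; `negotiatedProto(true)` yields "h2".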
client-go functions can avoid costly logging evaluations by using this
pattern:
```
if klog.V(2).Enabled() { klog.Info("log this") }
```
With this change, the klog verbosity is set to zero (except at debug log
level where it is 6) to ensure that the performance optimization is
preserved.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>