perses · slashpai · Mar 19, 2026
@@ -10595,7 +10595,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/instance: metrics-reader
     app.kubernetes.io/name: clusterrole
@@ -10611,7 +10611,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/instance: proxy-role
     app.kubernetes.io/name: clusterrole
@@ -10674,7 +10674,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/instance: proxy-rolebinding
     app.kubernetes.io/name: clusterrolebinding
@@ -10693,7 +10693,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/instance: controller-manager-metrics-service
     app.kubernetes.io/name: service
@@ -10770,7 +10770,8 @@ spec:
       containers:
       - args:
         - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8082
+        - --metrics-bind-address=:8443
+        - --metrics-secure=true
         - --leader-elect
         image: docker.io/persesdev/perses-operator:v0.3.2
         imagePullPolicy: Always
@@ -10785,6 +10786,9 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
+        - containerPort: 8443
+          name: https
+          protocol: TCP
         readinessProbe:
           httpGet:
             path: /readyz
@@ -10807,29 +10811,6 @@ spec:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8082/
-        - --logtostderr=true
-        - --v=0
-        image: quay.io/brancz/kube-rbac-proxy:v0.21.0
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
       serviceAccountName: perses-operator-controller-manager
       terminationGracePeriodSeconds: 10
       volumes:

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -28,7 +28,7 @@ patches:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- path: manager_auth_proxy_patch.yaml
+- path: manager_metrics_patch.yaml
 
 
 

diff --git a/config/default/manager_auth_proxy_patch.yaml → config/default/manager_metrics_patch.yaml b/config/default/manager_auth_proxy_patch.yaml → config/default/manager_metrics_patch.yaml
@@ -1,5 +1,6 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the manager to serve the /metrics endpoint
+# with authentication and authorization using controller-runtime's
+# built-in SecureServing and FilterProvider.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -25,31 +26,13 @@ spec:
                   values:
                     - linux
       containers:
-      - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - "ALL"
-        image: quay.io/brancz/kube-rbac-proxy:v0.21.0
+      - name: manager
         args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8082/"
-        - "--logtostderr=true"
-        - "--v=0"
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=:8443"
+        - "--metrics-secure=true"
+        - "--leader-elect"
         ports:
         - containerPort: 8443
           protocol: TCP
           name: https
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-      - name: manager
-        args:
-        - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=127.0.0.1:8082"
-        - "--leader-elect"
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/part-of: perses-operator
   name: metrics-reader

diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/part-of: perses-operator
   name: proxy-role

diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: clusterrolebinding
     app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/part-of: perses-operator
   name: proxy-rolebinding

diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
@@ -5,7 +5,7 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: service
     app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: metrics
     app.kubernetes.io/created-by: perses-operator
     app.kubernetes.io/part-of: perses-operator
   name: controller-manager-metrics-service

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -10,8 +10,7 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+# the authn/authz protection of the /metrics endpoint.
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml