Remove dependency on kube-rbac-proxy.

config/default/manager_auth_proxy_patch.yaml

@@ -1,5 +1,5 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# This patch configures the controller manager to expose metrics securely
+# using controller-runtime's built-in authentication and authorization.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -25,31 +25,13 @@ spec:
                   values:
                     - linux
       containers:
-      - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+      - name: manager
         args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=0"
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=:8443"
+        - "--metrics-secure"
+        - "--leader-elect"
         ports:
         - containerPort: 8443
           protocol: TCP
           name: https
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-      - name: manager
-        args:
-        - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=127.0.0.1:8080"
-        - "--leader-elect"

config/rbac/auth_proxy_service.yaml

@@ -5,7 +5,7 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: service
     app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: manager
     app.kubernetes.io/created-by: jobs-manager-operator
     app.kubernetes.io/part-of: jobs-manager-operator
     app.kubernetes.io/managed-by: kustomize

config/rbac/kustomization.yaml

@@ -9,9 +9,8 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+# The following resources configure RBAC for secure metrics
+# using controller-runtime's built-in authentication/authorization.
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml