🚨 [Action Required] Transition Away from gcr.io/kubebuilder/kube-rbac-proxy

[Camila Macedo]

Hi Everyone,

The gcr.io/kubebuilder/kube-rbac-proxy image, historically used to secure metrics endpoints, will become unavailable.

Sometime in early 2025, the GCR will go away. Projects relying on it must migrate to avoid disruptions and ensure metrics endpoint security.

Key Update

• kube-rbac-proxy usage is discontinued from Kubebuilder and Operator-SDK.

• It’s replaced by the WithAuthenticationAndAuthorization feature in Controller-Runtime.

Why This Matters

• If your project depends on this image, it may no longer work if you need to pull the image once it becomes unavailable.

• Unprotected metrics endpoints may expose sensitive data, like system performance and app behaviour, creating security risks.

What You Need to Do

1. If you want to continue with kube-rbac-proxy:

• You can use an alternative image source at your own risk, e.g. kube-rbac-proxy repository.

2. If you want to switch to use WithAuthenticationAndAuthorization:

• Option 1: Upgrade your project using the latest release version of the tools. By default secure metrics handling (similar to kube-rbac-proxy).

Additionally, there are options to improve production readiness, such as configuring certificates.

This approach also allows you to take advantage of other improvements, bug fixes, and embrace the advancements.

• Option 2: Manually change it (details here).

For more information and guidance, see the FAQ and discussion.

Thank you for your attention, 

CAMILA MACEDO

Principal Software Engineer 

RED HAT Operator framework

Red Hat UK

She / Her / Hers

IM: cmacedo

I respect your work-life balance. Therefore, you do not need to answer this email outside of your office hours.