[Deprecation] Removal of options and features that don't fit with upstream

[ibihim]

What

We will remove the following options in the v1 release:

1. --tls-reload-interval as this option is not supported by upstream,
2. insecure-listen-addresss won't work anymore and
3. tls-cert-file == nil and tls-private-key-file == nil won't work any more, TLS is now mandatory.

Why

1.

We were asked to use the upstream cert loader, which doesn't support custom intervals.

2. and 3.

We are aware that we create obstacles in running kube-rbac-proxy for testing or debugging purposes.
But we reduce the probability for an insecure set up of kube-rbac-proxy, which is a security relevant component.

Running kube-rbac-proxy without TLS certificates, makes it possible to impersonate kube-rbac-proxy.

The reason that we remove that capability is a pre-acceptance requirement for kube-rbac-proxy, before we can donate the project so sig-auth of k8s.

Reference

• Sig-Auth Pre-Acceptance TODOs #169
• main.go: warning for --tls-reload-interval #197
• Sig-Auth Pre-Acceptance TODOs #169
• main.go: add warn logs when insecure opts in use #188
• [wip] remove insecure listen address #186
• [Deprecation] Removal of insecure options: --insecure-listen-addresss and unset --tls-cert-file, --tls-private-key-file #187

[camilamacedo86]

HI @ibihim,

Could you please add here how we should replace those flags to sort out the deprecation?

See that we are using:

- "--secure-listen-address=0.0.0.0:8443"
        - "--upstream=http://127.0.0.1:8080/"
        - "--logtostderr=true"
        - "--v=0" 

So, how it should be done now?

[ibihim]

I will add a README.md entry for this.