

Adapt NetworkPolicys according to recent refactorings (#581)
* Revendor gardener/gardener@1.66

* Pass webhook server namespace to ControlPlane controller

* Allow extension to talk to its runtime cluster

* Allow extension to talk to all shoot kube-apiservers

This is needed for the health check of the `Worker` resource.

* Allow extension to reach out to provider-specific APIs

* Allow access to extension webhook port from world

* Allow extension to be scraped from `seed-prometheus`

* [make generate]

* Adapt `to-shoot-apiserver` policy

* Adapt `to-runtime` policy

* Adapt `from-shoot-apiserver` policy

* Adapt `from-prometheus` policy
ScheererJ authored Mar 14, 2023
1 parent e49d4e0 commit 62c8f28
Showing 118 changed files with 6,682 additions and 5,452 deletions.
Expand Up @@ -34,6 +34,11 @@ spec:
prometheus.io/port: "{{ .Values.metricsPort }}"
{{- end }}
labels:
networking.gardener.cloud/to-runtime-apiserver: allowed
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-private-networks: allowed
networking.resources.gardener.cloud/to-all-shoots-kube-apiserver-tcp-443: allowed
{{ include "labels" . | indent 8 }}
spec:
priorityClassName: gardener-system-900
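Review bot: The label pair `networking.gardener.cloud/to-public-networks: allowed` and `networking.gardener.cloud/to-private-networks: allowed` on L46–L47 together permits egress to effectively any address, while the description only names the runtime cluster, the shoot kube-apiservers and the provider APIs as reasons, all of which the other three labels plus `to-public-networks` already cover. If nothing in the extension needs private-range destinations, `to-private-networks` should be dropped; if something does, a comment above the labels naming that consumer would keep the grant from being copied blindly, e.g. `# to-private-networks: required by <consumer — fill in>`. The enclosing pod template starts and continues outside the hunk.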
Expand Up @@ -3,8 +3,13 @@ kind: Service
metadata:
name: {{ include "name" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.ignoreResources }}
annotations:
networking.resources.gardener.cloud/from-world-to-ports: '[{"protocol":"TCP","port":{{ .Values.webhookConfig.serverPort }}}]'
networking.resources.gardener.cloud/from-policy-pod-label-selector: all-seed-scrape-targets
networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":{{ .Values.metricsPort }},"protocol":"TCP"}]'
networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
networking.resources.gardener.cloud/pod-label-selector-namespace-alias: extensions
{{- if .Values.ignoreResources }}
resources.gardener.cloud/ignore: "true"
{{- end }}
labels:
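Review bot: The JSON-valued annotations on L60, L62 and L63 are built by string interpolation, so an unset `.Values.webhookConfig.serverPort` or `.Values.metricsPort` renders to `"port":}` — an annotation that fails to parse at runtime rather than a failed render. Wrapping the values as `{{ required "webhookConfig.serverPort must be set" .Values.webhookConfig.serverPort }}` (and likewise for `metricsPort`) makes the chart fail at render time instead, assuming the renderer used for this chart supports `required`. The `from-world-to-ports` annotation on L60 deliberately exposes the webhook port to any source; a one-line comment above it stating which callers need that reach would document the decision for whoever later tightens these policies.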
Expand Up @@ -28,9 +28,8 @@ spec:
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-private-networks: allowed
networking.gardener.cloud/to-seed-apiserver: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/from-prometheus: allowed
networking.gardener.cloud/to-runtime-apiserver: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
Expand Up @@ -6,6 +6,9 @@ metadata:
labels:
app: kubernetes
role: machine-controller-manager
annotations:
networking.resources.gardener.cloud/from-policy-pod-label-selector: all-scrape-targets
networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":{{ .Values.metricsPort }},"protocol":"TCP"}]'
spec:
type: ClusterIP
clusterIP: None
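Review bot: The `from-policy-allowed-ports` annotation on L91 passes the port as a JSON number, whereas the same annotation on the cloud-controller-manager Service (L103) passes it as the string `"port":"10258"`. If the consumer decodes these into a networking.k8s.io `NetworkPolicyPort` (an IntOrString), the quoted form is a named port rather than the number 10258 and the generated ingress rule would match nothing, silently breaking scraping of that component. Either confirm the parser accepts a numeric string or change L103 to `'[{"port":10258,"protocol":"TCP"}]'` so both Services use the same form.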
Expand Up @@ -6,6 +6,9 @@ metadata:
labels:
app: kubernetes
role: cloud-controller-manager
annotations:
networking.resources.gardener.cloud/from-policy-pod-label-selector: all-scrape-targets
networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":"10258","protocol":"TCP"}]'
spec:
type: ClusterIP
clusterIP: None
Expand Up @@ -27,9 +27,8 @@ spec:
role: cloud-controller-manager
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/to-alicloud-networks: allowed
networking.gardener.cloud/from-prometheus: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
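Review bot: The custom label `networking.gardener.cloud/to-alicloud-networks: allowed` is retained on L114 and again on L127 of the csi-plugin-controller hunk, but it only has effect while a NetworkPolicy selecting it exists; this commit deletes a file (see "This file was deleted" below) and reworks the other policies, so it is worth confirming that the policy behind `to-alicloud-networks` survives, otherwise egress to the provider API from these pods would be silently denied. If it remains, a short comment next to the label naming the policy it binds to would help, e.g. `# matched by the to-alicloud-networks NetworkPolicy in this chart`.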
Expand Up @@ -26,8 +26,8 @@ spec:
role: csi-plugin-controller
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/to-alicloud-networks: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
spec:
automountServiceAccountToken: false
priorityClassName: gardener-system-300
Expand Up @@ -24,7 +24,7 @@ spec:
app: csi-snapshot-controller
role: controller
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
spec:
automountServiceAccountToken: false
priorityClassName: gardener-system-200
Expand Up @@ -19,7 +19,6 @@ spec:
{{- end }}
labels:
app: snapshot-validation
networking.gardener.cloud/from-shoot-apiserver: allowed
spec:
priorityClassName: gardener-system-200
containers:
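Review bot: Removing `networking.gardener.cloud/from-shoot-apiserver: allowed` on L149 drops the ingress allowance from the shoot kube-apiserver to the snapshot-validation pods, and nothing in this hunk replaces it. The description's "Adapt `from-shoot-apiserver` policy" item suggests the replacement lives elsewhere (presumably an annotation on the snapshot-validation Service), but that file is not in view. If no equivalent `from-policy-*` or from-world annotation selects these pods, the validating webhook becomes unreachable and, depending on its failure policy, may block snapshot objects in the shoot; worth verifying against the rendered policies.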

This file was deleted.

1 change: 1 addition & 0 deletions cmd/gardener-extension-provider-alicloud/app/app.go
Expand Up @@ -238,6 +238,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
return fmt.Errorf("could not add webhooks to manager: %w", err)
}
alicloudcontrolplane.DefaultAddOptions.ShootWebhookConfig = atomicShootWebhookConfig
alicloudcontrolplane.DefaultAddOptions.WebhookServerNamespace = webhookOptions.Server.Namespace

if err := controllerSwitches.Completed().AddToManager(mgr); err != nil {
return fmt.Errorf("could not add controllers to manager: %w", err)
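Review bot: `webhookOptions.Server.Namespace` is copied into `alicloudcontrolplane.DefaultAddOptions.WebhookServerNamespace` on L163 without checking that it is set; if the option is left empty the ControlPlane controller would operate with an empty namespace, which is harder to diagnose than a startup error. Unless the webhook options are already validated when they are completed, a guard such as `if webhookOptions.Server.Namespace == "" { return fmt.Errorf("webhook server namespace must be set") }` placed before L163 fails fast with a clear message. `NewControllerManagerCommand` starts before and continues after this hunk.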
