
Adapt NetworkPolicys according to recent refactorings #581

Merged
merged 12 commits into from
Mar 14, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,11 @@ spec:
prometheus.io/port: "{{ .Values.metricsPort }}"
{{- end }}
labels:
networking.gardener.cloud/to-runtime-apiserver: allowed
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-private-networks: allowed
networking.resources.gardener.cloud/to-all-shoots-kube-apiserver-tcp-443: allowed
{{ include "labels" . | indent 8 }}
spec:
priorityClassName: gardener-system-900
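Review bot: the five new pod labels give this single extension deployment a very wide egress allow-list at once, `to-public-networks`, `to-private-networks`, `to-dns`, `to-runtime-apiserver` and `to-all-shoots-kube-apiserver-tcp-443`. Labels are added here without a comment saying which flow needs which label, so please list the concrete consumers in the PR description (or a comment above the block) and drop any label that is only carried over from the old policy set; in particular `to-private-networks: allowed` together with `to-public-networks: allowed` covers essentially all IP space and should be justified separately.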
Expand Up @@ -3,8 +3,13 @@ kind: Service
metadata:
name: {{ include "name" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.ignoreResources }}
annotations:
networking.resources.gardener.cloud/from-world-to-ports: '[{"protocol":"TCP","port":{{ .Values.webhookConfig.serverPort }}}]'
networking.resources.gardener.cloud/from-policy-pod-label-selector: all-seed-scrape-targets
networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":{{ .Values.metricsPort }},"protocol":"TCP"}]'
networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
networking.resources.gardener.cloud/pod-label-selector-namespace-alias: extensions
{{- if .Values.ignoreResources }}
resources.gardener.cloud/ignore: "true"
{{- end }}
labels:
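Review bot: `networking.resources.gardener.cloud/from-world-to-ports` opens the webhook server port (`.Values.webhookConfig.serverPort`) to any source, while the metrics port on the same Service is narrowed to the `all-seed-scrape-targets` selector and a `namespace-selectors` entry restricted to `garden`. If the only callers of the webhook are API servers inside the seed, a selector-based ingress annotation would be tighter than `from-world`; if world access really is required, add a short comment next to the annotation saying why. Also note this Service names the scrape alias `all-seed-scrape-targets`, whereas the control-plane Services in this PR use `all-scrape-targets`; confirm the two aliases are meant to differ rather than being a typo.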
Expand Up @@ -28,9 +28,8 @@ spec:
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-private-networks: allowed
networking.gardener.cloud/to-seed-apiserver: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/from-prometheus: allowed
networking.gardener.cloud/to-runtime-apiserver: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
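Review bot: `from-prometheus: allowed` is removed from the machine-controller-manager pod labels with no ingress label put in its place; scraping now depends entirely on the `from-policy-allowed-ports` annotation on the corresponding Service, which is keyed on `.Values.metricsPort`. Please confirm that the Service selector matches these pod labels and that `.Values.metricsPort` equals the container port that actually serves metrics, because a mismatch there is not caught at render time and only shows up as silently missing scrape data.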
Expand Up @@ -6,6 +6,9 @@ metadata:
labels:
app: kubernetes
role: machine-controller-manager
annotations:
networking.resources.gardener.cloud/from-policy-pod-label-selector: all-scrape-targets
networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":{{ .Values.metricsPort }},"protocol":"TCP"}]'
spec:
type: ClusterIP
clusterIP: None
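Review bot: `{{ .Values.metricsPort }}` is interpolated unquoted inside a JSON string, so the annotation is only valid JSON while the value is numeric; a named port such as `metrics` would render `"port":metrics` and break parsing of `from-policy-allowed-ports`. Either quote the placeholder consistently (`"port":"{{ .Values.metricsPort }}"`) or document in values.yaml that the field must be a number.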
Expand Up @@ -6,6 +6,9 @@ metadata:
labels:
app: kubernetes
role: cloud-controller-manager
annotations:
networking.resources.gardener.cloud/from-policy-pod-label-selector: all-scrape-targets
networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":"10258","protocol":"TCP"}]'
spec:
type: ClusterIP
clusterIP: None
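Review bot: the cloud-controller-manager Service hard-codes its port as the JSON string `"10258"`, while the machine-controller-manager Service in this PR renders the port as a bare number from `{{ .Values.metricsPort }}`. Use one representation for both annotations and prefer a chart value over the literal, so the two are processed identically by whatever consumes `from-policy-allowed-ports`; if that consumer expects a numeric port, the quoted form may be rejected.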
Expand Up @@ -27,9 +27,8 @@ spec:
role: cloud-controller-manager
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/to-alicloud-networks: allowed
networking.gardener.cloud/from-prometheus: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
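Review bot: `to-alicloud-networks: allowed` is kept next to `to-public-networks: allowed`. If the Alicloud API endpoints this controller talks to are already reachable under the public-networks policy, the extra label is dead and should go; if they are not (for example private endpoints), add a comment explaining the distinction so the next refactoring does not remove the wrong one.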
Expand Up @@ -26,8 +26,8 @@ spec:
role: csi-plugin-controller
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/to-alicloud-networks: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
spec:
automountServiceAccountToken: false
priorityClassName: gardener-system-300
Expand Up @@ -24,7 +24,7 @@ spec:
app: csi-snapshot-controller
role: controller
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
spec:
automountServiceAccountToken: false
priorityClassName: gardener-system-200
Expand Up @@ -19,7 +19,6 @@ spec:
{{- end }}
labels:
app: snapshot-validation
networking.gardener.cloud/from-shoot-apiserver: allowed
spec:
priorityClassName: gardener-system-200
containers:
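Review bot: `networking.gardener.cloud/from-shoot-apiserver: allowed` is deleted from the snapshot-validation pod labels and nothing in this hunk replaces it. The shoot kube-apiserver has to reach this validating webhook, so the ingress must now be granted elsewhere (presumably an annotation on the snapshot-validation Service, which is not part of the visible diff). Please point to that change in the PR; if it is missing, the webhook becomes unreachable and snapshot object admission will fail or be skipped depending on its failure policy.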

This file was deleted.

1 change: 1 addition & 0 deletions cmd/gardener-extension-provider-alicloud/app/app.go
Expand Up @@ -238,6 +238,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
return fmt.Errorf("could not add webhooks to manager: %w", err)
}
alicloudcontrolplane.DefaultAddOptions.ShootWebhookConfig = atomicShootWebhookConfig
alicloudcontrolplane.DefaultAddOptions.WebhookServerNamespace = webhookOptions.Server.Namespace

if err := controllerSwitches.Completed().AddToManager(mgr); err != nil {
return fmt.Errorf("could not add controllers to manager: %w", err)
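Review bot: `webhookOptions.Server.Namespace` is copied into `alicloudcontrolplane.DefaultAddOptions.WebhookServerNamespace` without any check that it is set, right after the webhook-registration error check. Since the controlplane controller now depends on this value, consider validating it is non-empty here (returning an error like the surrounding `could not add webhooks to manager` path) instead of letting an empty namespace surface later at runtime.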