
Commit 120d4e4

committed
address PR feedback
1 parent 75ece5c commit 120d4e4


9 files changed

+19
-38
lines changed


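--- a/.gitignore
+++ b/.gitignore
@@ -23,4 +23,3 @@ TODO
 
 vendor
 out
-certs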

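--- a/Makefile
+++ b/Makefile
@@ -42,11 +42,7 @@ run:
 ./cmd/$(EXTENSION_PREFIX)-$(NAME) \
 --kubeconfig=${KUBECONFIG} \
 --ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
---leader-election=$(LEADER_ELECTION) \
---webhook-config-mode=url \
---webhook-config-url="host.docker.internal:9443" \
---webhook-config-cert-dir=example/certs \
---webhook-config-server-port=9443
+--leader-election=$(LEADER_ELECTION)
 
 .PHONY: debug
 debug: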

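--- a/README.md
+++ b/README.md
@@ -48,6 +48,8 @@ Broadly speaking, there are two different external traffic flows:
 1. Kubernetes API Listener (via SNI name)
 2. Apiserver-Proxy / Reversed-VPN Listener
 
+*Please note that this changed with [GEP-30](https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md) as the dedicated Kubernetes Service Listener for the apiserver-proxy was removed.*
+
 These ways are described in more detail in the aforementioned GEP. Essentially,
 these two ways are all represented by a specific Envoy listener with filters.
 The extension needs to hook into each of these filters (and their filter chains)
@@ -67,10 +69,6 @@ require a unique way of handling them, respectively.
 but also an "inverted" policy which matches all shoots that don't have ACL
 enabled. All these policies are then put in a single EnvoyFilter patch.
 
-![Listener Overview](./docs/listener-overview.svg)
-
-*Please note that the `Kubernetes Service Listener` doesn't exist anymore in current versions of Gardener.*
-
 Because of the last point, we currently see no way of allowing the user to
 define multiple rules of different action types (`ALLOW` or `DENY`). Instead, we
 only support a single `ALLOW` rule per shoot, which is in our opinion the best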

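--- a/charts/gardener-extension-acl/templates/deployment.yaml
+++ b/charts/gardener-extension-acl/templates/deployment.yaml
@@ -5,6 +5,7 @@ metadata:
 name: {{ include "name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+high-availability-config.resources.gardener.cloud/type: controller
 {{ include "labels" . | indent 4 }}
 spec:
 revisionHistoryLimit: 0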

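--- a/charts/gardener-extension-acl/templates/rbac.yaml
+++ b/charts/gardener-extension-acl/templates/rbac.yaml
@@ -133,6 +133,7 @@ rules:
 - create
 - update
 - patch
+- delete
 - apiGroups:
 - networking.istio.io
 resources: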

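--- a/cmd/gardener-extension-acl/app/app.go
+++ b/cmd/gardener-extension-acl/app/app.go
@@ -24,7 +24,9 @@ import (
 "github.com/spf13/cobra"
 istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
 istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 corev1 "k8s.io/api/core/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/manager"
@@ -103,6 +105,17 @@ func (o *Options) run(ctx context.Context) error {
 return fmt.Errorf("could not add controllers to manager: %s", err)
 }
 
+// TODO(Wieneo): Remove this once a couple extension versions included the migration code
+// migration code: remove mutating webhook from cluster as it is not served by this controller anymore
+if err := mgr.Add(manager.RunnableFunc(func(ctx context.Context) error {
+if err := client.IgnoreNotFound(mgr.GetClient().Delete(ctx, &admissionregistrationv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: ExtensionName}})); err != nil {
+return fmt.Errorf("could not delete mutatingwebhook %s: %s", ExtensionName, err)
+}
+return nil
+})); err != nil {
+return fmt.Errorf("could not add runnable to manager: %s", err)
+}
+
 if err := mgr.Start(ctx); err != nil {
 return fmt.Errorf("error running manager: %s", err)
 }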

deploy/extension/base/controller-registration.yaml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ kind: ControllerDeployment
44
metadata:
55
name: acl
66
helm:
7-
rawChart: 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
7+
rawChart: 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
88
values:
99
image: ghcr.io/stackitcloud/gardener-extension-acl:latest
1010
---

docs/listener-overview.svg

Lines changed: 0 additions & 4 deletions
This file was deleted.

hack/gen-certs.sh

Lines changed: 0 additions & 23 deletions
This file was deleted.
