File tree Expand file tree Collapse file tree 9 files changed +19
-38
lines changed
charts/gardener-extension-acl/templates
cmd/gardener-extension-acl/app Expand file tree Collapse file tree 9 files changed +19
-38
lines changed Original file line number Diff line number Diff line change 2323
2424vendor
2525out
26- certs
Original file line number Diff line number Diff line change 4242 ./cmd/$(EXTENSION_PREFIX ) -$(NAME ) \
4343 --kubeconfig=${KUBECONFIG} \
4444 --ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION ) \
45- --leader-election=$(LEADER_ELECTION ) \
46- --webhook-config-mode=url \
47- --webhook-config-url=" host.docker.internal:9443" \
48- --webhook-config-cert-dir=example/certs \
49- --webhook-config-server-port=9443
45+ --leader-election=$(LEADER_ELECTION )
5046
5147.PHONY : debug
5248debug :
Original file line number Diff line number Diff line change @@ -48,6 +48,8 @@ Broadly speaking, there are two different external traffic flows:
48481. Kubernetes API Listener (via SNI name)
49492. Apiserver-Proxy / Reversed-VPN Listener
5050
51+ *Please note that this changed with [GEP-30](https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md) as the dedicated Kubernetes Service Listener for the apiserver-proxy was removed.*
52+
5153These ways are described in more detail in the aforementioned GEP. Essentially,
5254these two ways are all represented by a specific Envoy listener with filters.
5355The extension needs to hook into each of these filters (and their filter chains)
@@ -67,10 +69,6 @@ require a unique way of handling them, respectively.
6769 but also an "inverted" policy which matches all shoots that don't have ACL
6870 enabled. All these policies are then put in a single EnvoyFilter patch.
6971
70- 
71-
72- *Please note that the `Kubernetes Service Listener` doesn't exist anymore in current versions of Gardener.*
73-
7472Because of the last point, we currently see no way of allowing the user to
7573define multiple rules of different action types (`ALLOW` or `DENY`). Instead, we
7674only support a single `ALLOW` rule per shoot, which is in our opinion the best
Original file line number Diff line number Diff line change @@ -5,6 +5,7 @@ metadata:
55 name : {{ include "name" . }}
66 namespace : {{ .Release.Namespace }}
77 labels :
8+ high-availability-config.resources.gardener.cloud/type : controller
89{{ include "labels" . | indent 4 }}
910spec :
1011 revisionHistoryLimit : 0
Original file line number Diff line number Diff line change @@ -133,6 +133,7 @@ rules:
133133 - create
134134 - update
135135 - patch
136+ - delete
136137- apiGroups :
137138 - networking.istio.io
138139 resources :
Original file line number Diff line number Diff line change @@ -24,7 +24,9 @@ import (
2424 "github.com/spf13/cobra"
2525 istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
2626 istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
27+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
2728 corev1 "k8s.io/api/core/v1"
29+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2830 componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
2931 "sigs.k8s.io/controller-runtime/pkg/client"
3032 "sigs.k8s.io/controller-runtime/pkg/manager"
@@ -103,6 +105,17 @@ func (o *Options) run(ctx context.Context) error {
103105 return fmt .Errorf ("could not add controllers to manager: %s" , err )
104106 }
105107
108+ // TODO(Wieneo): Remove this once a couple extension versions included the migration code
109+ // migration code: remove mutating webhook from cluster as it is not served by this controller anymore
110+ if err := mgr .Add (manager .RunnableFunc (func (ctx context.Context ) error {
111+ if err := client .IgnoreNotFound (mgr .GetClient ().Delete (ctx , & admissionregistrationv1.MutatingWebhookConfiguration {ObjectMeta : metav1.ObjectMeta {Name : ExtensionName }})); err != nil {
112+ return fmt .Errorf ("could not delete mutatingwebhook %s: %s" , ExtensionName , err )
113+ }
114+ return nil
115+ })); err != nil {
116+ return fmt .Errorf ("could not add runnable to manager: %s" , err )
117+ }
118+
106119 if err := mgr .Start (ctx ); err != nil {
107120 return fmt .Errorf ("error running manager: %s" , err )
108121 }
Original file line number Diff line number Diff line change @@ -4,7 +4,7 @@ kind: ControllerDeployment
44metadata :
55 name : acl
66helm :
7- rawChart: H4sIAAAAAAAAA+1b62/juBHfz/orWG+B2z2c5Ecc587AAs1l070FNg8k2xRFUQS0RNu8SKJKUvZ6H/3bOyT1siRHdpJNLq3mQyJR5HDImd9whqRnmHskJNwmnyQJBWWhjV2/++IhqQd0sL+v/wOV/+vn/t6wP9gfjEaqvD/s9/sv0P6DSrGBYiExR+gFZ0zeVq/p+zOlWb3+nTnxAzoLGSf370MpeDQcbtQ/qL2k/9FgOHqBevfvupn+z/X/Ep1jKQkPBZIMGY2j5ZyEaBJT36PhDEXYvcEzIhzrJfo4pwKJOIoYl/AAVuKjmc8mKMDSnUPtnxAnPpZ0QaCdnBfKcegBg5DM4CsL0auIkyn9RDy0pFDvT68ddBb6K8RC3VKJhCLCkU9D4ljO28vrSwmyAYsjFgTA4OroEnmUC8uZUdnVf434ljP5zLv6b1own3XVn/RVLMJuzmgC44sjNKU+EdaPjlhG8HeCb+CvDOD5P1D1CnPKYoHevz2GDiPOfieutBzqEdw19aDIchbCZR7pWk+t1e1pA/6P5phLZ4UD/wH6aML/oHdQxn9vb7/F/2MQjugV4UrvY7ToWziKstdO3+l1LI8Il9NI6qJD9BusC8hV1oGmjCM5J+hdYkLo8OgDyszIsUIckDGqNzBrkfbSc6CbZwSY/zHagH9JggjcOBEPEQnuHv+N+uAS2vjvEahR/9ewxsM6LBwZ3XUtaIz/9vbW9T/oDfcGrf9/DPryxUYeBGIQdXWUw+4g+9s3a4PTVpVJ6OkqVrGljyfEFw6sHs4NWRke+iWeQBxHwI4cyrqK/xqPDSwW2I8TQb58QTR0/djLxHNQ0vAWQaptywIqLmO0oUbSv+6pOgoagsWELtHNnQviEyyIcwrClSR7atVuRY34d1k4pbMARzYNIAtYQNzLuM1g/V5yKsk2MWIT/oejUvwHDwfDFv+PQcpe6RQ5V8rmwb6Vjq+0js9SFSuztm3bKoWKNzT0xpBDKfM4wZEVEIk9LPHYQsiEfvXgrbejpJGAZLMGWbpYyYGQwem4Bt2K/VcoBHuWaAi1v1mpPLpLcb1utWP0VXG5dehr/DJwPxNsb0ON+PdI5LNVAHNw53SwAf/7APwS/vv9/Xb/51GoDGxY70Q3Q/fbTPlbw/t7ANkSEXFVx5wsqJLzNyoApqsPNKASUkj9JfKpi4XpMoF0UnjEYmCkOxUgi0K4YobM5tSH7eQYGQYpMBIGhUlRhMOQSb2/JdKiLR0sSsidE/dGxEFh3c2RWes51xTxKuIUhP2z8zGR0/kVpv5c7cR1tlrKO6/1oMUcD/ZHIEcuW+78koJUganoECEtGQfDmTmpV3Fcn8VeVzLbgxlB2PfZknjbteCgNBoQG6xTEA5C5u0bVPVzKmNqNopgYhiMcnXkYyFO17cmxEqAXu1fer2ksuqQuuTQdZXpnN5u7lptLJQYIlCezYfdhBJDWhNrRqtLKlXOY98/Z2DNq2rl/FuxGeazgnJsZNsB/mSDoG7MOUyTzYl6Ubuebwoc1Ug4832V8uWVL1ehK4rcFb85wb6ca4vdnXehcVM/HhV44hO70LzINfl8lH8FU/id0RB1fuqUeZktYJtBSqtxaueQ3SSpaXKWtjjMGpR5g5vz1EqqXIyGq/dmQwhUqrnGRW+u2Wrz/E1XP4vsc8mXYM+jqjn2Dw0wjqjHK7OX17IT/Niuqlcc7gZO9dNYcQQVwTIwJ7t8ZZEy4CXfi6Lc1ramZxIuikZuMPfh+PDt8cX18Yfjo4/vz06vTw9Pji/PD4+Os5oI6STvr5wF40IhQlNKfO+CTNdLk3LlR8eZ03eydW7TPDQ5+1Te9yeH746vQNizi+uzq+OLv1+8/1iRdYwSc8jD2G5tXLuDojgRLOYuWTOarFCviZL9A3jWtPiKJKdB7nX7vd2MpGlyBAGfoBw2QBGWwKJCtB2fc7oABzMjx8LFPjYb1FPsi1wdC+bHATlRPlxUraRhXS30FygORvlVHRTqcYC1OsQaw9TEZPNc7DQTZhCVdWVb6d00QStO4J3ys5Q8MsWxL0+YBzyGg15hUMkonzqobWlrasz/IgZrg+CxPgGaxN6M7JwINu7/Dkvn/4O93kGb/z0KJa5oJtErlTjUZU6vUb9uCyjSEWeeK54z721mKL9qQ/ljJI0Qmv4txAtMfRUmavYinjSO997J4rNwiI345xPs3vMiQAP+h3vwbf387+BAnf+1+P/+VEa1VjeO5RyS5c86qHJuftbnHvmWrw9zRvgF88kuAN8Fujz2VcRjIxDtHWdxpMMfu7hhQAUIB3JBOcQok6SCcjrqvw+f9cNSoVY/RdlTHIHIRD+6ELIljx6gXT8W4l9VDhkGW02pD0MWVYky2IjSFkaVkWvmTZjeQqFyZO6ZVxpOORYQNboyhmZbDeo+suRVS69dgIOMtxOgdlYrUmU9NwoV4BAiTy8rbRCioLtlnW5z0RLVVkTrdKpCZOvQHZUArwU9GOzU2AKYAgvSQn16qRPwDZ0WhloZYHXCN0F4o0ly5hNRLpgAIAFopjyvUfq0o7C7aqMDWSAnUnTMG6QloXn5zoahtsHrxMlPQxqlyLu+64S4DPwDDW9XoQ6TSppIOrwnw7Rch2Dm29bbWQVhCkNO52gTdLyACoUbTmYwi/x2OYNY7cKFsyWZzBm7MXlubBpt7792Qlb98lOSawZMlni1pfu41/L7q8Hhd1uFoYtkKyydiFskhFrV+KBBHojD1UVavdSbxpdrO+/N49kmbXjqGOuPTI3xf3IUgo1C7pQJNOX/e/1+Kf8fQGEb/z8GbbzYUQLik2by4G6Y3oNdF+ojuyHZnu9TT+QzpUb8LyJ8398BNOC/vzcq//7nYH/U5v+PQqWjCKVtEqp9Mq9uz08BUZ22qAioHJdAJUnh2znzDpNqhD+03zB7ejVCp0FY8Rx8vczs4mUH9bqQFs9Vsk/mvP+HH3+wsgMgGiYHo8VTFDeKtaic/DumHGass1kiJ2fhQDtERdasc8tAys0K52Pq9knA+OpOIpimd5Eiabm+v4kQgAhC3OzgtO5KkSqvXCtqOo2CCiYuLyrRlJgDqMLRsRK8WNnJ6z2b/djHpg3+f2Fm9GF+ANbo/weDyu8/D9r7/49Cyf2j2dzlypvDZLg3VJpLWPW2MdZxgbQq15LeT0+ZPAfPoXBtFU9UxmigCgppsvI6wCTxvtqRdvZ7Qccq+rXOaHhCO5YFuFb1knUpO1yvc+9VR615A2tr3Wcq1o2+paMWMhCgcBtIVSpdVwL2ULjxllB+KaFw5SlbjMqMrOptpjH6578sq/6Kjvn2EtVdIVD3m1+i9PLzWD/ntwcwBHhElyFk5vGCRExQqadnLmUkxt2ucOdLzD9T+RePLBz8OebEcVmQl+dPjrgh3Wv1W9yEeeG+VtIPL/TAyczRu96qnUPiXt9JjC+5AqjYrYsp8Qx00nMGzi+glNQ6x2ajJfnNYqf17S211FJLLbXUUksttdRSSy21VKH/AhO14U4AUAAA
7+ rawChart: H4sIAAAAAAAAA+1b62/juBHfz/orWG+B2z2c5GecOwMLNJdN9xbYPJBsUxRFEdASbfMiiSpJ2et99G/vkJQlWZIjO8k6TU/zIZFG5HDImd9w+PAUc4+EhNvkkyShoCy0seu3XzwmdYAODw70f6Dif/3c7Q+6vYPecKj43UG3232BDh5Viw0UC4k5Qi84Y/KucnXfnylNq+3vzIgf0GnIOHl4G8rAw8Fgo/3B7AX7D3uD4QvUeXjT9fQHt/9LdIGlJDwUSDJkLI4WMxKicUx9j4ZTFGH3Fk+JcKyX6OOMCiTiKGJcwgN4iY+mPhujAEt3BqV/Qpz4WNI5gXpyluPj0AMBIZnCVxaiVxEnE/qJeGhBodyfXjvoPPSXiIW6plIJRYQjn4bEsZy3VzdXEnQDEccsCEDA9fEV8igXljOlsq3/GvUtZ/yZt/XfFWM2bas/q1cxD9uZoDH0L47QhPpEWD86YhHB3zG+hb8ygOf/QNFrzCmLBXr/9gQajDj7nbjScqhHcNuUA5blzIXLPNK2ntqq29MG/B/PMJfOEgf+I7RRh/9e57CI/07/oMH/PghH9JpwZfcRmnctHEXpa6vrdFqWR4TLaSQ16wj9BvMCcpV3oAnjSM4Iepe4EDo6/oBSN3KsEAdkhKodzJqvWuk40MwzAsz/GW3AvyRBBGGciMfIBHfP/4ZdCAlN/rcHqrX/DczxMA8LR0b3nQtq879+f93+vc6g32vi/z7oyxcbeZCIQdbVUgG7hexv36wNQVsVJqGni1j5mj4eE184MHs4t2RpZOiXeAx5HAE/cihrK/lrMjaImGM/ThT58gXR0PVjL1XPQUnFOxQp1y0qqKSM0IYSSfu6pXIvaAgeE7pEV3cuiU+wIM4ZKFfQ7KlNuxXV4t9l4YROAxzZNIBVwBzyXsZtBvP3glNJtskR6/A/GBbyP3g4HDT43wcpf6UT5Fwrnwf/Vja+1jY+X5lYubVt21YhVbyloTeCNZRyj1McWQGR2MMSjyyETOpXDd5qP0oqCVhsViBLs5UeCBmcjirQrcR/BSb4s0QDKP3NWumjmxQ36147Ql+VlDu7viYvBfczwfY2VIt/j0Q+WwYwBvdeDtbg/6DXHxTw3+0eHDb43wcVgQ3znWin6H6bGn9reO8MZAQ0o9OZjeeYApP6VC5tM+04nAgWcxfguXJUx/VZ7LXlMgLxUEpy5vuEbxMPLBERVzXIyZyq7v5GBaB9+YEGVMJKVH+JfOpiYTRPIkPCPGYxCNK6C+iSChRGe73H9WG7uDQ0Alb4SgTkxlYRDkMm9TaZWLG2jNMoIXdG3FsRB7npOwN4ZQBes+eriFNQ9s/Ox0RP51ew4IXa0GttlRG0XutOixnuHQxBj0y3LIYmjLwfKIJEa8E4+N+0ZHNmezAiCPs+WxBvuxocjEYDYoOTC8JByax+jal+Xum4chtFMDAMerk89rEQZ+s7HGIpwK72L51OUlg1SF1y5LrKdc7uRo02G/gzhkSWp+Nh14HNkLbEmtNqTqnIRez7Fwy8eVkunH3LV8N8mjOOjWw7wJ8UPN2YcxgmmxP1ojZP3+QkZsjUz0nhq2Xoirx0JW9GsC9n2mN3l52rXNeORwUe+8TOVc9LTT4fZ1/BFX5nNEStn1pFWWYn2WawMtY4tTPIbtLUVDlf1ThKKxRlQ7T01ISsQoyGq/dmQyZVKLkmRe/R2WoP/k1bP4v0cyGWYM+jqjr2jwwwjqnHS6OXlbIT/NiuKpfv7gZJ1cNYCgQlxVIwJ5uFRZVS4CXf86rcVbeiZRLO805uMPfh5OjtyeXNyYeT44/vz89uzo5OT64ujo5P0pII6bXiXzkLRjkmQhNKfO+STNa5CV/F0VEa9J10utw0DnXBfqXv+9OjdyfXoOz55c359cnl3y/ffyzpOkKJO2TZcLsyPd7BUOksnS+TMvWcKNk/QGZFja9IchpkUbfb2c1J6gZHEIgJKmADFGEKzBtE+/EFp3MIMFNyIlzsY7PPPcG+yMwxZ34ckFMVw0XZS2rm1Vx7gZJgjF+2Qa4cB1irs7ARDE1MNo/FTiNhOlGaV7bV3l2t8/IDeK9l3oo8MsGxL0+ZBzIGvU6uU0kvnzo3/iNQ7fovYhDUBY/1CdA49qZk54Vg7f7voHD+3+t3Dpvz/71QEkOmEr1SGX/Vkuc16lZtAUU6VczWihfMe5s6yq/aUb7fonGX1R7klH8Lk8Wlb8SLeFzb3wev8p5FJKvFPx9j94EXAWrwP+gfFM//Dw+7/Qb/+6AiqrW5cSxnsMr9rLMh5/Znfe6Rbfn6MGaEXzKf7ALwXaDLY1+lKjYC1d5xFkc6b7HzK30qQDnQC/iQXIyTAiroqP8+fNYPC4Va/RSlT3EEKhP96EKulTx6gHb9mEtcFR+WBmw5oT50WZQ1SmFT3KEqC3LNuAnTWijU4pZ75pWGE44FpHuujKHaVp16iC5Z0cJrG+Ag4+0UqBzVklabtvDKSgU4hJTRS7k1SuRst6iybaZaYtqSaq1WWYl0HrqnEeA1ZweDnQpfAFdgwYqpTy/1ynlDo7muljpYHvBNEN7okpz5RBQZYwAkAM3wsxKFTzsqu6s1WrB840SKlnmD9URoXr6zY6ht8Cp1stOQWi2ypu87IC6D+EDDu02o06SCJZIGHyhwxdcpmPm29T5UTplcl1djtAk6XkCFwg0nUxhFfreeQay2z8LpgoxnjN2aBWpsKm0fv+5rm+qZqKDiFOQt8HLLSPKgmfhXA8nvNiFDE8l21mog7tAQSpVThRp9ICVXd2r1rG8qX63tntf3Z5sVxFOnW/9zVJv/J2cY2FjhXiuBuvV/v9strP97wGzy/33QxosdBfQ96UoeYgzTm6frSn1ktyTdrH3qgXymVIv/eYQf+juAGvx3+8Pi738OD4bN/Y+9UOEMQVmbhGqfzKva81NAVMckKu0pJiNQSFL4dsG8o6QY4Y8dN8yeXoXSq8wrf4C9zjO7eOkJu2bS/IFI+skc1P/w4w9WenJDw+REM3/84UaxVpWTf8eUw4i1NmvkZCIcqIeoSKu17uhIsVruYEtdGwkYX95LBVP1PlokNdf3NxECEEFem554Vl0pUvzStaK6YyQoYPLyvBENx5wc5c58leL5wk5W7tnsx+6bNsT/uRnRx/kBWG387/VKv/88bO7/74WSi0PTmctVNIfBcG+pNLenqn1jpPMCaZXuE72fnDF5AZFD4drKn6iMUE8xcmtjFXVASBJ9dSBtHXSClpWPa63h4JS2LAtwrcol81J6Kl4V3suBWssG0dZ6zFSia2NLS01koEDuGo8qVLhnBOKBufF6T3abIHdXKZ2MioKs8jWkEfrnvyyr+m6N+fYSVZ39q/vNL9Hq8vNIP2fH/hgSPKJ5CJlxvCQRE1Tq4ZlJGYlRuy3c2QLzz1T+xSNzB3+OOXFcFmT87MkRt6R9o36LmwjPXbRK2uG5FjiZOnrXW9VzSNzpOonzJXf3lLh1NSWegk06Ts/5BYyy8s6R2V1JfrPYamJ7Qw011FBDDTXUUEMNNdRQQw2V6L8xGdXJAFAAAA==
88 values :
99 image : ghcr.io/stackitcloud/gardener-extension-acl:latest
1010---
Load Diff This file was deleted.
Load Diff This file was deleted.
You can’t perform that action at this time.
0 commit comments