Original file line number Diff line number Diff line change 23
23
24
24
vendor
25
25
out
26
- certs
Original file line number Diff line number Diff line change 42
42
./cmd/$(EXTENSION_PREFIX ) -$(NAME ) \
43
43
--kubeconfig=${KUBECONFIG} \
44
44
--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION ) \
45
- --leader-election=$(LEADER_ELECTION ) \
46
- --webhook-config-mode=url \
47
- --webhook-config-url=" host.docker.internal:9443" \
48
- --webhook-config-cert-dir=example/certs \
49
- --webhook-config-server-port=9443
45
+ --leader-election=$(LEADER_ELECTION )
50
46
51
47
.PHONY : debug
52
48
debug :
Original file line number Diff line number Diff line change @@ -48,6 +48,8 @@ Broadly speaking, there are two different external traffic flows:
48
48
1. Kubernetes API Listener (via SNI name)
49
49
2. Apiserver-Proxy / Reversed-VPN Listener
50
50
51
+ *Please note that this changed with [GEP-30](https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md) as the dedicated Kubernetes Service Listener for the apiserver-proxy was removed.*
52
+
51
53
These ways are described in more detail in the aforementioned GEP. Essentially,
52
54
these two ways are all represented by a specific Envoy listener with filters.
53
55
The extension needs to hook into each of these filters (and their filter chains)
@@ -67,10 +69,6 @@ require a unique way of handling them, respectively.
67
69
but also an "inverted" policy which matches all shoots that don't have ACL
68
70
enabled. All these policies are then put in a single EnvoyFilter patch.
69
71
70
- 
71
-
72
- *Please note that the `Kubernetes Service Listener` doesn't exist anymore in current versions of Gardener.*
73
-
74
72
Because of the last point, we currently see no way of allowing the user to
75
73
define multiple rules of different action types (`ALLOW` or `DENY`). Instead, we
76
74
only support a single `ALLOW` rule per shoot, which is in our opinion the best
Original file line number Diff line number Diff line change @@ -5,6 +5,7 @@ metadata:
5
5
name : {{ include "name" . }}
6
6
namespace : {{ .Release.Namespace }}
7
7
labels :
8
+ high-availability-config.resources.gardener.cloud/type : controller
8
9
{{ include "labels" . | indent 4 }}
9
10
spec :
10
11
revisionHistoryLimit : 0
Original file line number Diff line number Diff line change @@ -133,6 +133,7 @@ rules:
133
133
- create
134
134
- update
135
135
- patch
136
+ - delete
136
137
- apiGroups :
137
138
- networking.istio.io
138
139
resources :
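Review bot: The added `delete` verb at new line 136 widens a rule whose `apiGroups` and `resources` lie above the hunk, so the grant covers every object of those resources unless the rule already carries `resourceNames`. If this is the rule for mutating webhook configurations, as the migration code in this commit suggests, the controller's service account could then delete any admission webhook in the cluster, not only its own stale one. I would move the verb into a separate rule with `verbs: ["delete"]` and `resourceNames: ["<extension-webhook-name>"]` (placeholder for the value of ExtensionName), and add a comment such as `# migration only: remove together with the webhook cleanup code`. Since the webhook is no longer served by this controller, the existing `create`, `update` and `patch` verbs on that rule are probably unneeded as well and worth dropping.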
Original file line number Diff line number Diff line change @@ -24,7 +24,9 @@ import (
24
24
"github.com/spf13/cobra"
25
25
istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
26
26
istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
27
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
27
28
corev1 "k8s.io/api/core/v1"
29
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
28
30
componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
29
31
"sigs.k8s.io/controller-runtime/pkg/client"
30
32
"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -103,6 +105,17 @@ func (o *Options) run(ctx context.Context) error {
103
105
return fmt .Errorf ("could not add controllers to manager: %s" , err )
104
106
}
105
107
108
+ // TODO(Wieneo): Remove this once a couple extension versions included the migration code
109
+ // migration code: remove mutating webhook from cluster as it is not served by this controller anymore
110
+ if err := mgr .Add (manager .RunnableFunc (func (ctx context.Context ) error {
111
+ if err := client .IgnoreNotFound (mgr .GetClient ().Delete (ctx , & admissionregistrationv1.MutatingWebhookConfiguration {ObjectMeta : metav1.ObjectMeta {Name : ExtensionName }})); err != nil {
112
+ return fmt .Errorf ("could not delete mutatingwebhook %s: %s" , ExtensionName , err )
113
+ }
114
+ return nil
115
+ })); err != nil {
116
+ return fmt .Errorf ("could not add runnable to manager: %s" , err )
117
+ }
118
+
106
119
if err := mgr .Start (ctx ); err != nil {
107
120
return fmt .Errorf ("error running manager: %s" , err )
108
121
}
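Review bot: The runnable added at new lines 110-115 returns the delete error, and a runnable that returns an error makes the manager stop, so a transient API failure or a missing `delete` permission in this one-shot cleanup takes the ACL controllers down with it. If the cleanup is meant to be best-effort, log the failure and return nil; if the restart is the intended retry, say so in the comment, e.g. `// a failed delete stops the manager on purpose so the pod restarts and retries`. The object is also deleted by name alone, so it is worth confirming that nothing else in the cluster can own a MutatingWebhookConfiguration named ExtensionName. Independently, wrap with `%w` so callers can inspect the cause: `return fmt.Errorf("could not delete mutatingwebhook %s: %w", ExtensionName, err)`. The body of `run` starts above the hunk.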
Original file line number Diff line number Diff line change @@ -4,7 +4,7 @@ kind: ControllerDeployment
4
4
metadata :
5
5
name : acl
6
6
helm :
7
- rawChart: 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
7
+ rawChart: 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
8
8
values :
9
9
image : ghcr.io/stackitcloud/gardener-extension-acl:latest
10
10
---
Load Diff This file was deleted.
Load Diff This file was deleted.