@@ -43,37 +43,22 @@ Istio configures an envoy proxy using a set of
4343We can hook into this mechanism and insert additional configuration, which
4444further limits the access to a specific cluster.
4545
46- Broadly speaking, there are three different external traffic flows :
46+ Broadly speaking, there are two different external traffic flows :
4747
48481. Kubernetes API Listener (via SNI name)
49- 1. Kubernetes Service Listener (internal flow)
50- 1. VPN Listener
49+ 2. Apiserver-Proxy / Reversed-VPN Listener
5150
5251These ways are described in more detail in the aforementioned GEP. Essentially,
53- these three ways are all represented by a specific Envoy listener with filters.
52+ these two ways are all represented by a specific Envoy listener with filters.
5453The extension needs to hook into each of these filters (and their filter chains)
55- to implement the desired behavior. Unfortunately, all three types of access
54+ to implement the desired behavior. Unfortunately, all types of access
5655require a unique way of handling them, respectively.
5756
58- 
59-
60571. **SNI Access** - The most straightforward approach. Wen can deploy one
6158 additional `EnvoyFilter` per shoot with enabled ACL extension. It contains a
6259 filter patch that matches on the shoot SNI name and specifies an `ALLOW` rule
6360 with the provided IPs.
64- 1. **Internal Flow** - Gardener creates one `EnvoyFilter` per shoot that defines
65- this listener. Unfortunately, it doesn't have any criteria we could use to
66- match it with an additional `EvnoyFilter` spec on a per-shoot basis, and
67- we've tried a lot of things to make it work. On top of that, a behavior that
68- we see as [a bug in Istio](https://github.com/istio/istio/issues/41536)
69- prevents us from working with priorities here, which was the closest we got
70- to make it work. Now instead, the extension deploys a `MutatingWebhook` that
71- intercepts creations and updates of `EnvoyFilter` resources starting with
72- ` shoot--` (which is their only common feature). We then insert our
73- rules. To make this work with updates to `Extension` objects, the controller
74- dealing with 1) also updates a hash annotation on these `EnvoyFilter`
75- resources every time the respective ACL extension object is updated.
76- 1. **VPN Access** - All VPN traffic moves through the same listener. This
61+ 2. **Apiserver-Proxy / VPN Access** - All apiserver-proxy and VPN traffic moves through the same listener. This
7762 requires us to create only a single `EnvoyFilter` for VPN that contains
7863 **all** rules of all shoots that have the extension enabled. And, conversely,
7964 we need to make sure that traffic of all shoots that don't have the
@@ -82,6 +67,10 @@ require a unique way of handling them, respectively.
8267 but also an "inverted" policy which matches all shoots that don't have ACL
8368 enabled. All these policies are then put in a single EnvoyFilter patch.
8469
70+ 
71+
72+ *Please note that the `Kubernetes Service Listener` doesn't exist anymore in current versions of Gardener.*
73+
8574Because of the last point, we currently see no way of allowing the user to
8675define multiple rules of different action types (`ALLOW` or `DENY`). Instead, we
8776only support a single `ALLOW` rule per shoot, which is in our opinion the best
0 commit comments