stackitcloud · Wieneo · Mar 27, 2025 · Mar 31, 2025 · Apr 17, 2025 · Apr 29, 2025
@@ -23,4 +23,3 @@ TODO
 
 vendor
 out
-certs
@@ -42,11 +42,7 @@ run:
 		./cmd/$(EXTENSION_PREFIX)-$(NAME) \
 		--kubeconfig=${KUBECONFIG} \
 		--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
-		--leader-election=$(LEADER_ELECTION) \
-		--webhook-config-mode=url \
-		--webhook-config-url="host.docker.internal:9443" \
-		--webhook-config-cert-dir=example/certs \
-		--webhook-config-server-port=9443
+		--leader-election=$(LEADER_ELECTION)
 
 .PHONY: debug
 debug:

@@ -43,37 +43,24 @@ Istio configures an envoy proxy using a set of
 We can hook into this mechanism and insert additional configuration, which
 further limits the access to a specific cluster.
 
-Broadly speaking, there are three different external traffic flows:
+Broadly speaking, there are two different external traffic flows:
 
 1. Kubernetes API Listener (via SNI name)
-1. Kubernetes Service Listener (internal flow)
-1. VPN Listener
+2. Apiserver-Proxy / Reversed-VPN Listener
+
+*Please note that this changed with [GEP-30](https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md) as the dedicated Kubernetes Service Listener for the apiserver-proxy was removed.*
 
 These ways are described in more detail in the aforementioned GEP. Essentially,
-these three ways are all represented by a specific Envoy listener with filters.
+these two ways are all represented by a specific Envoy listener with filters.
 The extension needs to hook into each of these filters (and their filter chains)
-to implement the desired behavior. Unfortunately, all three types of access
+to implement the desired behavior. Unfortunately, all types of access
 require a unique way of handling them, respectively.
 
-![Listener Overview](./docs/listener-overview.svg)
-
 1. **SNI Access** - The most straightforward approach. Wen can deploy one
    additional `EnvoyFilter` per shoot with enabled ACL extension. It contains a
    filter patch that matches on the shoot SNI name and specifies an `ALLOW` rule
    with the provided IPs.
-1. **Internal Flow** - Gardener creates one `EnvoyFilter` per shoot that defines
-   this listener. Unfortunately, it doesn't have any criteria we could use to
-   match it with an additional `EvnoyFilter` spec on a per-shoot basis, and
-   we've tried a lot of things to make it work. On top of that, a behavior that
-   we see as [a bug in Istio](https://github.com/istio/istio/issues/41536)
-   prevents us from working with priorities here, which was the closest we got
-   to make it work. Now instead, the extension deploys a `MutatingWebhook` that
-   intercepts creations and updates of `EnvoyFilter` resources starting with
-   `shoot--` (which is their only common feature). We then insert our
-   rules. To make this work with updates to `Extension` objects, the controller
-   dealing with 1) also updates a hash annotation on these `EnvoyFilter`
-   resources every time the respective ACL extension object is updated.
-1. **VPN Access** - All VPN traffic moves through the same listener. This
+2. **Apiserver-Proxy / VPN Access** - All apiserver-proxy and VPN traffic moves through the same listener. This
    requires us to create only a single `EnvoyFilter` for VPN that contains
    **all** rules of all shoots that have the extension enabled. And, conversely,
    we need to make sure that traffic of all shoots that don't have the

@@ -5,7 +5,7 @@ metadata:
   name: {{ include "name" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    high-availability-config.resources.gardener.cloud/type: webhook
+    high-availability-config.resources.gardener.cloud/type: controller
 {{ include "labels" . | indent 4 }}
 spec:
   revisionHistoryLimit: 0
@@ -43,10 +43,6 @@ spec:
         {{- if .Values.gardener.version }}
         - --gardener-version={{ .Values.gardener.version }}
         {{- end }}
-        - --webhook-config-namespace={{ .Release.Namespace }}
-        - --webhook-config-service-port={{ .Values.webhookConfig.servicePort }}
-        - --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
-        - --disable-webhooks={{ .Values.disableWebhooks | join "," }}
         env:
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:

@@ -133,6 +133,7 @@ rules:
   - create
   - update
   - patch
+  - delete
 - apiGroups:
   - networking.istio.io
   resources:

@@ -25,12 +25,6 @@ controllers:
 
 disableControllers: []
 
-webhookConfig:
-  servicePort: 443
-  serverPort: 10250
-
-disableWebhooks: []
-
 additionalAllowedCidrs: []
 
 # imageVectorOverwrite: |

@@ -24,14 +24,15 @@ import (
 	"github.com/spf13/cobra"
 	istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
 	istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"github.com/stackitcloud/gardener-extension-acl/pkg/controller"
 	"github.com/stackitcloud/gardener-extension-acl/pkg/controller/healthcheck"
-	"github.com/stackitcloud/gardener-extension-acl/pkg/webhook"
 )
 
 // NewControllerManagerCommand creates a new command that is used to start the service controller.
@@ -95,7 +96,6 @@ func (o *Options) run(ctx context.Context) error {
 	ctrlConfig := o.extensionOptions.Completed()
 	ctrlConfig.ApplyHealthCheckConfig(&healthcheck.DefaultAddOptions.HealthCheckConfig)
 	ctrlConfig.Apply(&controller.DefaultAddOptions.ExtensionConfig)
-	webhook.DefaultAddOptions.AllowedCIDRs = ctrlConfig.AdditionalAllowedCIDRs
 
 	o.controllerOptions.Completed().Apply(&controller.DefaultAddOptions.ControllerOptions)
 	o.healthOptions.Completed().Apply(&healthcheck.DefaultAddOptions.Controller)
@@ -105,11 +105,19 @@ func (o *Options) run(ctx context.Context) error {
 		return fmt.Errorf("could not add controllers to manager: %s", err)
 	}
 
-	if err := o.webhookOptions.Completed().AddToManager(ctx, mgr); err != nil {
-		return fmt.Errorf("could not add controllers to manager: %s", err)
+	// TODO(Wieneo): Remove this once a couple extension versions included the migration code
+	// migration code: remove mutating webhook from cluster as it is not served by this controller anymore
+	if err := mgr.Add(manager.RunnableFunc(func(ctx context.Context) error {
+		if err := client.IgnoreNotFound(mgr.GetClient().Delete(ctx, &admissionregistrationv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: ExtensionName}})); err != nil {
+			return fmt.Errorf("could not delete mutatingwebhook %s: %w", ExtensionName, err)
+		}
+		return nil
+	})); err != nil {
+		return fmt.Errorf("could not add runnable to manager: %w", err)
 	}
+
 	if err := mgr.Start(ctx); err != nil {
-		return fmt.Errorf("error running manager: %s", err)
+		return fmt.Errorf("error running manager: %w", err)
 	}
 
 	return nil

@@ -19,7 +19,6 @@ import (
 	"os"
 
 	extensionscmdcontroller "github.com/gardener/gardener/extensions/pkg/controller/cmd"
-	extensionscmdwebhook "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
 
 	extensioncmd "github.com/stackitcloud/gardener-extension-acl/pkg/cmd"
 )
@@ -36,7 +35,6 @@ type Options struct {
 	controllerOptions  *extensionscmdcontroller.ControllerOptions
 	healthOptions      *extensionscmdcontroller.ControllerOptions
 	controllerSwitches *extensionscmdcontroller.SwitchOptions
-	webhookOptions     *extensioncmd.AddToManagerOptions
 	reconcileOptions   *extensionscmdcontroller.ReconcilerOptions
 	optionAggregator   extensionscmdcontroller.OptionAggregator
 }
@@ -65,14 +63,7 @@ func NewOptions() *Options {
 			MaxConcurrentReconciles: 5,
 		},
 		controllerSwitches: extensioncmd.ControllerSwitches(),
-		webhookOptions: extensioncmd.NewAddToManagerOptions(
-			ExtensionName,
-			&extensionscmdwebhook.ServerOptions{
-				Namespace: os.Getenv("WEBHOOK_CONFIG_NAMESPACE"),
-			},
-			extensioncmd.WebhookSwitchOptions(),
-		),
-		reconcileOptions: &extensionscmdcontroller.ReconcilerOptions{},
+		reconcileOptions:   &extensionscmdcontroller.ReconcilerOptions{},
 	}
 
 	options.optionAggregator = extensionscmdcontroller.NewOptionAggregator(
@@ -83,7 +74,6 @@ func NewOptions() *Options {
 		options.extensionOptions,
 		extensionscmdcontroller.PrefixOption("healthcheck-", options.healthOptions),
 		options.controllerSwitches,
-		options.webhookOptions,
 		options.reconcileOptions,
 	)
 

@@ -4,7 +4,7 @@ kind: ControllerDeployment
 metadata:
   name: acl
 helm:
-  rawChart: H4sIAAAAAAAAA+0ca2/bOLKf9St46gFtF5X8iOPsGihw2TTXDdA2RtLL4rBYBLRE29xIoo6UnLqP++03fOhhSY7sJE22e54PjkwNh0POm6Qzw9wnEeEO+ZiQSFAWOdgLOk/uE7oAB/v76i9A9a967u0Nev39/nAo23uDXq/3BO3fKxdrIBUJ5gg94YwlN+G1vf9OYdYsf3dOgpDOIsbJ3ceQAh4OBmvlD2KvyH/YHwyfoO7dh26H/3P5P0VjnCSERwIlDGmJo+s5idAkpYFPoxmKsXeFZ0S41lP0YU4FEmkcM57AA2hJgGYBm6AQJ94csF8iTgKc0AWBfsm81I4jHwhEZAZvWYSex5xM6Ufio2sKeH974aLTKFgiFqmekiUUE44CGhHXcl+fX54nwBuQOGJhCAQujs6RT7mw3BlNOupTs2+5k0+8oz6zhvmsIz+yr2IRdQpCE5hfGqMpDYiwfnDFdQyfE3wFn0kIz/8F1AvMKUsFOnl9DAPGnP1BvMRyqU9wR+NBk+UuhMd80rEeW6qbwxr7P5pjnrhLHAb3MEab/fe7B1X77+7t7+z/IQDH9IJwKfcRWvQsHMf5V7vndm3LJ8LjNE5U0yH6BeIC8qR2oCnjKJkT9MaoEDo8eotyNXKtCIdkhJoVzFpko3RdGOY7Mpi/GKyx/4SEMbhxIu4jE9w+/xv2wCXs8r8HgFb5X0KMhzgs3CS+bSxozf/29lbl3+8O9vo7//8Q8Pmzg3xIxCDrsqXDtpHz9au1xmlLZBL5CsUq9wzwhATChejhXpGlpqG+pBPI4wjokUtZR9JfobGGxAIHqWHk82dEIy9I/Zw9F5mONzBS71tlUFIZoTUYZnw1Un0WNAKNiTyiurtnJCBYEPc9MFfh7LFFuxG02r/HoimdhTh2aAhVwALyXsYdBvH7mtOEbJIjttn/YFjJ/+DhYLCz/4cAqa90itwLqfOg31LGF0rGp5mIpVo7jmNVUsUrGvkjqKGkerzDsRWSBPs4wSMLIZ36NRtvsx6ZTgKKzQbLUs2SD4S0nY4arFuS/wKNoM8JGgD2VyvjRw0pLle1doS+SCo3Tn2FXm7c34ltbwKt9u+TOGDLENbg1uVgi/3vDw+q8b/XG+72fx4EqoYN8U50cut+nQt/Y/Pe2pARwJzO5g5eYAqNNKDJ0tFhx+VEsJR7YJ6ZorpewFK/kyxjIH9NJnPGrjZxBpaIiSdH42RB5Vx/oQJMffmWhjSBMlS9iQPqYaHZNm7BNB6xFAgpxgXMR3oJzbra4Hq7mVMaagKZcRkCpYWVgKOIJWqPTGRNGzppZMCbE+9KpGEpdhfW3eh9V4T5POYUmP27+8Hw6f4M4hvL3Tx7o3TAfqEmLea4vz8EPgreCgdqGspKIAGyrGvGQflmNYEzx4cVQTgI2DXxN+vBQWg0JA5ouCAcmCz6t4jqx4zHTG0kwMIwmOXyKMBCvF/d3hBLAXJ1fup2DbIckHrk0POk6ry/2WSU2FiUYMhieb4eTpulaVCSWFFa1VJDGadBMGagzcs6cvGu3A3zWUk4DnKcEH+UtumlnMMyOZzIL3Ln9FWJopwJZ0Egy8YC+XwZeaJMXdKbExwkc6Wx29MudW4bx6cCTwLilLqXqZrXR8VbUIU/GI2Q/dKu0tLbyA6DsljZqVOY7DpOdZfTrMdh3qFKG1ylL6OxdDHKXP1Xa9KoCuYKFbVB58gN+Fcd9Szy1xVfgn2fyu44ONSGcUR9Xlu9Assx9uN4Eq883TWUmpex5ghqjOXGbHYKqyzlhmfel1m5qW/DyJKciSQm7jh5CHt1QwRb29uYviNPScp8GTSdM7sGawxIG9CDmbaTI7yJWqb7Br9J8X81r9aIi0SLshvQXunt8eHr47PL47fHRx9OTt9fvj98d3w+Pjw6zjERUqX0PzkLR6VGhKaUBP4Zma62mnYZaUZ5WHRzUazTlLZwmPF78u7wzfEFMHt6dnl6cXz269nJhxqvI2QMpigWOo3VwxaqnCcxZZy8UWUNCfs30Gzo8QUlnIZFXOp1tzOjtsURBLymDGngrCBJKAtEWfqY0wW44Bk5Fh4OsD4GmOJAFOJYsCANyTsZ5URdS1oyj9J4oaSghV+XQQmPg+OTR4UjWJqUrF+LrVZCT6IWeTfl3svK4PIC3qoKzsAnU5wGyTvmA41Bv1ualJnlveT/rfVfzMCvC56qE6BJ6s/I1oVg6/7voHL+39/rHuzqvwcBYySzBD2XSX9T1fMC9Zq2gGKVLRa14pj5r3NF+VkpyrcrGrcp+CCt/FdkistAkxfppHW+dy707ttUvwm02j+fYO+OFwFa7H+wB+9Wz/8ODuT5387+vz1UrVqJG6fJHArdTyrcu1c/qnOPYss3gDUj/IwFZBsD38Z0eRrIWOwgYO0NZ2msArNTLvapAOaAL2iH6DkxCNLpyL8BvFYP19Jq1VOcP6UxsEzUowfJhHn0wdrVYykzk+2Q+7LllAYwZVHnKDeb6g5VnZCn103o0SIh61vu6680mnIsIJ/xkhS6bTSpu/BSoFa+dsAcknQzBhpXtcbVui28OlMhjiAn8vPWFiZKsrtukm3BmhFtjTXbrjORx6FbCgG+luSgbadBF0AVWJg1qtNLVTyvGbQ01doE6wu+zoTXqiRnARHVhgkYJBiabi8wKq+2ZHZbadhQn3CSCFt/g4Q50l++sWLIbfAmdorTkFYuiqFvuyAeA/9Ao5tFqNKkiiTMgHckmLWrFEy/23grqsRMacrZGq0zHT+kQtoNJzNYRX4zn2Eqd9CimdnV0BVYqjtt7r+2sqzm8FPhawZErvFyQ/dxp/D7s7bDbxaFYQizSZMtxA0cAlY9P2jhB/JweZFWhXrd+Xxl17x9PpuUDY+dY/2ZoTX/N7uUdykBWvJ/SP2r9z+6g0F3l/8/BKy92GEM8f5L+Nr5Zsmrrj3unXIWOoAV+E7C1Ea4GKFnv322Y84S5rHAHtkfjsb2S1u+s0eb7ZJ//f3ZdhzgIMj35kFtwKmL/EDkMZiKme8o7+1kexXFyQUwRuVZ9kqqf5v9E33Ubrz6ydgqb4xsQgchvTQ6ssLjyulj65lItpgjBGupWvTKj9spFcchj21mf1rY1P9jHZBvFQba9n/3er2K/+9D487/PwS0+f8sEXvUnVxIN5k6HVpl6gO7Ivlp1GMv5HcKrfa/iPFdfwfWmv8Nq7//PNgf7vZ/HwQqh6RS2iSS5yR+05mPNER5DiyTkmpdCkgJhXdj5h8aNMLv22/onKSB6SxFKt9hWm3TyWZ+yUo10vKJb/5K39V69sMzKz+appG51FI+3/XiVLHKyX9SymHF7PUcuQUJF/ohKvJu9g0TqXYrndzLm4Mh48tbsaC73oYL03P1fCvLyfIrHU1XSmV77Vpp2zk5IOh9mbIQdYs+Gi8lgJLxMrJb4H0353EPDWv8/0Kv6P38ALjN/w/2ar//3+vu6v8HAXN3dDb3uPTmsBjeFU10ddmsGyOVFyRW7UrpyfQ9S8bgOaRdW+UT9RHqy4bSNqn0OkDEeF/lSO39bmhbZb9mDwfvqG1ZYNcSz8Sl/NpPk3uvO2pFG0hbqz5Tkm71LbYMZMBA6SanRKpcNQXy0Lj2hmdxXap0XTUPRlVCVv0m6gj99rtlrVS3Iyu/X6zL4MFgzzTpmneEet3+fjcnl93v07Sar2rqd09R00Up+VuZpyj7Ic1IPRd3pDAki0S1AQ9KJmckZoImaqnnSRKLUacjvPk15p9o8g+fLFz8KeXE9VhYtBdPrrginUv5fx0M8dK9XTMOL43AycxVJ6iyn0vSbs81imz2SSS5VTYTPAP5dt2++xMIONP0kd60N79/t3dxYgc72MEOdrCDHfwF4X81ogeBAFAAAA==
+  rawChart: H4sIAAAAAAAAA+1b62/juBHfz/orWG+B2z2c5GecOwMLNJdN9xbYPJBsUxRFEdASbfMiiSpJ2et99G/vkJQlWZIjO8k6TU/zIZFG5HDImd9w+PAUc4+EhNvkkyShoCy0seu3XzwmdYAODw70f6Dif/3c7Q+6vYPecKj43UG3232BDh5Viw0UC4k5Qi84Y/KucnXfnylNq+3vzIgf0GnIOHl4G8rAw8Fgo/3B7AX7D3uD4QvUeXjT9fQHt/9LdIGlJDwUSDJkLI4WMxKicUx9j4ZTFGH3Fk+JcKyX6OOMCiTiKGJcwgN4iY+mPhujAEt3BqV/Qpz4WNI5gXpyluPj0AMBIZnCVxaiVxEnE/qJeGhBodyfXjvoPPSXiIW6plIJRYQjn4bEsZy3VzdXEnQDEccsCEDA9fEV8igXljOlsq3/GvUtZ/yZt/XfFWM2bas/q1cxD9uZoDH0L47QhPpEWD86YhHB3zG+hb8ygOf/QNFrzCmLBXr/9gQajDj7nbjScqhHcNuUA5blzIXLPNK2ntqq29MG/B/PMJfOEgf+I7RRh/9e57CI/07/oMH/PghH9JpwZfcRmnctHEXpa6vrdFqWR4TLaSQ16wj9BvMCcpV3oAnjSM4Iepe4EDo6/oBSN3KsEAdkhKodzJqvWuk40MwzAsz/GW3AvyRBBGGciMfIBHfP/4ZdCAlN/rcHqrX/DczxMA8LR0b3nQtq879+f93+vc6g32vi/z7oyxcbeZCIQdbVUgG7hexv36wNQVsVJqGni1j5mj4eE184MHs4t2RpZOiXeAx5HAE/cihrK/lrMjaImGM/ThT58gXR0PVjL1XPQUnFOxQp1y0qqKSM0IYSSfu6pXIvaAgeE7pEV3cuiU+wIM4ZKFfQ7KlNuxXV4t9l4YROAxzZNIBVwBzyXsZtBvP3glNJtskR6/A/GBbyP3g4HDT43wcpf6UT5Fwrnwf/Vja+1jY+X5lYubVt21YhVbyloTeCNZRyj1McWQGR2MMSjyyETOpXDd5qP0oqCVhsViBLs5UeCBmcjirQrcR/BSb4s0QDKP3NWumjmxQ36147Ql+VlDu7viYvBfczwfY2VIt/j0Q+WwYwBvdeDtbg/6DXHxTw3+0eHDb43wcVgQ3znWin6H6bGn9reO8MZAQ0o9OZjeeYApP6VC5tM+04nAgWcxfguXJUx/VZ7LXlMgLxUEpy5vuEbxMPLBERVzXIyZyq7v5GBaB9+YEGVMJKVH+JfOpiYTRPIkPCPGYxCNK6C+iSChRGe73H9WG7uDQ0Alb4SgTkxlYRDkMm9TaZWLG2jNMoIXdG3FsRB7npOwN4ZQBes+eriFNQ9s/Ox0RP51ew4IXa0GttlRG0XutOixnuHQxBj0y3LIYmjLwfKIJEa8E4+N+0ZHNmezAiCPs+WxBvuxocjEYDYoOTC8JByax+jal+Xum4chtFMDAMerk89rEQZ+s7HGIpwK72L51OUlg1SF1y5LrKdc7uRo02G/gzhkSWp+Nh14HNkLbEmtNqTqnIRez7Fwy8eVkunH3LV8N8mjOOjWw7wJ8UPN2YcxgmmxP1ojZP3+QkZsjUz0nhq2Xoirx0JW9GsC9n2mN3l52rXNeORwUe+8TOVc9LTT4fZ1/BFX5nNEStn1pFWWYn2WawMtY4tTPIbtLUVDlf1ThKKxRlQ7T01ISsQoyGq/dmQyZVKLkmRe/R2WoP/k1bP4v0cyGWYM+jqjr2jwwwjqnHS6OXlbIT/NiuKpfv7gZJ1cNYCgQlxVIwJ5uFRZVS4CXf86rcVbeiZRLO805uMPfh5OjtyeXNyYeT44/vz89uzo5OT64ujo5P0pII6bXiXzkLRjkmQhNKfO+STNa5CV/F0VEa9J10utw0DnXBfqXv+9OjdyfXoOz55c359cnl3y/ffyzpOkKJO2TZcLsyPd7BUOksnS+TMvWcKNk/QGZFja9IchpkUbfb2c1J6gZHEIgJKmADFGEKzBtE+/EFp3MIMFNyIlzsY7PPPcG+yMwxZ34ckFMVw0XZS2rm1Vx7gZJgjF+2Qa4cB1irs7ARDE1MNo/FTiNhOlGaV7bV3l2t8/IDeK9l3oo8MsGxL0+ZBzIGvU6uU0kvnzo3/iNQ7fovYhDUBY/1CdA49qZk54Vg7f7voHD+3+t3Dpvz/71QEkOmEr1SGX/Vkuc16lZtAUU6VczWihfMe5s6yq/aUb7fonGX1R7klH8Lk8Wlb8SLeFzb3wev8p5FJKvFPx9j94EXAWrwP+gfFM//Dw+7/Qb/+6AiqrW5cSxnsMr9rLMh5/Znfe6Rbfn6MGaEXzKf7ALwXaDLY1+lKjYC1d5xFkc6b7HzK30qQDnQC/iQXIyTAiroqP8+fNYPC4Va/RSlT3EEKhP96EKulTx6gHb9mEtcFR+WBmw5oT50WZQ1SmFT3KEqC3LNuAnTWijU4pZ75pWGE44FpHuujKHaVp16iC5Z0cJrG+Ag4+0UqBzVklabtvDKSgU4hJTRS7k1SuRst6iybaZaYtqSaq1WWYl0HrqnEeA1ZweDnQpfAFdgwYqpTy/1ynlDo7muljpYHvBNEN7okpz5RBQZYwAkAM3wsxKFTzsqu6s1WrB840SKlnmD9URoXr6zY6ht8Cp1stOQWi2ypu87IC6D+EDDu02o06SCJZIGHyhwxdcpmPm29T5UTplcl1djtAk6XkCFwg0nUxhFfreeQay2z8LpgoxnjN2aBWpsKm0fv+5rm+qZqKDiFOQt8HLLSPKgmfhXA8nvNiFDE8l21mog7tAQSpVThRp9ICVXd2r1rG8qX63tntf3Z5sVxFOnW/9zVJv/J2cY2FjhXiuBuvV/v9strP97wGzy/33QxosdBfQ96UoeYgzTm6frSn1ktyTdrH3qgXymVIv/eYQf+juAGvx3+8Pi738OD4bN/Y+9UOEMQVmbhGqfzKva81NAVMckKu0pJiNQSFL4dsG8o6QY4Y8dN8yeXoXSq8wrf4C9zjO7eOkJu2bS/IFI+skc1P/w4w9WenJDw+REM3/84UaxVpWTf8eUw4i1NmvkZCIcqIeoSKu17uhIsVruYEtdGwkYX95LBVP1PlokNdf3NxECEEFem554Vl0pUvzStaK6YyQoYPLyvBENx5wc5c58leL5wk5W7tnsx+6bNsT/uRnRx/kBWG387/VKv/88bO7/74WSi0PTmctVNIfBcG+pNLenqn1jpPMCaZXuE72fnDF5AZFD4drKn6iMUE8xcmtjFXVASBJ9dSBtHXSClpWPa63h4JS2LAtwrcol81J6Kl4V3suBWssG0dZ6zFSia2NLS01koEDuGo8qVLhnBOKBufF6T3abIHdXKZ2MioKs8jWkEfrnvyyr+m6N+fYSVZ39q/vNL9Hq8vNIP2fH/hgSPKJ5CJlxvCQRE1Tq4ZlJGYlRuy3c2QLzz1T+xSNzB3+OOXFcFmT87MkRt6R9o36LmwjPXbRK2uG5FjiZOnrXW9VzSNzpOonzJXf3lLh1NSWegk06Ts/5BYyy8s6R2V1JfrPYamJ7Qw011FBDDTXUUEMNNdRQQw2V6L8xGdXJAFAAAA==
   values:
     image: ghcr.io/stackitcloud/gardener-extension-acl:latest
 ---

@@ -15,9 +15,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
-	github.com/tidwall/gjson v1.18.0
 	golang.org/x/tools v0.32.0
-	gomodules.xyz/jsonpatch/v2 v2.5.0
 	gopkg.in/yaml.v3 v3.0.1
 	istio.io/api v1.25.2
 	istio.io/client-go v1.25.1
@@ -98,8 +96,6 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/afero v1.14.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
-	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -118,6 +114,7 @@ require (
 	golang.org/x/term v0.31.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect

@@ -332,12 +332,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
-github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
-github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
-github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
-github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
-Original file line number
+Diff line change
@@ Expand Up / @@ -133,6 +133,7 @@ rules: @@
       - create
       - update
       - patch
+      - delete
     - apiGroups:
       - networking.istio.io
       resources:
@@ Expand Down @@