Fix Bastion deletion when SSHAccess is disabled (gardener#8421)

* allow bastion deletion if SSH access is disabled

* add suggested improvements

plugin/pkg/bastion/validator/admission.go

@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/admission"
 
+	gardencorehelper "github.com/gardener/gardener/pkg/apis/core/helper"
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	"github.com/gardener/gardener/pkg/apis/operations"
@@ -150,7 +151,7 @@ func (v *Bastion) Admit(ctx context.Context, a admission.Attributes, _ admission
 	}
 
 	// ensure shoot SSH access is not disabled
-	if shoot.Spec.Provider.WorkersSettings != nil && shoot.Spec.Provider.WorkersSettings.SSHAccess != nil && !shoot.Spec.Provider.WorkersSettings.SSHAccess.Enabled {
+	if bastion.DeletionTimestamp == nil && !gardencorehelper.ShootEnablesSSHAccess(shoot) {
 		fieldErr := field.Invalid(shootPath, shootName, "ssh access is disabled for worker nodes")
 		return apierrors.NewInvalid(gk, bastion.Name, field.ErrorList{fieldErr})
 	}

plugin/pkg/bastion/validator/admission_test.go

@@ -44,6 +44,7 @@ const (
 	bastionName = "foo"
 	shootName   = "foo"
 	seedName    = "foo"
+	workerName  = "foo"
 	namespace   = "garden"
 	provider    = "foo-provider"
 	region      = "foo-region"
@@ -71,6 +72,11 @@ var _ = Describe("Bastion", func() {
 					SeedName: pointer.String(seedName),
 					Provider: gardencore.Provider{
 						Type: provider,
+						Workers: []gardencore.Worker{
+							{
+								Name: workerName,
+							},
+						},
 					},
 					Region: region,
 				},
@@ -259,7 +265,26 @@ var _ = Describe("Bastion", func() {
 
 			oldBastion := bastion.DeepCopy()
 			oldBastion.ObjectMeta.Finalizers = []string{"foo"}
-			bastion.ObjectMeta.Finalizers = []string{""}
+			bastion.ObjectMeta.Finalizers = nil
+
+			err := admissionHandler.Admit(context.TODO(), getBastionAttributes(bastion, oldBastion, admission.Update), nil)
+			Expect(err).To(Succeed())
+		})
+
+		It("should allow the Bastion update on finalizers even if the Shoot's SSH access is disabled", func() {
+			shoot.Spec.Provider.WorkersSettings = &gardencore.WorkersSettings{
+				SSHAccess: &gardencore.SSHAccess{Enabled: false},
+			}
+			now := metav1.Now()
+			bastion.DeletionTimestamp = &now
+
+			coreClient.AddReactor("get", "shoots", func(action testing.Action) (bool, runtime.Object, error) {
+				return true, shoot, nil
+			})
+
+			oldBastion := bastion.DeepCopy()
+			oldBastion.ObjectMeta.Finalizers = []string{"foo"}
+			bastion.ObjectMeta.Finalizers = nil
 
 			err := admissionHandler.Admit(context.TODO(), getBastionAttributes(bastion, oldBastion, admission.Update), nil)
 			Expect(err).To(Succeed())