From 48d5495329fca0f804772c6e28d51b98dbaf7db6 Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Tue, 21 Nov 2023 13:50:06 +0100
Subject: [PATCH] Allow egress to duros-storage API and duros-proxy. (#359)
---
 .../templates/duros-controller.yaml | 26 +++++++++++++++++++
 pkg/controller/controlplane/valuesprovider.go | 1 +
 2 files changed, 27 insertions(+)
diff --git a/charts/internal/control-plane/templates/duros-controller.yaml b/charts/internal/control-plane/templates/duros-controller.yaml
index 79e66322a..00d7644a1 100644
--- a/charts/internal/control-plane/templates/duros-controller.yaml
+++ b/charts/internal/control-plane/templates/duros-controller.yaml
@@ -89,6 +89,7 @@ spec:
 networking.gardener.cloud/from-prometheus: "allowed"
 networking.gardener.cloud/to-dns: "allowed"
 networking.gardener.cloud/to-shoot-apiserver: "allowed"
+ networking.gardener.cloud/to-private-networks: "allowed"
 networking.gardener.cloud/to-public-networks: "allowed"
 networking.gardener.cloud/to-runtime-apiserver: "allowed"
 networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: "allowed"
@@ -148,6 +149,31 @@ spec:
 name: shoot-access-duros-controller
 optional: false
 ---
+# for shooted seeds we typically talk to a grpc-proxy deployed to a namespace where we do not use gardener annotations
+# so for this special use-case, we create a dedicated network policy that allows talking to the grpc-proxy from
+# inside the cluster and through the internet such that communications works everywhere
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-from-duros-controller-to-storage
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: duros-controller
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - protocol: TCP
+ port: 443
+ # this is the duros-proxy that we typically deploy
+ - protocol: TCP
+ port: 25005
+---
 apiVersion: storage.metal-stack.io/v1
 kind: Duros
 metadata:
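Review bot: The new `egress-from-duros-controller-to-storage` policy in the second hunk opens TCP 443 and 25005 to `cidr: 0.0.0.0/0` with no `except` list, so every address the pod can route to is permitted on those ports — node and seed-internal services as well as any link-local metadata endpoint — and together with the `to-private-networks: "allowed"` label added in the first hunk the controller's egress on those ports is effectively unrestricted. If the in-cluster grpc-proxy is the only private destination, the two paths the comment describes could be separate peers — an `ipBlock` carrying an `except` for ranges that must stay unreachable (for instance `except: [169.254.0.0/16]`) for the internet path, and a `namespaceSelector`/`podSelector` peer for the proxy's namespace — instead of one world-open block. The port 443 entry also lacks the comment its sibling has; `# duros-storage API` above `- protocol: TCP` / `port: 443` would match the hunk's own style and the commit subject. The three leading comment lines should additionally say which destinations the `0.0.0.0/0` block is meant to cover, so a later reader does not tighten it and silently break the shooted-seed case.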
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
index 7d6ec1964..2372cfbd9 100644
--- a/pkg/controller/controlplane/valuesprovider.go
+++ b/pkg/controller/controlplane/valuesprovider.go
@@ -304,6 +304,7 @@ func NewValuesProvider(logger logr.Logger, controllerConfig config.ControllerCon
 {Type: &appsv1.Deployment{}, Name: "duros-controller"},
 {Type: &durosv1.Duros{}, Name: metal.DurosResourceName},
 {Type: &firewallv1.ClusterwideNetworkPolicy{}, Name: "allow-to-storage"},
+ {Type: &networkingv1.NetworkPolicy{}, Name: "egress-from-duros-controller-to-storage"},
 }...)
 cpShootChart.Objects = append(cpShootChart.Objects, []*chart.Object{
 {Type: &rbacv1.ClusterRole{}, Name: "system:duros-controller"},
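Review bot: The object name `"egress-from-duros-controller-to-storage"` on the added line is a bare string literal that has to match `metadata.name` in charts/internal/control-plane/templates/duros-controller.yaml, and nothing ties the two together, so a rename on either side would silently drop the policy from the chart's managed object list; the sibling Duros entry already avoids this by referencing `metal.DurosResourceName`. A comment on the added line, `// must match metadata.name of the NetworkPolicy in charts/internal/control-plane/templates/duros-controller.yaml`, would at least make the coupling visible, and hoisting the name into a constant next to `metal.DurosResourceName` would be better still. The hunk relies on `networkingv1` already being imported in this file; the diffstat reports only this single insertion, so that appears to be the case but is not visible here. `NewValuesProvider` begins and ends outside the hunk.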