
Merge pull request #394 from metal-stack/fix-initial-dns
Fix DNS based CWNPs for network-isolated Clusters
vknabel authored Apr 22, 2024
2 parents 9f84afd + 5d1e38e commit b1f4c56
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions pkg/controller/worker/firewall_reconcile.go
Expand Up @@ -3,6 +3,8 @@ package worker
import (
"context"
"fmt"
"strconv"
"strings"

extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
Expand Down Expand Up @@ -136,6 +138,24 @@ func (a *actuator) ensureFirewallDeployment(ctx context.Context, log logr.Logger
deploy.Spec.Template.Spec.LogAcceptedConnections = d.infrastructureConfig.Firewall.LogAcceptedConnections
deploy.Spec.Template.Spec.SSHPublicKeys = []string{sshKey}

if d.partition.NetworkIsolation != nil &&
len(d.partition.NetworkIsolation.DNSServers) > 0 &&
networkAccessType != apismetal.NetworkAccessBaseline {
dnsAddr, portStr, ok := strings.Cut(d.partition.NetworkIsolation.DNSServers[0], ":")
deploy.Spec.Template.Spec.DNSServerAddress = dnsAddr

if ok {
p, err := strconv.ParseUint(portStr, 10, 64)
if err != nil {
return fmt.Errorf("invalid dns port:%q", portStr)
}
port := uint(p)
deploy.Spec.Template.Spec.DNSPort = &port
}
} else {
deploy.Spec.Template.Spec.DNSServerAddress = ""
}

if networkAccessType == apismetal.NetworkAccessForbidden {
if d.partition.NetworkIsolation == nil || len(d.partition.NetworkIsolation.AllowedNetworks.Egress) == 0 {
// we need at least some egress rules to reach our own registry etcpp, so no single egress rule MUST be an error
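Review bot: The `strings.Cut(..., ":")` on the DNSServers[0] line splits at the first colon, so an IPv6 server such as `[::1]:53` or a bare `::1` yields a wrong address (`[` or an empty string) and then fails in `strconv.ParseUint` with "invalid dns port"; `net.SplitHostPort` handles bracketed IPv6 and the no-port case, and `ParseUint(portStr, 10, 16)` would also reject ports above 65535 instead of silently truncating into `uint`. The error return should wrap the parse error (`fmt.Errorf("invalid dns port %q: %w", portStr, err)`) so callers keep the cause. I would also note that the `else` branch clears `DNSServerAddress` but leaves `DNSPort` untouched; if `deploy` is an object reused from a previous reconcile rather than freshly built, a stale port may survive there — worth confirming and resetting `DNSPort = nil` alongside. The enclosing function ensureFirewallDeployment starts before and continues past this hunk, and the rewrite below needs a `"net"` import added next to `"strconv"`.
```go
	dnsAddr := d.partition.NetworkIsolation.DNSServers[0]
	// net.SplitHostPort understands "[v6]:port"; a missing port leaves dnsAddr as the plain host.
	if host, portStr, err := net.SplitHostPort(dnsAddr); err == nil {
		p, err := strconv.ParseUint(portStr, 10, 16) // 16 bits: reject ports > 65535 up front
		if err != nil {
			return fmt.Errorf("invalid dns port %q: %w", portStr, err)
		}
		port := uint(p)
		deploy.Spec.Template.Spec.DNSPort = &port
		dnsAddr = host
	}
	deploy.Spec.Template.Spec.DNSServerAddress = dnsAddr
	// … unchanged: else branch clearing DNSServerAddress …
```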
