
Revendor g/g v1.71 and implement FullNetworkPolicies. (#354)
Gerrit91 authored Nov 17, 2023
1 parent 56f1007 commit cb0e5eb
Showing 21 changed files with 115 additions and 321 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -75,7 +75,7 @@ check: $(GOIMPORTS) $(GOLANGCI_LINT) $(HELM)
@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/check-charts.sh ./charts

.PHONY: generate
generate: $(HELM)
generate: $(HELM) $(YQ)
@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate.sh ./charts/... ./cmd/... ./pkg/...

.PHONY: generate-in-docker
Expand Up @@ -19,11 +19,17 @@ spec:
{{- end }}
checksum/configmap-{{ include "name" . }}-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if and .Values.metrics.enableScraping }}
prometheus.io/name: "{{ .Release.Name }}"
prometheus.io/scrape: "true"
# default metrics endpoint in controller-runtime
prometheus.io/port: "8080"
prometheus.io/port: "{{ .Values.metricsPort }}"
{{- end }}
labels:
networking.gardener.cloud/to-runtime-apiserver: allowed
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-private-networks: allowed
networking.resources.gardener.cloud/to-all-shoots-kube-apiserver-tcp-443: allowed
{{ include "labels" . | indent 8 }}
spec:
containers:
Expand All @@ -44,6 +50,9 @@ spec:
- --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
- --disable-controllers={{ .Values.disableControllers | join "," }}
- --disable-webhooks={{ .Values.disableWebhooks | join "," }}
{{- if .Values.metricsPort }}
- --metrics-bind-address=:{{ .Values.metricsPort }}
{{- end }}
- --health-bind-address=:{{ .Values.healthPort }}
- --gardener-version={{ .Values.gardener.version }}
env:
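Review bot: The `{{- if .Values.metricsPort }}` guard around `--metrics-bind-address` is inconsistent with the unconditional `prometheus.io/port: "{{ .Values.metricsPort }}"` annotation a few lines above it: with the value unset the flag is omitted and controller-runtime presumably keeps serving on its default (the removed comment names 8080), while the annotation renders as an empty string and the scrape target is wrong. Either drop the guard or make the value mandatory, e.g. `- --metrics-bind-address=:{{ required "metricsPort must be set" .Values.metricsPort }}`, so the flag, the annotation and the policy annotations on the Service always agree. The pod template also gains both `to-public-networks` and `to-private-networks`; I cannot tell from this hunk which destinations each is needed for, so a short comment per label (e.g. `# to-private-networks: metal-api reachability`) would make later tightening possible. The pod template continues outside the hunk.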
Expand Up @@ -62,6 +62,7 @@ rules:
- configmaps
- endpoints
- deployments
- deployments/scale
- services
- serviceaccounts
- clusterroles
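Review bot: `deployments/scale` is added to a rule whose verbs and binding scope are outside this hunk; if that rule carries `update` or `patch`, the extension can rescale any Deployment the role reaches, not only the ones it manages. A one-line comment stating which controller needs the scale subresource and for which Deployment (e.g. `# deployments/scale: <controller> scales <deployment>`) would record the least-privilege justification, and `resourceNames` could narrow it if the set of Deployments is fixed.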
Expand Up @@ -3,6 +3,15 @@ kind: Service
metadata:
name: {{ include "name" . }}
namespace: {{ .Release.Namespace }}
annotations:
networking.resources.gardener.cloud/from-world-to-ports: '[{"protocol":"TCP","port":{{ .Values.webhookConfig.serverPort }}}]'
networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"port":{{ .Values.metricsPort }},"protocol":"TCP"}]'
networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":{{ .Values.webhookConfig.serverPort }}}]'
networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"kubernetes.io/metadata.name":"garden"}},{"matchLabels":{"gardener.cloud/role":"shoot"}}]'
networking.resources.gardener.cloud/pod-label-selector-namespace-alias: extensions
# TODO: This label approach is deprecated and no longer needed in the future. Remove them as soon as gardener/[email protected] has been released.
networking.resources.gardener.cloud/from-policy-pod-label-selector: all-seed-scrape-targets
networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":{{ .Values.metricsPort }},"protocol":"TCP"}]'
labels:
{{ include "labels" . | indent 4 }}
spec:
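Review bot: The new `*-allowed-ports` and `from-world-to-ports` annotations interpolate `.Values.metricsPort` and `.Values.webhookConfig.serverPort` bare inside a JSON literal, so an unset value renders as `{"port":,"protocol":"TCP"}`, which is not valid JSON and will presumably be rejected by the policy reconciler rather than by `helm template`; the deployment template guards `metricsPort` with an `if`, so an empty value is evidently considered possible. Use `{{ required "metricsPort must be set" .Values.metricsPort }}` (and the same for the webhook port) so the chart fails at render time instead of silently yielding no NetworkPolicy and a blocked metrics or webhook path. The TODO on the deprecated `from-policy-*` lines names the removal milestone as `gardener/[email protected]`, which looks like a mangled version string; please spell out the actual gardener/gardener release so the labels get cleaned up. `from-world-to-ports` intentionally admits the webhook port from any source, leaving the webhook's TLS and client authentication as the only gate — worth a one-line comment so nobody "fixes" it later.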
1 change: 1 addition & 0 deletions charts/gardener-extension-provider-metal/values.yaml
Expand Up @@ -6,6 +6,7 @@ image:
replicaCount: 1
resources: {}

metricsPort: 8080
healthPort: 8081

controllers:
Expand Up @@ -48,6 +48,7 @@ spec:
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: "allowed"
spec:
tolerations:
- effect: NoExecute
Expand Up @@ -38,7 +38,6 @@ rules:
- update
- patch
- create

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
Expand Down Expand Up @@ -87,6 +86,12 @@ spec:
metadata:
labels:
app: duros-controller
networking.gardener.cloud/from-prometheus: "allowed"
networking.gardener.cloud/to-dns: "allowed"
networking.gardener.cloud/to-shoot-apiserver: "allowed"
networking.gardener.cloud/to-public-networks: "allowed"
networking.gardener.cloud/to-runtime-apiserver: "allowed"
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: "allowed"
spec:
# required to be able to read the duros cr from the seed
automountServiceAccountToken: true
Expand Up @@ -99,6 +99,12 @@ spec:
metadata:
labels:
app: firewall-controller-manager
networking.gardener.cloud/from-prometheus: "allowed"
networking.gardener.cloud/to-dns: "allowed"
networking.gardener.cloud/to-public-networks: "allowed"
networking.gardener.cloud/to-shoot-apiserver: "allowed"
networking.gardener.cloud/to-runtime-apiserver: "allowed"
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: "allowed"
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
Expand All @@ -114,6 +120,7 @@ spec:
- -log-level=info
- -seed-api-url={{ .Values.firewallControllerManager.seedApiURL }}
- -shoot-api-url={{ .Values.firewallControllerManager.shootApiURL }}
- -internal-shoot-api-url=https://kube-apiserver
- -cluster-id={{ .Values.firewallControllerManager.clusterID }}
- -enable-leader-election
- -metal-api-url={{ .Values.firewallControllerManager.metalapi.url }}
Expand Down Expand Up @@ -167,6 +174,10 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app: firewall-controller-manager
annotations:
networking.resources.gardener.cloud/from-world-to-ports: '[{"protocol":"TCP","port":9443}]'
networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":9443}]'
networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"protocol":"TCP","port":2112}]'
spec:
type: ClusterIP
clusterIP: None
Expand Down Expand Up @@ -338,20 +349,3 @@ webhooks:
resources:
- firewalldeployments
sideEffects: None
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
name: allow-to-firewall-controller-manager-webhook
namespace: {{ .Release.Namespace }}
spec:
ingress:
- ports:
- port: 9443
protocol: TCP
podSelector:
matchLabels:
app: firewall-controller-manager
policyTypes:
- Ingress
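Review bot: The Service annotations hard-code `9443` and `2112`, while the deployment hunk shows neither the container ports nor the flags that set them; if the webhook or metrics port is ever changed in the controller args, the generated NetworkPolicies silently stop matching and traffic is dropped. Consider sourcing both ports from values, as the provider-metal deployment does with `.Values.webhookConfig.serverPort` and `.Values.metricsPort`, or at least add `# must match the webhook (9443) and metrics (2112) ports served by the Deployment above` next to the annotations. `from-world-to-ports` on 9443 reproduces the deleted `allow-to-firewall-controller-manager-webhook` policy, which had no `from` restriction, so the webhook's TLS and client authentication remain the only gate — acceptable, but state it in a comment. `-internal-shoot-api-url=https://kube-apiserver` is likewise a hard-coded literal next to `*-api-url` flags that come from values; the container args continue outside this hunk.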
102 changes: 0 additions & 102 deletions charts/internal/control-plane/templates/network-policies.yaml

This file was deleted.

Expand Up @@ -29,9 +29,8 @@ spec:
networking.gardener.cloud/to-dns: allowed
networking.gardener.cloud/to-public-networks: allowed
networking.gardener.cloud/to-private-networks: allowed
networking.gardener.cloud/to-seed-apiserver: allowed
networking.gardener.cloud/to-shoot-apiserver: allowed
networking.gardener.cloud/from-prometheus: allowed
networking.gardener.cloud/to-runtime-apiserver: allowed
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
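Review bot: `networking.gardener.cloud/from-prometheus` is removed from the pod labels without a visible replacement; under the annotation-based model this commit introduces, scraping depends on a `networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports` annotation on this component's Service, which is not in this hunk — please confirm it exists, otherwise metrics ingress is silently blocked once the policies are enforced. The hunk header (`-29,9 +29,8`) also implies a third line was removed that the rendered view does not distinguish; if `to-shoot-apiserver` was replaced by `to-kube-apiserver-tcp-443`, a comment on the label naming the kube-apiserver it targets would help chart readers. The enclosing pod template starts outside the hunk.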

This file was deleted.

