
Removing ACL extension from Shoot leaves ACL config in EnvoyFilter #47

Status: Open
timebertt (Member) opened this issue Apr 30, 2024 · 0 comments
Labels: bug (Something isn't working)

What happened:

When removing the ACL extension from the Shoot spec, it leaves the ACL config in the EnvoyFilter for the apiserver-proxy path (ingress-gateway/shoot--foo--bar) until the next shoot reconciliation.

What you expected to happen:

Removing the ACL extension from the Shoot spec should take effect on all paths immediately.

How to reproduce it (as minimally and precisely as possible):

  1. Create a shoot with the ACL extension enabled, e.g.:

```yaml
kind: Shoot
# ...
spec:
  extensions:
    - type: acl
      providerConfig:
        rule:
          action: ALLOW
          cidrs:
            - 1.2.3.4/32
          type: remote_ip
```

  2. Remove the ACL extension from the shoot spec.
  3. The shoot--foo--bar EnvoyFilter in the istio-ingress namespace is unchanged and still contains the ACL config injected by the webhook:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: shoot--foo--bar
  namespace: istio-ingress
spec:
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      context: ANY
      listener:
        portNumber: 8443
    patch:
      operation: ADD
      value:
        filter_chain_match:
          destination_port: 443
          prefix_ranges:
          - address_prefix: 100.83.42.91
            prefix_len: 32
        filters:
        - name: acl-internal-remote_ip
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
            rules:
              action: ALLOW
              policies:
                acl-internal:
                  permissions:
                  - any: true
                  principals:
                  - remote_ip:
                      address_prefix: 1.2.3.4
                      prefix_len: 32
                  # always allowed CIDRs...
            stat_prefix: envoyrbac
```

  4. Reconcile the shoot once again.
  5. The ACL config is removed from the EnvoyFilter.

Anything else we need to know?:

When removing the ACL extension from the shoot, the Extension object is deleted after gardenlet applied the EnvoyFilter.
On extension deletion, the extension controller triggers the EnvoyFilter webhook with an empty patch.
However, the webhook doesn't actively remove the ACL config (it responds without a patch).
Hence, the config is left until gardenlet applies the desired state of the EnvoyFilter again and the webhook doesn't act on the object anymore.
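The stale state described above can be checked for, and undone, by walking the EnvoyFilter's config patches and looking for the injected RBAC filter. The following Go program is an added illustration written for this issue; it is not code from the ACL extension or from Gardener. It assumes that injected filters are identifiable by an "acl-" name prefix together with an RBAC typed_config (matching the acl-internal-remote_ip filter shown above), works on a JSON rendering of the object, and embeds a constructed sample in which a hypothetical tcp_proxy filter sits next to the ACL filter so that the cleanup can be seen to leave unrelated filters alone.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample (not a real cluster object): a JSON rendering of the
// EnvoyFilter from the issue, trimmed to the fields inspected below. The
// tcp_proxy filter is an assumption added so the example can show that only
// the ACL filter is removed.
const sampleEnvoyFilter = `{
  "apiVersion": "networking.istio.io/v1alpha3",
  "kind": "EnvoyFilter",
  "metadata": {"name": "shoot--foo--bar", "namespace": "istio-ingress"},
  "spec": {"configPatches": [{
    "applyTo": "FILTER_CHAIN",
    "match": {"context": "ANY", "listener": {"portNumber": 8443}},
    "patch": {"operation": "ADD", "value": {
      "filter_chain_match": {"destination_port": 443},
      "filters": [
        {"name": "acl-internal-remote_ip",
         "typed_config": {
           "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
           "rules": {"action": "ALLOW"},
           "stat_prefix": "envoyrbac"}},
        {"name": "envoy.filters.network.tcp_proxy",
         "typed_config": {
           "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"}}
      ]}}
  }]}
}`

const rbacType = "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC"

// isACLFilter reports whether a network filter entry looks like one injected by
// the ACL webhook. Assumption: injected filters carry an "acl-" name prefix and
// an RBAC typed_config, as the acl-internal-remote_ip filter in the issue does.
func isACLFilter(f map[string]any) bool {
	name, _ := f["name"].(string)
	tc, _ := f["typed_config"].(map[string]any)
	typ, _ := tc["@type"].(string)
	return strings.HasPrefix(name, "acl-") && typ == rbacType
}

// eachPatchValue calls fn on every spec.configPatches[*].patch.value map.
func eachPatchValue(obj map[string]any, fn func(value map[string]any)) {
	spec, _ := obj["spec"].(map[string]any)
	patches, _ := spec["configPatches"].([]any)
	for _, p := range patches {
		pm, _ := p.(map[string]any)
		patch, _ := pm["patch"].(map[string]any)
		if value, ok := patch["value"].(map[string]any); ok {
			fn(value)
		}
	}
}

// LingeringACLFilters returns the names of ACL filters present in an EnvoyFilter
// JSON document. A non-empty result after the ACL extension was removed from the
// Shoot is the stale state the issue describes.
func LingeringACLFilters(doc []byte) ([]string, error) {
	var obj map[string]any
	if err := json.Unmarshal(doc, &obj); err != nil {
		return nil, err
	}
	var names []string
	eachPatchValue(obj, func(value map[string]any) {
		filters, _ := value["filters"].([]any)
		for _, f := range filters {
			if fm, ok := f.(map[string]any); ok && isACLFilter(fm) {
				names = append(names, fm["name"].(string))
			}
		}
	})
	return names, nil
}

// StripACLFilters removes every ACL filter and returns the rewritten document
// together with the number of filters dropped; other filters are kept as-is.
func StripACLFilters(doc []byte) ([]byte, int, error) {
	var obj map[string]any
	if err := json.Unmarshal(doc, &obj); err != nil {
		return nil, 0, err
	}
	removed := 0
	eachPatchValue(obj, func(value map[string]any) {
		filters, _ := value["filters"].([]any)
		if filters == nil {
			return // no filters list on this patch; leave the value untouched
		}
		kept := make([]any, 0, len(filters))
		for _, f := range filters {
			if fm, ok := f.(map[string]any); ok && isACLFilter(fm) {
				removed++
				continue
			}
			kept = append(kept, f)
		}
		value["filters"] = kept
	})
	out, err := json.Marshal(obj)
	return out, removed, err
}

func main() {
	before, _ := LingeringACLFilters([]byte(sampleEnvoyFilter))
	fmt.Println("ACL filters before cleanup:", before)
	out, n, err := StripACLFilters([]byte(sampleEnvoyFilter))
	if err != nil {
		panic(err)
	}
	after, _ := LingeringACLFilters(out)
	fmt.Printf("removed %d filter(s); ACL filters after cleanup: %v\n", n, after)
}
```

LingeringACLFilters is the check a reproduction of step 3 above boils down to: run it against the EnvoyFilter after the extension was removed and a non-empty result means the webhook left its injection behind. StripACLFilters shows the shape of the missing behaviour on the deletion path, producing an object with the injected filter removed rather than responding without a patch.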

Environment:

  • Gardener version: v1.85
  • Extension version: 72d7499
timebertt added the label "bug" on Apr 30, 2024
timebertt changed the title from "Removing ACL extension from Shoot leaves ACL for kube-apiserver via SNI access" to "Removing ACL extension from Shoot leaves ACL config in EnvoyFilter" on Apr 30, 2024