Merge pull request #2066 from rfranzke/feature/seed-admission

Gardener Seed Admission Controller

.ci/component_descriptor

@@ -8,7 +8,7 @@ images="$(yaml2json < $images_file)"
 echo "enriching creating component descriptor from ${BASE_DEFINITION_PATH}"
 
 eval "$(jq -r ".images |
-  map(select(.name != \"gardenlet\") |
+  map(select(.sourceRepository != \"github.com/gardener/gardener\") |
     if (.name == \"hyperkube\" or .name == \"kube-apiserver\" or .name == \"kube-controller-manager\" or .name == \"kube-scheduler\" or .name == \"kube-proxy\") then
       \"--generic-dependencies '{\\\"name\\\": \\\"\" + .name + \"\\\", \\\"version\\\": \\\"\" + .tag + \"\\\"}'\"
     elif (.repository | startswith(\"eu.gcr.io/gardener-project/gardener\")) then

Dockerfile

@@ -12,8 +12,11 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go install \
             -X github.com/gardener/gardener/pkg/version.buildDate=$(date --iso-8601=seconds)" \
   ./...
 
+############# base
+FROM alpine:3.11.3 AS base
+
 #############      apiserver     #############
-FROM alpine:3.11.3 AS apiserver
+FROM base AS apiserver
 
 RUN apk add --update tzdata
 
@@ -24,7 +27,7 @@ WORKDIR /
 ENTRYPOINT ["/gardener-apiserver"]
 
 ############# controller-manager #############
-FROM alpine:3.11.3 AS controller-manager
+FROM base AS controller-manager
 
 RUN apk add --update tzdata
 
@@ -36,7 +39,7 @@ WORKDIR /
 ENTRYPOINT ["/gardener-controller-manager"]
 
 ############# scheduler #############
-FROM alpine:3.11.3 AS scheduler
+FROM base AS scheduler
 
 COPY --from=builder /go/bin/gardener-scheduler /gardener-scheduler
 
@@ -45,7 +48,7 @@ WORKDIR /
 ENTRYPOINT ["/gardener-scheduler"]
 
 ############# gardenlet #############
-FROM alpine:3.11.3 AS gardenlet
+FROM base AS gardenlet
 
 RUN apk add --update openvpn tzdata
 
@@ -56,8 +59,17 @@ WORKDIR /
 
 ENTRYPOINT ["/gardenlet"]
 
+############# seed-admission-controller #############
+FROM base AS seed-admission-controller
+
+COPY --from=builder /go/bin/gardener-seed-admission-controller /gardener-seed-admission-controller
+
+WORKDIR /
+
+ENTRYPOINT ["/gardener-seed-admission-controller"]
+
 ############# registry-migrator #############
-FROM alpine:3.11.3 AS registry-migrator
+FROM base AS registry-migrator
 
 COPY --from=builder /go/bin/registry-migrator /registry-migrator
 

Makefile

@@ -16,6 +16,7 @@ REGISTRY                           := eu.gcr.io/gardener-project/gardener
 APISERVER_IMAGE_REPOSITORY         := $(REGISTRY)/apiserver
 CONROLLER_MANAGER_IMAGE_REPOSITORY := $(REGISTRY)/controller-manager
 SCHEDULER_IMAGE_REPOSITORY         := $(REGISTRY)/scheduler
+SEED_ADMISSION_IMAGE_REPOSITORY    := $(REGISTRY)/seed-admission-controller
 GARDENLET_IMAGE_REPOSITORY         := $(REGISTRY)/gardenlet
 IMAGE_TAG                          := $(shell cat VERSION)
 WORKDIR                            := $(shell pwd)
@@ -73,6 +74,10 @@ start-controller-manager:
 start-scheduler:
 	@./hack/start-scheduler
 
+.PHONY: start-seed-admission-controller
+start-seed-admission-controller:
+	@./hack/start-seed-admission-controller
+
 .PHONY: start-gardenlet
 start-gardenlet:
 	@./hack/start-gardenlet
@@ -103,6 +108,11 @@ build:
 		-ldflags "$(LD_FLAGS)" \
 		-o bin/gardener-scheduler \
 		cmd/gardener-scheduler/*.go
+	@CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build \
+		-mod=vendor \
+		-ldflags "$(LD_FLAGS)" \
+		-o bin/gardener-seed-admission-controller \
+		cmd/gardener-seed-admission-controller/*.go
 	@CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build \
 		-mod=vendor \
 		-ldflags "$(LD_FLAGS)" \
@@ -123,6 +133,7 @@ docker-images:
 	@docker build -t $(APISERVER_IMAGE_REPOSITORY):$(IMAGE_TAG)         -t $(APISERVER_IMAGE_REPOSITORY):latest         -f Dockerfile --target apiserver .
 	@docker build -t $(CONROLLER_MANAGER_IMAGE_REPOSITORY):$(IMAGE_TAG) -t $(CONROLLER_MANAGER_IMAGE_REPOSITORY):latest -f Dockerfile --target controller-manager .
 	@docker build -t $(SCHEDULER_IMAGE_REPOSITORY):$(IMAGE_TAG)         -t $(SCHEDULER_IMAGE_REPOSITORY):latest         -f Dockerfile --target scheduler .
+	@docker build -t $(SEED_ADMISSION_IMAGE_REPOSITORY):$(IMAGE_TAG)    -t $(SEED_ADMISSION_IMAGE_REPOSITORY):latest    -f Dockerfile --target seed-admission-controller .
 	@docker build -t $(GARDENLET_IMAGE_REPOSITORY):$(IMAGE_TAG)         -t $(GARDENLET_IMAGE_REPOSITORY):latest         -f Dockerfile --target gardenlet .
 
 .PHONY: docker-login
@@ -134,27 +145,19 @@ docker-push:
 	@if ! docker images $(APISERVER_IMAGE_REPOSITORY) | awk '{ print $$2 }' | grep -q -F $(IMAGE_TAG); then echo "$(APISERVER_IMAGE_REPOSITORY) version $(IMAGE_TAG) is not yet built. Please run 'make docker-images'"; false; fi
 	@if ! docker images $(CONROLLER_MANAGER_IMAGE_REPOSITORY) | awk '{ print $$2 }' | grep -q -F $(IMAGE_TAG); then echo "$(CONROLLER_MANAGER_IMAGE_REPOSITORY) version $(IMAGE_TAG) is not yet built. Please run 'make docker-images'"; false; fi
 	@if ! docker images $(SCHEDULER_IMAGE_REPOSITORY) | awk '{ print $$2 }' | grep -q -F $(IMAGE_TAG); then echo "$(SCHEDULER_IMAGE_REPOSITORY) version $(IMAGE_TAG) is not yet built. Please run 'make docker-images'"; false; fi
+	@if ! docker images $(SEED_ADMISSION_IMAGE_REPOSITORY) | awk '{ print $$2 }' | grep -q -F $(IMAGE_TAG); then echo "$(SEED_ADMISSION_IMAGE_REPOSITORY) version $(IMAGE_TAG) is not yet built. Please run 'make docker-images'"; false; fi
 	@if ! docker images $(GARDENLET_IMAGE_REPOSITORY) | awk '{ print $$2 }' | grep -q -F $(IMAGE_TAG); then echo "$(GARDENLET_IMAGE_REPOSITORY) version $(IMAGE_TAG) is not yet built. Please run 'make docker-images'"; false; fi
 	@gcloud docker -- push $(APISERVER_IMAGE_REPOSITORY):$(IMAGE_TAG)
 	@if [[ "$(PUSH_LATEST)" == "true" ]]; then gcloud docker -- push $(APISERVER_IMAGE_REPOSITORY):latest; fi
 	@gcloud docker -- push $(CONROLLER_MANAGER_IMAGE_REPOSITORY):$(IMAGE_TAG)
 	@if [[ "$(PUSH_LATEST)" == "true" ]]; then gcloud docker -- push $(CONROLLER_MANAGER_IMAGE_REPOSITORY):latest; fi
 	@gcloud docker -- push $(SCHEDULER_IMAGE_REPOSITORY):$(IMAGE_TAG)
 	@if [[ "$(PUSH_LATEST)" == "true" ]]; then gcloud docker -- push $(SCHEDULER_IMAGE_REPOSITORY):latest; fi
+	@gcloud docker -- push $(SEED_ADMISSION_IMAGE_REPOSITORY):$(IMAGE_TAG)
+	@if [[ "$(PUSH_LATEST)" == "true" ]]; then gcloud docker -- push $(SEED_ADMISSION_IMAGE_REPOSITORY):latest; fi
 	@gcloud docker -- push $(GARDENLET_IMAGE_REPOSITORY):$(IMAGE_TAG)
 	@if [[ "$(PUSH_LATEST)" == "true" ]]; then gcloud docker -- push $(GARDENLET_IMAGE_REPOSITORY):latest; fi
 
-.PHONY: rename-binaries
-rename-binaries:
-	@if [[ -f bin/gardener-apiserver ]]; then cp bin/gardener-apiserver gardener-apiserver-darwin-amd64; fi
-	@if [[ -f bin/gardener-controller-manager ]]; then cp bin/gardener-controller-manager gardener-controller-manager-darwin-amd64; fi
-	@if [[ -f bin/gardener-scheduler ]]; then cp bin/gardener-scheduler gardener-scheduler-darwin-amd64; fi
-	@if [[ -f bin/gardenlet ]]; then cp bin/gardenlet gardenlet-darwin-amd64; fi
-	@if [[ -f bin/rel/gardener-apiserver ]]; then cp bin/rel/gardener-apiserver gardener-apiserver-linux-amd64; fi
-	@if [[ -f bin/rel/gardener-controller-manager ]]; then cp bin/rel/gardener-controller-manager gardener-controller-manager-linux-amd64; fi
-	@if [[ -f bin/rel/gardener-scheduler ]]; then cp bin/rel/gardener-scheduler gardener-scheduler-linux-amd64; fi
-	@if [[ -f bin/rel/gardenlet ]]; then cp bin/rel/gardenlet gardenlet-linux-amd64; fi
-
 .PHONY: clean
 clean:
 	@rm -rf bin/

charts/images.yaml

@@ -4,10 +4,13 @@
 # the respective tag can be used. The syntax must be as described in the
 # Masterminds/semver package: https://github.com/Masterminds/semver#hyphen-range-comparisons.
 images:
-# Gardenlet
+# Gardener components
 - name: gardenlet
   sourceRepository: github.com/gardener/gardener
   repository: eu.gcr.io/gardener-project/gardener/gardenlet
+- name: gardener-seed-admission-controller
+  sourceRepository: github.com/gardener/gardener
+  repository: eu.gcr.io/gardener-project/gardener/seed-admission-controller
 
 # Seed bootstrap
 - name: pause-container

charts/seed-bootstrap/charts/etcd-druid/templates/etcd-crd.yaml

@@ -2,9 +2,11 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
+  name: etcds.druid.gardener.cloud
   annotations:
     controller-gen.kubebuilder.io/version: v0.2.4
-  name: etcds.druid.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: druid.gardener.cloud
   names:

charts/seed-bootstrap/charts/fluentd-es/templates/fluent-bit-configmap.yaml

@@ -103,7 +103,7 @@ data:
         Name                parser
         Match               kubernetes.etcd*backup-restore*
         Key_Name            log
-        Parser              geacParser
+        Parser              gsacParser
         Reserve_Data        True
 
     [FILTER]
@@ -198,6 +198,13 @@ data:
         Parser              curatorParser
         Reserve_Data        True
 
+    [FILTER]
+        Name                parser
+        Match               kubernetes.gardener-seed-admission-controller*gardener-seed-admission-controller*
+        Key_Name            log
+        Parser              gsacParser
+        Reserve_Data        True
+
     [FILTER]
         Name                parser
         Match               kubernetes.prometheus*prometheus*
@@ -357,7 +364,7 @@ data:
         Time_Format %Y-%m-%d %H:%M:%S.%L
 
     [PARSER]
-        Name        geacParser
+        Name        gsacParser
         Format      regex
         Regex       ^time="(?<time>\d{4}-\d{2}-\d{2}T[^"]*)"\s+level=(?<severity>\w+)\smsg="(?<log>.*)"
         Time_Key    time

charts/seed-bootstrap/templates/extensions/crd-backupbucket.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: backupbuckets.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-backupentry.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: backupentries.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-controlplane.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: controlplanes.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-dnsentry.yaml

@@ -3,6 +3,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: dnsentries.dns.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   scope: Namespaced
   group: dns.gardener.cloud

charts/seed-bootstrap/templates/extensions/crd-dnsprovider.yaml

@@ -3,6 +3,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: dnsproviders.dns.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: dns.gardener.cloud
   scope: Namespaced

charts/seed-bootstrap/templates/extensions/crd-extension.yaml

@@ -3,6 +3,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: extensions.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-infrastructure.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: infrastructures.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-managedresources.yaml

@@ -3,6 +3,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: managedresources.resources.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: resources.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-network.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: networks.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-operatingsystemconfig.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: operatingsystemconfigs.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/extensions/crd-worker.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: workers.extensions.gardener.cloud
+  labels:
+    gardener.cloud/deletion-protected: "true"
 spec:
   group: extensions.gardener.cloud
   versions:

charts/seed-bootstrap/templates/gardener-seed-admission-controller/deployment.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: {{ include "deploymentversion" . }}
+kind: Deployment
+metadata:
+  name: gardener-seed-admission-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: gardener
+    role: seed-admission-controller
+spec:
+  revisionHistoryLimit: 0
+  replicas: {{ .Values.gardenerSeedAdmissionController.replicas }}
+  selector:
+    matchLabels:
+      app: gardener
+      role: seed-admission-controller
+  template:
+    metadata:
+      labels:
+        app: gardener
+        role: seed-admission-controller
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: labels
+                operator: In
+                values:
+                - gardener
+              - key: role
+                operator: In
+                values:
+                - seed-admission-controller
+            topologyKey: kubernetes.io/hostname
+      containers:
+      - name: gardener-seed-admission-controller
+        image: {{ index .Values.global.images "gardener-seed-admission-controller" }}
+        imagePullPolicy: IfNotPresent
+        command:
+        - /gardener-seed-admission-controller
+        - --port=9443
+        - --tls-cert-path=/srv/gardener-seed-admission-controller/tls.crt
+        - --tls-private-key-path=/srv/gardener-seed-admission-controller/tls.key
+        {{- if .Values.gardenerSeedAdmissionController.resources }}
+        resources:
+{{ toYaml .Values.gardenerSeedAdmissionController.resources | indent 10 }}
+        {{- end }}
+        volumeMounts:
+          - mountPath: /srv/gardener-seed-admission-controller
+            name: gardener-seed-admission-controller-tls
+            readOnly: true
+      serviceAccountName: gardener-seed-admission-controller
+      volumes:
+        - name: gardener-seed-admission-controller-tls
+          secret:
+            secretName: gardener-seed-admission-controller-tls

charts/seed-bootstrap/templates/gardener-seed-admission-controller/poddisruptionbudget.yaml

@@ -0,0 +1,16 @@
+{{- if gt (int .Values.gardenerSeedAdmissionController.replicas) 1 }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: gardener-seed-admission-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: gardener
+    role: seed-admission-controller
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: gardener
+      role: seed-admission-controller
+{{- end }}