Ensure NetworkPolicy for seed API server #2339
Few comments:
- There should be only 1 workqueue in which you'll put the namespaces in which the networkpolicy is effective - shoot and garden NS.
- The controller should listen for changes on `Endpoints`, `Namespaces` and `NetworkPolicies`.
- When the `kubernetes` `Endpoint` is updated then it will add to the namespaceQueue all namespaces in which this networkpolicy is effective - shoot and garden NS. It's better to do O(1) than O(n).
- When a `Namespace` is added, it will add its name to the queue.
- When a `NetworkPolicy` is added which is the one we'll reconcile, it will put the namespace in which it is in the namespaceQueue.
- The controller would simply do a get for the kubernetes endpoint (using a lister / cached client), then try to check if the policy is correct / needs updates. It'll only operate on a single namespace (O(1)).
Review threads (outdated, resolved):
- pkg/gardenlet/controller/federatedseed/apiserver-networkpolicy/controller.go
- pkg/gardenlet/controller/federatedseed/apiserver-networkpolicy/controller.go
Sure, makes sense. Atm. the endpoint worker updates all NetworkPolicies - by putting it on the namespace queue we could spread the load on multiple workers.
I would rather have, like it is implemented now, the controller creating the NetworkPolicy instead of the shoot reconciliation creating an empty NetworkPolicy. What would be the advantage of the latter?
What is the use case for also watching NetworkPolicies? As described above I would like to create and update it in the controller instead of applying it via helm chart in the reconcile. The only use case I see for that is when someone alters the NetworkPolicy so that we reconcile it back to the desired state. Is that a valid one or is the overhead too much because most likely that will not happen? EDIT: Updated to only work on the one namespace queue.
Force-pushed 5716ac6 to f0f53ec
Well the idea is that it'll always react on changes. If for example someone deletes this network policy, nothing will re-create it as nothing will add it to the queue. The only option would be to restart the controller or edit the namespace or kubernetes endpoint.
Force-pushed f0f53ec to 39a9577
@mvladev I was asking because the core Kubernetes controllers do not watch Endpoints resources - so a manual edit of an endpoints resource will not be reconciled back to its desired state. I have now added a NetworkPolicy watch here.
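The controller design agreed on in this thread (one namespace workqueue fed by Endpoints, Namespace and NetworkPolicy watches, an O(n) fan-out only when the apiserver endpoints change, and a policy that allows only the seed API server address, so a manually deleted policy is re-created on the next event) can be modelled end to end without a cluster. The following is an added illustration, not code from this PR or from gardenlet: the `Cluster`, `Controller` and `NetworkPolicy` types, the namespace names and the 10.0.0.x addresses are constructed stand-ins for client-go informers, listers and a workqueue; only the policy name `allow-to-seed-apiserver` comes from the thread.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Constructed stand-ins for client-go informers, listers and workqueue; only policyName is from the PR.
const policyName = "allow-to-seed-apiserver"

// NetworkPolicy is the subset of the egress policy we reconcile: allowed destination CIDRs.
type NetworkPolicy struct{ EgressCIDRs []string }

// Cluster is a fake cache: apiserver Endpoints addresses, namespace -> "policy effective here", policies keyed "ns/name".
type Cluster struct {
	APIServerAddrs []string
	Namespaces     map[string]bool
	Policies       map[string]NetworkPolicy
}

// Controller owns the single namespace queue; a set stands in for the workqueue, so duplicates reconcile once.
type Controller struct {
	queue   map[string]struct{}
	cluster *Cluster
}

// OnEndpointsUpdate is the one O(n) fan-out: every effective namespace is enqueued.
func (c *Controller) OnEndpointsUpdate() {
	for ns, effective := range c.cluster.Namespaces {
		if effective {
			c.queue[ns] = struct{}{}
		}
	}
}

// OnNamespaceAdd and OnNetworkPolicyEvent enqueue a single namespace, O(1).
// Watching the policy itself is what re-creates it after a manual delete.
func (c *Controller) OnNamespaceAdd(ns string) { c.queue[ns] = struct{}{} }
func (c *Controller) OnNetworkPolicyEvent(ns, name string) {
	if name == policyName {
		c.queue[ns] = struct{}{}
	}
}

// Reconcile one namespace: allow egress only to the apiserver addresses (as /32 host
// CIDRs, sorted for a stable comparison) and write only when missing or drifted.
func (c *Controller) Reconcile(ns string) bool {
	if !c.cluster.Namespaces[ns] {
		return false
	}
	var want NetworkPolicy
	for _, a := range c.cluster.APIServerAddrs {
		want.EgressCIDRs = append(want.EgressCIDRs, a+"/32")
	}
	sort.Strings(want.EgressCIDRs)
	key := ns + "/" + policyName
	if got, ok := c.cluster.Policies[key]; ok && reflect.DeepEqual(got, want) {
		return false
	}
	c.cluster.Policies[key] = want
	return true
}

// Run drains the queue and returns how many policies were written.
func (c *Controller) Run() (writes int) {
	for ns := range c.queue {
		delete(c.queue, ns)
		if c.Reconcile(ns) {
			writes++
		}
	}
	return writes
}

// RunScenario replays the cases from the thread on constructed data; returns writes per step.
func RunScenario() [4]int {
	cl := &Cluster{
		APIServerAddrs: []string{"10.0.0.5"},
		Namespaces:     map[string]bool{"shoot--foo--bar": true, "garden": true, "kube-system": false},
		Policies:       map[string]NetworkPolicy{},
	}
	c, w := &Controller{queue: map[string]struct{}{}, cluster: cl}, [4]int{}
	for ns := range cl.Namespaces { // startup: one add event per namespace
		c.OnNamespaceAdd(ns)
	}
	w[0] = c.Run()                           // 2: kube-system is not effective
	cl.APIServerAddrs = []string{"10.0.0.6"} // apiserver address changed
	c.OnEndpointsUpdate()
	w[1] = c.Run()                            // 2: both policies get the new /32
	delete(cl.Policies, "garden/"+policyName) // manual delete of the policy
	c.OnNetworkPolicyEvent("garden", policyName)
	w[2] = c.Run() // 1: only garden is re-created
	c.OnNetworkPolicyEvent("shoot--foo--bar", policyName)
	w[3] = c.Run() // 0: already in desired state
	return w
}

func main() { fmt.Println(RunScenario()) }
```

The point the scenario makes is the one from the review: the Endpoints handler is the only place that touches every namespace, every other event costs one queue entry, and because the policy itself is watched, a deletion lands back in the queue and is rewritten from the cached endpoints instead of waiting for a controller restart.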
Nice PR, looking forward to this feature! :)
Review threads (outdated, resolved):
- pkg/gardenlet/controller/federatedseed/namespace/namespace_reconciler.go
- pkg/gardenlet/controller/federatedseed/namespace/helper/helper.go
- pkg/gardenlet/controller/federatedseed/namespace/helper/helper.go
- pkg/gardenlet/controller/federatedseed/namespace/endpoints_controller.go
- pkg/gardenlet/controller/federatedseed/namespace/endpoints_controller.go
Command "/ to keep the NetworkPolicy "allow-to-seed-apiserver" in sync." either unknown, wrongly parameterized or not permitted for issue/PR.
/area networking
Force-pushed 39a9577 to f25d6a4
/needs rebase
Force-pushed f25d6a4 to d2353c5
Force-pushed a0aaea5 to d59b1ed
PTAL @mvladev
Force-pushed d59b1ed to f4fed46
Force-pushed f4fed46 to e8542c2
Just a small nit
Review thread (outdated, resolved):
- pkg/gardenlet/controller/federatedseed/networkpolicy/namespace_reconciler.go
Force-pushed e8542c2 to 980d180
I think the test needs another test run - an unrelated test failed due to timeout.
/lgtm
```improvement operator
Required network policies for Cert-Management have been aligned with the latest changes from Gardener (gardener/gardener#2339).
```
What this PR does / why we need it:
The gardenlet deploys Network Policies that should isolate the workload in the Shoot namespace in the seed from the Seed components.
This PR creates two controllers that are responsible for the creation and update of the network policy "allow-to-seed-apiserver".
Which issue(s) this PR fixes:
Fixes #2287
Special notes for your reviewer:
The dependency watchdog prober was relying on the allow-to-seed-apiserver NetworkPolicy, which allowed a too broad set of IP ranges including public IPs. Now that the allow-to-seed-apiserver Policy only allows the Seed API server IP, the dependency watchdog prober needs the NetworkPolicy "allow-to-public".
@mvladev
Release note:
How to categorize this PR?
/area networking
/kind enhancement
/priority critical