
Create an internal NetworkPolicy for konnectivity+apiserver to communicate with itself #12348

Merged

Conversation

embik
Member

@embik embik commented Jun 7, 2023

What this PR does / why we need it:
#12344 changed the way konnectivity-server talks to the kube-apiserver - from using the external endpoint to the internal one. This was unfortunately not covered by existing NetworkPolicies, so this PR adds a NetworkPolicy that allows apiserver to apiserver Pod communication (since konnectivity-server is part of that Pod).

I've been trying really hard to figure out why the external endpoint was chosen in the first place and went through the following PRs:

Not one of them explains or discusses why the external endpoint is necessary here. I don't see any reason for this other than this was the initially chosen design and subsequent PRs did not question it but tried to fix the as-is situation.

I was wondering if this could be something related to token validation, but looking at the same file in upstream examples, it even uses localhost there: https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/a38752dc9884a1fc1c32652eacb38aed21e4ab25/examples/kubernetes/kubeconfig#L11

Subsequently, I believe that this PR simplifies things a lot without having an impact on functionality.

Which issue(s) this PR fixes:

Fixes #

What type of PR is this?
/kind bug
/kind regression

Special notes for your reviewer:

Does this PR introduce a user-facing change? Then add your Release Note here:

An internal NetworkPolicy for apiserver communication is now being created and the previous NetworkPolicy `cluster-external-addr-allow` is cleaned up

Documentation:

NONE

…self

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
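As an added example (not the PR's own manifest, which is not shown on this page), this is the shape of ingress policy the description calls for: the kube-apiserver Pod, which also hosts konnectivity-server, is allowed to reach its own apiserver over the internal endpoint. The policy name, namespace, Pod labels and port are assumptions, not values taken from KKP.

```yaml
# Added example, not the PR's manifest. Name, namespace, labels and port are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: apiserver-internal-allow      # assumed name
  namespace: cluster-example          # assumed user-cluster control-plane namespace
spec:
  # Applies to the kube-apiserver Pods (assumed label).
  podSelector:
    matchLabels:
      app: apiserver
  policyTypes:
    - Ingress
  ingress:
    # Allow traffic whose source is a Pod with the same label, i.e. the
    # apiserver Pod itself (konnectivity-server runs inside it) when it
    # connects back through the internal endpoint.
    - from:
        - podSelector:
            matchLabels:
              app: apiserver
      ports:
        - protocol: TCP
          port: 6443                  # assumed apiserver secure port
```

Loopback traffic never leaves the Pod's network namespace and is not policed by NetworkPolicy, but a connection hairpinned through an internal Service IP is, so under a default-deny ingress policy on the apiserver Pods it fails without a rule like this.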
@embik embik requested a review from mate4st June 7, 2023 08:58
@embik embik self-assigned this Jun 7, 2023
@kubermatic-bot kubermatic-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. docs/none Denotes a PR that doesn't need documentation (changes). dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. kind/regression Categorizes issue or PR as related to a regression from a prior release. do-not-merge/code-freeze Indicates that a PR should not merge because it has not been approved for code freeze yet. sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 7, 2023
@kubermatic-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: embik

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubermatic-bot kubermatic-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 7, 2023
@embik embik added the kind/bug Categorizes issue or PR as related to a bug. label Jun 7, 2023
@embik embik requested a review from xrstf June 7, 2023 09:13
@embik embik added this to the KKP 2.23 milestone Jun 7, 2023
@mate4st
Contributor

mate4st commented Jun 7, 2023

/lgtm

@kubermatic-bot kubermatic-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 7, 2023
@kubermatic-bot
Contributor

LGTM label has been added.

Git tree hash: 5d6ad1b6997ea0a24168f6741e649f496ee0c615

@embik embik added the code-freeze-approved Indicates a PR has been approved by release managers during code freeze. label Jun 7, 2023
@kubermatic-bot kubermatic-bot removed the do-not-merge/code-freeze Indicates that a PR should not merge because it has not been approved for code freeze yet. label Jun 7, 2023
@kubermatic-bot kubermatic-bot merged commit 875fbe4 into kubermatic:main Jun 7, 2023
21 checks passed
@embik embik deleted the internal-apiserver-networkpolicy branch June 7, 2023 14:01
embik added a commit to kubermatic-bot/kubermatic that referenced this pull request Jun 12, 2023
…self (kubermatic#12348)

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
embik added a commit to embik/kubermatic that referenced this pull request Jun 12, 2023
…self (kubermatic#12348)

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
kubermatic-bot added a commit that referenced this pull request Jun 12, 2023
…tivity-server's kubeconfig (#12345)

* use internal kubeconfig reconciler to generate konnectivity-server's kubeconfig

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Create an internal NetworkPolicy for apiserver to communicate with itself (#12348)

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

---------

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com>
kubermatic-bot pushed a commit that referenced this pull request Jun 13, 2023
…tivity-server's kubeconfig (#12346)

* [release/v2.21] use internal kubeconfig reconciler to generate konnectivity-server's kubeconfig (#12344)

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Create an internal NetworkPolicy for apiserver to communicate with itself (#12348)

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

---------

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>