Create an internal NetworkPolicy for konnectivity+apiserver to communicate with itself #12348
Merged: kubermatic-bot merged 1 commit into kubermatic:main from embik:internal-apiserver-networkpolicy on Jun 7, 2023
Conversation
…self Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
kubermatic-bot added the release-note, docs/none, dco-signoff: yes, kind/regression, do-not-merge/code-freeze, sig/cluster-management and size/M labels on Jun 7, 2023
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: embik
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
kubermatic-bot added the approved label on Jun 7, 2023
/lgtm
LGTM label has been added. Git tree hash: 5d6ad1b6997ea0a24168f6741e649f496ee0c615
embik added the code-freeze-approved label on Jun 7, 2023
kubermatic-bot removed the do-not-merge/code-freeze label on Jun 7, 2023
embik added a commit to kubermatic-bot/kubermatic that referenced this pull request on Jun 12, 2023:
…self (kubermatic#12348) Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
embik added a commit to embik/kubermatic that referenced this pull request on Jun 12, 2023:
…self (kubermatic#12348) Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
kubermatic-bot added a commit that referenced this pull request on Jun 12, 2023:
…tivity-server's kubeconfig (#12345) * use internal kubeconfig reconciler to generate konnectivity-server's kubeconfig Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Create an internal NetworkPolicy for apiserver to communicate with itself (#12348) Signed-off-by: Marvin Beckers <marvin@kubermatic.com> --------- Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Co-authored-by: Marvin Beckers <marvin@kubermatic.com>
kubermatic-bot pushed a commit that referenced this pull request on Jun 13, 2023:
…tivity-server's kubeconfig (#12346) * [release/v2.21] use internal kubeconfig reconciler to generate konnectivity-server's kubeconfig (#12344) Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Create an internal NetworkPolicy for apiserver to communicate with itself (#12348) Signed-off-by: Marvin Beckers <marvin@kubermatic.com> --------- Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Labels:
approved: Indicates a PR has been approved by an approver from all required OWNERS files.
code-freeze-approved: Indicates a PR has been approved by release managers during code freeze.
dco-signoff: yes: Denotes that all commits in the pull request have the valid DCO signoff message.
docs/none: Denotes a PR that doesn't need documentation (changes).
kind/bug: Categorizes issue or PR as related to a bug.
kind/regression: Categorizes issue or PR as related to a regression from a prior release.
lgtm: Indicates that a PR is ready to be merged.
release-note: Denotes a PR that will be considered when it comes time to generate release notes.
sig/cluster-management: Denotes a PR or issue as being assigned to SIG Cluster Management.
size/M: Denotes a PR that changes 30-99 lines, ignoring generated files.
What this PR does / why we need it:
#12344 changed the way konnectivity-server talks to the kube-apiserver - from using the external endpoint to the internal one. This was unfortunately not covered by existing NetworkPolicies, so this PR adds a NetworkPolicy that allows apiserver to apiserver Pod communication (since konnectivity-server is part of that Pod).
I've been trying really hard to figure out why the external endpoint was chosen in the first place and went through the following PRs:
Not one of them explains or discusses why the external endpoint is necessary here. I don't see any reason for this other than this was the initially chosen design and subsequent PRs did not question it but tried to fix the as-is situation.
I was wondering if this could be something related to token validation, but looking at the same file in upstream examples, it even uses localhost there: https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/a38752dc9884a1fc1c32652eacb38aed21e4ab25/examples/kubernetes/kubeconfig#L11
Subsequently, I believe that this PR simplifies things a lot without having an impact on functionality.
Which issue(s) this PR fixes:
Fixes #
What type of PR is this?
/kind bug
/kind regression
Special notes for your reviewer:
Does this PR introduce a user-facing change? Then add your Release Note here:
Documentation:
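The self-referential NetworkPolicy the description above calls for, written out as an added example; it is not the manifest from the kubermatic PR, and the `app: apiserver` label, the `cluster-example` namespace and port 6443 are assumptions:

```yaml
# Added example, not the kubermatic PR's own manifest.
# Assumptions: apiserver Pods carry the label app: apiserver, the user-cluster
# namespace is cluster-example, and kube-apiserver listens on TCP 6443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: apiserver-internal
  namespace: cluster-example
spec:
  # Targets the apiserver Pod, which also hosts the konnectivity-server sidecar.
  podSelector:
    matchLabels:
      app: apiserver
  policyTypes:
    - Ingress
  ingress:
    # konnectivity-server now dials the internal Service endpoint instead of the
    # external one. That request is translated back to an apiserver Pod IP, so
    # the CNI sees ingress traffic whose source is an apiserver Pod. An existing
    # allow-list that only names other clients (e.g. controllers) therefore
    # blocks it; the "from" selector has to match the policy's own Pods.
    - from:
        - podSelector:
            matchLabels:
              app: apiserver
      ports:
        - protocol: TCP
          port: 6443
```

A `from` entry with only a `podSelector` matches Pods in the policy's own namespace, and NetworkPolicy rules are additive, so this can sit beside the existing apiserver ingress policy rather than replacing it. After applying it, `kubectl -n cluster-example describe networkpolicy apiserver-internal` should list the apiserver Pod selector under both the policy target and the allowed ingress sources.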