
Add NetworkPolicy for accessing the Seed Kubernetes API #12569

Merged
merged 1 commit into from
Aug 17, 2023

Conversation

embik
Member

@embik embik commented Aug 17, 2023

What this PR does / why we need it:

In #12450, I moved the etcd-running check from a plain script to etcd-launcher. However, etcd-launcher needs to fetch information from the Seed's Kubernetes API (mainly from the Cluster object).

Since the kube-apiserver Pod is locked down by the NetworkPolicies feature that is on by default, this can cause problems with i/o timeouts caused by NetworkPolicies blocking access.

This PR discovers IPs and FQDNs in the EndpointSlices for the kubernetes.default service and creates a corresponding NetworkPolicy object in the user cluster namespace so that the etcd-running InitContainer can successfully fetch information to discover the etcd cluster.

Which issue(s) this PR fixes:

Fixes #

What type of PR is this?
/kind regression

Special notes for your reviewer:

Does this PR introduce a user-facing change? Then add your Release Note here:

Create a NetworkPolicy for user cluster kube-apiserver to access the Seed Kubernetes API

Documentation:

NONE

…ster kube-apiserver

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
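The mechanism described above (read the EndpointSlices behind `kubernetes.default`, turn the discovered addresses into an egress NetworkPolicy for the user cluster namespace), as an added illustration that is not the PR's own code. It assumes the EndpointSlice JSON shape of `discovery.k8s.io/v1`; the sample slices, namespace and pod labels are constructed, and handing FQDN endpoints back to the caller is an assumption, since the PR does not say how KKP handles them.

```python
"""Build an egress NetworkPolicy from the EndpointSlices behind kubernetes.default."""
import ipaddress

# Constructed sample (not real data) in the shape of
# `kubectl get endpointslice -n default -l kubernetes.io/service-name=kubernetes -o json`.
SAMPLE_SLICES = [
    {"addressType": "IPv4",
     "endpoints": [{"addresses": ["10.0.1.10"], "conditions": {"ready": True}},
                   {"addresses": ["10.0.1.11"], "conditions": {"ready": True}},
                   {"addresses": ["10.0.1.10"], "conditions": {"ready": True}},    # duplicate
                   {"addresses": ["10.0.1.12"], "conditions": {"ready": False}}],  # not ready
     "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}]},
    {"addressType": "FQDN",
     "endpoints": [{"addresses": ["api.seed.example.internal"], "conditions": {"ready": True}}],
     "ports": [{"name": "https", "port": 443, "protocol": "TCP"}]},
]


def seed_apiserver_policy(slices, namespace, pod_labels, name="allow-seed-apiserver"):
    """Return (NetworkPolicy manifest, FQDN endpoints that could not be expressed).

    One egress rule per EndpointSlice, so each slice's ports stay bound to its own
    addresses. Only IPv4/IPv6 endpoints become ipBlock peers (host CIDRs, /32 or
    /128). NetworkPolicy has no FQDN peer type, so FQDN endpoints are handed back
    to the caller (assumption: the PR does not say how KKP resolves them).
    """
    rules, fqdns = [], []
    for s in slices:
        peers, seen = [], set()
        for ep in s.get("endpoints", []):
            if not ep.get("conditions", {}).get("ready", True):
                continue  # a not-ready endpoint is not a destination we need to open
            for addr in ep.get("addresses", []):
                if s["addressType"] == "FQDN":
                    fqdns.append(addr)
                    continue
                ip = ipaddress.ip_address(addr)  # raises on junk instead of emitting a bad CIDR
                cidr = f"{ip}/{ip.max_prefixlen}"
                if cidr not in seen:
                    seen.add(cidr)
                    peers.append({"ipBlock": {"cidr": cidr}})
        # An egress rule whose "to" list is empty allows ALL destinations; never emit one.
        if peers:
            ports = [{"protocol": p.get("protocol", "TCP"), "port": p["port"]} for p in s["ports"]]
            rules.append({"to": peers, "ports": ports})
    policy = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"podSelector": {"matchLabels": pod_labels},
                 "policyTypes": ["Egress"],
                 "egress": rules},
    }
    return policy, fqdns
```

With `policyTypes: [Egress]`, the selected pods lose all other egress, so the pod selector should match only the workload that needs the Seed API (here the kube-apiserver Pod running the etcd-running InitContainer).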
@kubermatic-bot kubermatic-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. docs/none Denotes a PR that doesn't need documentation (changes). dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. kind/regression Categorizes issue or PR as related to a regression from a prior release. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 17, 2023
@embik
Member Author

embik commented Aug 17, 2023

/retest

Contributor

@xrstf xrstf left a comment


/approve

@kubermatic-bot kubermatic-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 17, 2023
@kubermatic-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: embik, xrstf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubermatic-bot
Contributor

LGTM label has been added.

Git tree hash: b3fbc07a8a1e5e3a120a12af9457fb6a8198db26

@kubermatic-bot kubermatic-bot merged commit e1db8eb into kubermatic:main Aug 17, 2023
21 checks passed
@kubermatic-bot kubermatic-bot added this to the KKP 2.24 milestone Aug 17, 2023
@embik embik deleted the etcd-running-networkpolicy branch August 17, 2023 14:12