Add NetworkPolicy for accessing the Seed Kubernetes API #12569
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
In #12450, I moved the
etcd-running
check from a plain script toetcd-launcher
. However,etcd-launcher
needs to fetch information from the Seed's Kubernetes API (mainly from theCluster
object).Since the kube-apiserver Pod is locked down by the NetworkPolicies feature that is on by default, this can cause problems with i/o timeouts caused by
NetworkPolicies
blocking access.This PR discovers IPs and FQDNs in the
EndpointSlices
for thekubernetes.default
service and creates a correspondingNetworkPolicy
object in the user cluster namespace so that theetcd-running
InitContainer can successfully fetch information to discover the etcd cluster.Which issue(s) this PR fixes:
Fixes #
What type of PR is this?
/kind regression
Special notes for your reviewer:
Does this PR introduce a user-facing change? Then add your Release Note here:
Documentation: