metal-stack · Gerrit91 · Aug 11, 2022 · Aug 9, 2022
diff --git a/pkg/operation/botanist/component/kubeapiserverexposure/kube_apiserver_sni.go b/pkg/operation/botanist/component/kubeapiserverexposure/kube_apiserver_sni.go
@@ -98,11 +98,12 @@ type envoyFilterTemplateValues struct {
 
 func (s *sni) Deploy(ctx context.Context) error {
 	var (
-		destinationRule = s.emptyDestinationRule()
-		envoyFilter     = s.emptyEnvoyFilter()
-		gateway         = s.emptyGateway()
-		virtualService  = s.emptyVirtualService()
-		accessControl   = s.allowAllAuthorizationPolicy()
+		destinationRule        = s.emptyDestinationRule()
+		envoyFilter            = s.emptyEnvoyFilter()
+		gateway                = s.emptyGateway()
+		virtualService         = s.emptyVirtualService()
+		accessControlAPIServer = s.emptyAuthorizationPolicyApiServer()
+		accessControlVPNServer = s.emptyAuthorizationPolicyVpnServer()
 
 		hostName        = fmt.Sprintf("%s.%s.svc.%s", v1beta1constants.DeploymentNameKubeAPIServer, s.namespace, gardencorev1beta1.DefaultDomain)
 		envoyFilterSpec bytes.Buffer
@@ -191,44 +192,27 @@ func (s *sni) Deploy(ctx context.Context) error {
 		return err
 	}
 
-	accessControlSpec := accessControl.Spec.DeepCopy()
-	if s.values.AccessControl != nil {
-		action, err := toIstioAuthPolicyAction(s.values.AccessControl.Action)
+	if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, s.client, accessControlAPIServer, func() error {
+		accessControlAPIServer.Labels = getLabels()
+		spec, err := s.getAccessControlAPIServerSpec()
 		if err != nil {
 			return err
 		}
 
-		accessControlSpec = &istioapisecurityv1beta1.AuthorizationPolicy{
-			Action: action,
-			Rules: []*istioapisecurityv1beta1.Rule{{
-				From: []*istioapisecurityv1beta1.Rule_From{{
-					Source: &istioapisecurityv1beta1.Source{
-						IpBlocks:          notNilSlice(s.values.AccessControl.Source.IPBlocks),
-						NotIpBlocks:       notNilSlice(s.values.AccessControl.Source.NotIPBlocks),
-						RemoteIpBlocks:    notNilSlice(s.values.AccessControl.Source.RemoteIPBlocks),
-						NotRemoteIpBlocks: notNilSlice(s.values.AccessControl.Source.NotRemoteIPBlocks),
-					},
-				}},
-			}},
-		}
+		accessControlAPIServer.Spec = *spec.DeepCopy()
+		return nil
+	}); err != nil {
+		return err
 	}
 
-	if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, s.client, accessControl, func() error {
-		accessControl.Labels = getLabels()
-		accessControl.Spec = istioapisecurityv1beta1.AuthorizationPolicy{
-			Action: accessControlSpec.Action,
-			Rules:  accessControlSpec.Rules,
-			Selector: &istiov1beta1.WorkloadSelector{
-				MatchLabels: s.values.IstioIngressGateway.Labels,
-			},
+	if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, s.client, accessControlVPNServer, func() error {
+		accessControlVPNServer.Labels = getLabels()
+		spec, err := s.getAccessControlVpnServerSpec()
+		if err != nil {
+			return err
 		}
 
-		for i := range accessControl.Spec.Rules {
-			accessControl.Spec.Rules[i].When = []*istioapisecurityv1beta1.Condition{{
-				Key:    "connection.sni",
-				Values: s.values.Hosts,
-			}}
-		}
+		accessControlVPNServer.Spec = *spec.DeepCopy()
 		return nil
 	}); err != nil {
 		return err
@@ -245,7 +229,8 @@ func (s *sni) Destroy(ctx context.Context) error {
 		s.emptyEnvoyFilter(),
 		s.emptyGateway(),
 		s.emptyVirtualService(),
-		s.allowAllAuthorizationPolicy(),
+		s.emptyAuthorizationPolicyApiServer(),
+		s.emptyAuthorizationPolicyVpnServer(),
 	)
 }
 
@@ -268,17 +253,82 @@ func (s *sni) emptyVirtualService() *istionetworkingv1beta1.VirtualService {
 	return &istionetworkingv1beta1.VirtualService{ObjectMeta: metav1.ObjectMeta{Name: v1beta1constants.DeploymentNameKubeAPIServer, Namespace: s.namespace}}
 }
 
-func (s *sni) allowAllAuthorizationPolicy() *istiosecurity1beta1.AuthorizationPolicy {
-	return &istiosecurity1beta1.AuthorizationPolicy{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      s.namespace,
-			Namespace: s.values.IstioIngressGateway.Namespace,
-		},
-		Spec: istioapisecurityv1beta1.AuthorizationPolicy{
-			Action: istioapisecurityv1beta1.AuthorizationPolicy_ALLOW,
-			Rules:  []*istioapisecurityv1beta1.Rule{{From: []*istioapisecurityv1beta1.Rule_From{}}},
+func (s *sni) emptyAuthorizationPolicy(name string) *istiosecurity1beta1.AuthorizationPolicy {
+	return &istiosecurity1beta1.AuthorizationPolicy{ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: s.values.IstioIngressGateway.Namespace}}
+}
+
+func (s *sni) emptyAuthorizationPolicyApiServer() *istiosecurity1beta1.AuthorizationPolicy {
+	return s.emptyAuthorizationPolicy(s.namespace + "-api-server")
+}
+
+func (s *sni) emptyAuthorizationPolicyVpnServer() *istiosecurity1beta1.AuthorizationPolicy {
+	return s.emptyAuthorizationPolicy(s.namespace + "-vpn-server")
+}
+
+func (s *sni) getAccessControlSpec() (*istioapisecurityv1beta1.AuthorizationPolicy, error) {
+	var err error
+	action := istioapisecurityv1beta1.AuthorizationPolicy_ALLOW
+	rules := []*istioapisecurityv1beta1.Rule{{From: []*istioapisecurityv1beta1.Rule_From{}}}
+
+	if s.values.AccessControl != nil {
+		ac := s.values.AccessControl
+		action, err = toIstioAuthPolicyAction(ac.Action)
+		if err != nil {
+			return nil, err
+		}
+
+		rules = []*istioapisecurityv1beta1.Rule{{
+			From: []*istioapisecurityv1beta1.Rule_From{{
+				Source: &istioapisecurityv1beta1.Source{
+					IpBlocks:          notNilSlice(ac.Source.IPBlocks),
+					NotIpBlocks:       notNilSlice(ac.Source.NotIPBlocks),
+					RemoteIpBlocks:    notNilSlice(ac.Source.RemoteIPBlocks),
+					NotRemoteIpBlocks: notNilSlice(ac.Source.NotRemoteIPBlocks),
+				},
+			}},
+		}}
+	}
+
+	accessControlSpec := istioapisecurityv1beta1.AuthorizationPolicy{
+		Selector: &istiov1beta1.WorkloadSelector{
+			MatchLabels: s.values.IstioIngressGateway.Labels,
 		},
+		Action: action,
+		Rules:  rules,
+	}
+	return &accessControlSpec, nil
+}
+
+func (s *sni) getAccessControlAPIServerSpec() (*istioapisecurityv1beta1.AuthorizationPolicy, error) {
+	control, err := s.getAccessControlSpec()
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range control.Rules {
+		control.Rules[i].When = []*istioapisecurityv1beta1.Condition{{
+			Key:    "connection.sni",
+			Values: s.values.Hosts,
+		}}
+	}
+
+	return control, nil
+}
+
+func (s *sni) getAccessControlVpnServerSpec() (*istioapisecurityv1beta1.AuthorizationPolicy, error) {
+	control, err := s.getAccessControlSpec()
+	if err != nil {
+		return nil, err
 	}
+
+	for i := range control.Rules {
+		control.Rules[i].When = []*istioapisecurityv1beta1.Condition{{
+			Key:    "request.headers[reversed-vpn]",
+			Values: []string{fmt.Sprintf("outbound|1194||vpn-seed-server.%s.svc.cluster.local", s.namespace)},
+		}}
+	}
+
+	return control, nil
 }
 
 // AnyDeployedSNI returns true if any SNI is deployed in the cluster.

diff --git a/pkg/operation/botanist/component/kubeapiserverexposure/kube_apiserver_sni_test.go b/pkg/operation/botanist/component/kubeapiserverexposure/kube_apiserver_sni_test.go
@@ -16,6 +16,7 @@ package kubeapiserverexposure_test
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/gardener/gardener/pkg/client/kubernetes"
 	"github.com/gardener/gardener/pkg/client/kubernetes/test"
@@ -70,7 +71,8 @@ var _ = Describe("#SNI", func() {
 		expectedDestinationRule       *istionetworkingv1beta1.DestinationRule
 		expectedGateway               *istionetworkingv1beta1.Gateway
 		expectedVirtualService        *istionetworkingv1beta1.VirtualService
-		expectedAccessControl         *istiosecurity1beta1.AuthorizationPolicy
+		expectedAccessControlVpn      *istiosecurity1beta1.AuthorizationPolicy
+		expectedAccessControlApi      *istiosecurity1beta1.AuthorizationPolicy
 		expectedEnvoyFilterObjectMeta metav1.ObjectMeta
 	)
 
@@ -197,13 +199,13 @@ var _ = Describe("#SNI", func() {
 				}},
 			},
 		}
-		expectedAccessControl = &istiosecurity1beta1.AuthorizationPolicy{
+		expectedAccessControlApi = &istiosecurity1beta1.AuthorizationPolicy{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: istiosecurity1beta1.SchemeGroupVersion.String(),
 				Kind:       "AuthorizationPolicy",
 			},
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      namespace,
+				Name:      namespace + "-api-server",
 				Namespace: istioNamespace,
 				Labels: map[string]string{
 					"app":  "kubernetes",
@@ -228,6 +230,38 @@ var _ = Describe("#SNI", func() {
 				},
 			},
 		}
+
+		expectedAccessControlVpn = &istiosecurity1beta1.AuthorizationPolicy{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: istiosecurity1beta1.SchemeGroupVersion.String(),
+				Kind:       "AuthorizationPolicy",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      namespace + "-vpn-server",
+				Namespace: istioNamespace,
+				Labels: map[string]string{
+					"app":  "kubernetes",
+					"role": "apiserver",
+				},
+				ResourceVersion: "1",
+			},
+			Spec: istioapisecurityv1beta1.AuthorizationPolicy{
+				Rules: []*istioapisecurityv1beta1.Rule{{
+					From: []*istioapisecurityv1beta1.Rule_From{{
+						Source: &istioapisecurityv1beta1.Source{
+							IpBlocks: ipBlocks,
+						},
+					}},
+					When: []*istioapisecurityv1beta1.Condition{{
+						Key:    "request.headers[reversed-vpn]",
+						Values: []string{fmt.Sprintf("outbound|1194||vpn-seed-server.%s.svc.cluster.local", namespace)},
+					}},
+				}},
+				Selector: &istiov1beta1.WorkloadSelector{
+					MatchLabels: istioLabels,
+				},
+			},
+		}
 	})
 
 	JustBeforeEach(func() {
@@ -264,9 +298,13 @@ var _ = Describe("#SNI", func() {
 			Expect(c.Get(ctx, kutil.Key(expectedVirtualService.Namespace, expectedVirtualService.Name), actualVirtualService)).To(Succeed())
 			Expect(cmp.Diff(expectedVirtualService, actualVirtualService, protocmp.Transform())).To(BeEmpty())
 
-			actualAccessControl := &istiosecurity1beta1.AuthorizationPolicy{}
-			Expect(c.Get(ctx, kutil.Key(expectedAccessControl.Namespace, expectedAccessControl.Name), actualAccessControl)).To(Succeed())
-			Expect(cmp.Diff(expectedAccessControl, actualAccessControl, protocmp.Transform())).To(BeEmpty())
+			actualAccessControlApi := &istiosecurity1beta1.AuthorizationPolicy{}
+			Expect(c.Get(ctx, kutil.Key(expectedAccessControlApi.Namespace, expectedAccessControlApi.Name), actualAccessControlApi)).To(Succeed())
+			Expect(cmp.Diff(expectedAccessControlApi, actualAccessControlApi, protocmp.Transform())).To(BeEmpty())
+
+			actualAccessControlVpn := &istiosecurity1beta1.AuthorizationPolicy{}
+			Expect(c.Get(ctx, kutil.Key(expectedAccessControlVpn.Namespace, expectedAccessControlVpn.Name), actualAccessControlVpn)).To(Succeed())
+			Expect(cmp.Diff(expectedAccessControlVpn, actualAccessControlVpn, protocmp.Transform())).To(BeEmpty())
 
 			actualEnvoyFilter := &istionetworkingv1alpha3.EnvoyFilter{}
 			Expect(c.Get(ctx, kutil.Key(expectedEnvoyFilterObjectMeta.Namespace, expectedEnvoyFilterObjectMeta.Name), actualEnvoyFilter)).To(Succeed())
@@ -281,15 +319,17 @@ var _ = Describe("#SNI", func() {
 		Expect(c.Get(ctx, kutil.Key(expectedDestinationRule.Namespace, expectedDestinationRule.Name), &istionetworkingv1beta1.DestinationRule{})).To(Succeed())
 		Expect(c.Get(ctx, kutil.Key(expectedGateway.Namespace, expectedGateway.Name), &istionetworkingv1beta1.Gateway{})).To(Succeed())
 		Expect(c.Get(ctx, kutil.Key(expectedVirtualService.Namespace, expectedVirtualService.Name), &istionetworkingv1beta1.VirtualService{})).To(Succeed())
-		Expect(c.Get(ctx, kutil.Key(expectedAccessControl.Namespace, expectedAccessControl.Name), &istiosecurity1beta1.AuthorizationPolicy{})).To(Succeed())
+		Expect(c.Get(ctx, kutil.Key(expectedAccessControlApi.Namespace, expectedAccessControlApi.Name), &istiosecurity1beta1.AuthorizationPolicy{})).To(Succeed())
+		Expect(c.Get(ctx, kutil.Key(expectedAccessControlVpn.Namespace, expectedAccessControlVpn.Name), &istiosecurity1beta1.AuthorizationPolicy{})).To(Succeed())
 		Expect(c.Get(ctx, kutil.Key(expectedEnvoyFilterObjectMeta.Namespace, expectedEnvoyFilterObjectMeta.Name), &istionetworkingv1alpha3.EnvoyFilter{})).To(Succeed())
 
 		Expect(defaultDepWaiter.Destroy(ctx)).To(Succeed())
 
 		Expect(c.Get(ctx, kutil.Key(expectedDestinationRule.Namespace, expectedDestinationRule.Name), &istionetworkingv1beta1.DestinationRule{})).To(BeNotFoundError())
 		Expect(c.Get(ctx, kutil.Key(expectedGateway.Namespace, expectedGateway.Name), &istionetworkingv1beta1.Gateway{})).To(BeNotFoundError())
 		Expect(c.Get(ctx, kutil.Key(expectedVirtualService.Namespace, expectedVirtualService.Name), &istionetworkingv1beta1.VirtualService{})).To(BeNotFoundError())
-		Expect(c.Get(ctx, kutil.Key(expectedAccessControl.Namespace, expectedAccessControl.Name), &istiosecurity1beta1.AuthorizationPolicy{})).To(BeNotFoundError())
+		Expect(c.Get(ctx, kutil.Key(expectedAccessControlApi.Namespace, expectedAccessControlApi.Name), &istiosecurity1beta1.AuthorizationPolicy{})).To(BeNotFoundError())
+		Expect(c.Get(ctx, kutil.Key(expectedAccessControlVpn.Namespace, expectedAccessControlVpn.Name), &istiosecurity1beta1.AuthorizationPolicy{})).To(BeNotFoundError())
 		Expect(c.Get(ctx, kutil.Key(expectedEnvoyFilterObjectMeta.Namespace, expectedEnvoyFilterObjectMeta.Name), &istionetworkingv1alpha3.EnvoyFilter{})).To(BeNotFoundError())
 	})