
Conversation

rfranzke
Member

@rfranzke rfranzke commented Mar 5, 2025

How to categorize this PR?

/area security
/kind enhancement

What this PR does / why we need it:
With #8204, we introduced the automatic injection of a garden cluster kubeconfig into extension deployments in the seed clusters. This PR makes this an explicit opt-in feature (a new field injectGardenKubeconfig in the ControllerDeployment must be set to true) to make sure only extensions that really request/need it really get this kubeconfig injection ("PoLP").

Special notes for your reviewer:
/cc @ScheererJ
FYI @timebertt

Release note:

The injection of a garden cluster kubeconfig into extension deployments running in the seed cluster does NO LONGER happen automatically. If you need it, make sure to set `.injectGardenKubeconfig=true` in your `ControllerDeployment` resources before you upgrade your `gardenlet`s to this version.
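A pre-upgrade audit of the kind the release note asks for, written here as an added example and not Gardener code: it walks a set of constructed `ControllerDeployment` manifests and reports which ones carry the explicit `injectGardenKubeconfig: true` opt-in and which would silently lose the injection once `gardenlet` is upgraded. The top-level placement of the field, the sample names and the chart references are assumptions.

```python
"""Added example (not Gardener code): pre-upgrade audit for the new opt-in.

Scans ControllerDeployment manifests already parsed into dicts (e.g. from
`kubectl get controllerdeployments -o json` or from manifest files in a repo)
and groups them by whether they explicitly request the garden kubeconfig.
"""
from typing import Any

# Constructed sample manifests; names and chart references are placeholders.
SAMPLE_DEPLOYMENTS: list[dict[str, Any]] = [
    {"apiVersion": "core.gardener.cloud/v1", "kind": "ControllerDeployment",
     "metadata": {"name": "extension-needs-garden-access"},
     "injectGardenKubeconfig": True,
     "helm": {"ociRepository": {"ref": "registry.example/ext-a:v0.0.0"}}},
    {"apiVersion": "core.gardener.cloud/v1", "kind": "ControllerDeployment",
     "metadata": {"name": "extension-relied-on-implicit-injection"},
     "helm": {"ociRepository": {"ref": "registry.example/ext-b:v0.0.0"}}},
    {"apiVersion": "core.gardener.cloud/v1", "kind": "ControllerDeployment",
     "metadata": {"name": "extension-misconfigured"},
     "injectGardenKubeconfig": "true",  # string in a manifest file, not a bool
     "helm": {"ociRepository": {"ref": "registry.example/ext-c:v0.0.0"}}},
]


def wants_garden_kubeconfig(deployment: dict[str, Any]) -> bool:
    """Opt-in counts only when the field is present and literally boolean true."""
    return deployment.get("injectGardenKubeconfig") is True


def classify(deployments: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Group deployments by opt-in state. 'invalid' catches non-boolean values
    that the API server would reject but a manifest file in a repo may carry."""
    report: dict[str, list[str]] = {"opted_in": [], "not_opted_in": [], "invalid": []}
    for d in deployments:
        name = d.get("metadata", {}).get("name", "<unnamed>")
        value = d.get("injectGardenKubeconfig")
        if value is True:
            report["opted_in"].append(name)
        elif value is None or value is False:
            report["not_opted_in"].append(name)  # loses injection after upgrade
        else:
            report["invalid"].append(name)
    return report


if __name__ == "__main__":
    for state, names in classify(SAMPLE_DEPLOYMENTS).items():
        print(f"{state}: {', '.join(names) or '-'}")
```

Every name under `not_opted_in` is an extension whose `ControllerDeployment` has to be updated before the `gardenlet` upgrade if it still needs garden cluster access.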

@gardener-prow gardener-prow bot requested a review from ScheererJ March 5, 2025 15:13
@gardener-prow gardener-prow bot added area/security Security related kind/enhancement Enhancement, improvement, extension cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Mar 5, 2025
@rfranzke
Member Author

rfranzke commented Mar 5, 2025

/cherry-pick release-v1.114

@gardener-ci-robot
Contributor

@rfranzke: once the present PR merges, I will cherry-pick it on top of release-v1.114 in a new PR and assign it to you.

In response to this:

/cherry-pick release-v1.114

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gardener-prow gardener-prow bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Mar 5, 2025
@ScheererJ
Member

/assign

Member

@ScheererJ ScheererJ left a comment


Thanks for adhering to the principle of least privilege. This is a nice improvement in the security posture of Gardener.

/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2025
Contributor

gardener-prow bot commented Mar 5, 2025

LGTM label has been added.

Git tree hash: 65136bdb109c55ab8875a7c7444671b14e507381

Contributor

gardener-prow bot commented Mar 5, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ScheererJ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm Indicates that a PR is ready to be merged. labels Mar 5, 2025
@gardener-prow gardener-prow bot requested a review from ScheererJ March 5, 2025 16:48
Member

@ScheererJ ScheererJ left a comment


/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2025
Contributor

gardener-prow bot commented Mar 5, 2025

LGTM label has been added.

Git tree hash: 2377b53e64dff3eeac0c3b77d8faf4d4713979b8

@rfranzke rfranzke force-pushed the garden-kubeconfig branch from 686c490 to 27b09a3 Compare March 5, 2025 18:37
@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2025
@gardener-prow gardener-prow bot requested a review from ScheererJ March 5, 2025 18:37
@rfranzke
Member Author

rfranzke commented Mar 5, 2025

/cherry-pick release-v1.114

@gardener-ci-robot
Contributor

@rfranzke: once the present PR merges, I will cherry-pick it on top of release-v1.114 in a new PR and assign it to you.

In response to this:

/cherry-pick release-v1.114

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@vpnachev
Member

vpnachev commented Mar 5, 2025

make generate needs to be run:
M example/provider-local/garden/operator/extension.yaml

@rfranzke rfranzke force-pushed the garden-kubeconfig branch from 2bbcee4 to 6e93b51 Compare March 6, 2025 07:24
@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 6, 2025
@rfranzke rfranzke requested a review from timuthy March 6, 2025 07:25
@rfranzke
Member Author

rfranzke commented Mar 6, 2025

/unhold

@gardener-prow gardener-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 6, 2025
Member

@timuthy timuthy left a comment


/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Mar 6, 2025
Contributor

gardener-prow bot commented Mar 6, 2025

LGTM label has been added.

Git tree hash: 63f7680aca35961a43d6fa48769688d2bd90e585

@gardener-prow gardener-prow bot merged commit 6a44fd0 into gardener:master Mar 6, 2025
19 checks passed
@rfranzke rfranzke deleted the garden-kubeconfig branch March 6, 2025 10:03
@gardener-ci-robot
Contributor

@rfranzke: new pull request created: #11607

In response to this:

/cherry-pick release-v1.114

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

rfranzke added a commit to rfranzke/gardener that referenced this pull request Mar 31, 2025
rfranzke added a commit to rfranzke/gardener that referenced this pull request Apr 1, 2025
gardener-prow bot pushed a commit that referenced this pull request Apr 4, 2025
* Cleanup migration logic for e2e upgrade tests

From #11593, released with `v1.115.0`

* Filter {Managed}Seeds in gardenlet on manager.Manager level

#11479, released with `v1.114.0`

* No longer generate empty `Secret` for `reconcile` OSC

#11004, released with `v1.111.0`
axel7born pushed a commit to axel7born/gardener that referenced this pull request Apr 11, 2025
* Cleanup migration logic for e2e upgrade tests

From gardener#11593, released with `v1.115.0`

* Filter {Managed}Seeds in gardenlet on manager.Manager level

gardener#11479, released with `v1.114.0`

* No longer generate empty `Secret` for `reconcile` OSC

gardener#11004, released with `v1.111.0`