[GEP-28] Handle networking and control plane components #11892
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Skipping CI for Draft Pull Request. |
|
/assign |
ScheererJ
reviewed
Apr 16, 2025
f5ae781 to
a43b8ee
Compare
a43b8ee to
a5c2ad2
Compare
36320bb to
d23d2d2
Compare
ScheererJ
reviewed
Apr 17, 2025
- there is no VPN :)
- They might serve webhooks necessary for the subsequent steps (e.g., deployment of `kube-proxy`)
- only for autonomous shoots - we now deploy the control plane amespace (i.e., in fact we apply some labels to kube-system (besides others, gardener.cloud/role=shoot will be added) to make the webhooks work)
- This basically adds the `gardener.cloud/purpose=kube-system` label to the `kube-system` namespace (see https://github.com/gardener/gardener/blob/0df3391737ca7c36cd58279845a46c832ce4b422/pkg/component/shoot/namespaces/namespaces.go#L90-L101)
- the `ControllerInstallation` controller now passes information to extension controller Helm charts (when deploying them) in case the shoot is an autonomous shoot cluster - extensions can then use this information to adapt their behaviour (see next commit)
- if extension runs in an ASC, it now merges the shoot webhooks into the seed webhooks (without this, they would only be deployed when `gardenadm` or `gardenlet` create the `ControlPlane` resource later (not yet implemented)) - the `ControlPlane` controller does not include the shoot webhooks as part of its reconciliation in case the `ControlPlane` is for an ASC (no need since they are already deployed via the seed webhooks)
- We don't have any information of a garden cluster in `gardenadm init`, so we cannot inject anything - This becomes relevant only now because we deploy the extensions into the pod network (in bootstrap mode, this was skipped)
- Otherwise, the pods in the pod network cannot talk to the API server (or resolve DNS)
- without `.spec.region`, the validation webhook fails with
`2025-04-16T11:44:57.927Z ERROR Error {"flow": "init", "task":
"Deploying shoot control plane components", "error": "admission webhook
\"validation.extensions.controlplanes.resources.gardener.cloud\" denied
the request: ControlPlane.extensions.gardener.cloud \"root\" is invalid:
spec.region: Required value: field is required"}`
- without a cloud provider secret, the generic control plane actuator
fails with ` * task "Waiting until shoot control plane has been
reconciled" failed: Error while waiting for ControlPlane
kube-system/root to become ready: error during reconciliation: Error
reconciling ControlPlane: could not get secret
'kube-system/cloudprovider': Secret "cloudprovider" not found`
Otherwise, we would attempt to deploy a real pod into the cluster (which we don't want). Instead, we want a `StatefulSet` with `replicas=0` that we can translate into a static pod.
Result: ``` root@machine-0:/# k get deploy,sts NAME READY UP-TO-DATE AVAILABLE AGE ... deployment.apps/kube-apiserver 0/0 0 0 2m14s deployment.apps/kube-controller-manager 0/0 0 0 2m14s deployment.apps/kube-scheduler 0/0 0 0 2m14s NAME READY AGE statefulset.apps/etcd-events-0 0/0 2m14s statefulset.apps/etcd-main-0 0/0 2m14s ```
- we have to deactivate the NodeAgentAuthorizer feature for now since it only works with Machine objects (which we don't have) - we have to adapt the feature later (separately) - we don't have a machine image name/type for now, and that's a sane configuration
- GRM's system-components-config webhook now propagates respective tolerations to the pods managed by Gardener - GRM itself tolerates the taint if it is configured to propagate it to system component pods
d23d2d2 to
87a33f7
Compare
|
LGTM label has been added. Git tree hash: 48d2c79d95638300e8069a72db4f0e82a249f2a5
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ScheererJ The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ScheererJ
added a commit
to ScheererJ/gardener
that referenced
this pull request
May 9, 2025
The change merging the shoot and seed webhooks for autonomous shoot clusters (gardener#11892) assumed that extensions always had both validating as well as mutating webhooks. However, there are extensions, which only have one of them. They might also not have seed webhooks at all, but only shoot webhooks. In all those cases the initialisation was incomplete leading to potential nil dereferences when adding the shoot webhooks. This change resolves these problems.
ScheererJ
added a commit
to ScheererJ/gardener
that referenced
this pull request
May 9, 2025
The change merging the shoot and seed webhooks for autonomous shoot clusters (gardener#11892) assumed that extensions always had both validating as well as mutating webhooks. However, there are extensions, which only have one of them. They might also not have seed webhooks at all, but only shoot webhooks. In all those cases the initialisation was incomplete leading to potential nil dereferences when adding the shoot webhooks. This change resolves these problems.
gardener-prow bot
pushed a commit
that referenced
this pull request
May 12, 2025
…2040) The change merging the shoot and seed webhooks for autonomous shoot clusters (#11892) assumed that extensions always had both validating as well as mutating webhooks. However, there are extensions, which only have one of them. They might also not have seed webhooks at all, but only shoot webhooks. In all those cases the initialisation was incomplete leading to potential nil dereferences when adding the shoot webhooks. This change resolves these problems.
dimitar-kostadinov
added a commit
to dimitar-kostadinov/gardener-extension-registry-cache
that referenced
this pull request
Jun 17, 2025
dimitar-kostadinov
added a commit
to dimitar-kostadinov/gardener-extension-registry-cache
that referenced
this pull request
Jun 17, 2025
gardener-prow bot
pushed a commit
to gardener/gardener-extension-registry-cache
that referenced
this pull request
Jun 17, 2025
* Bump github.com/gardener/gardener from 1.117.6 to 1.118.3 * Adapt to breaking changes introduced in gardener/gardener#11892
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
How to categorize this PR?
/area ipcei
/kind enhancement
What this PR does / why we need it:
This PR is the next increment for
gardenadm init. It deployskube-proxy, theNetworkextension, CoreDNS, theNetworkPolicys, and finally re-deploysgardener-resource-managerand extension controllers into the pod network.In addition, the
ControlPlaneresource is deployed as well asDeployments/StatefulSetfor the control plane components that have to be translated to static pods. These resources are used to make extension webhooks work (i.e., still allow extensions to modify the control plane components).Finally, the
gardener-node-agentsystemd unit is activated, and the node is properly tainted with the commonnode-role.kubernetes.io/control-planetaint.Which issue(s) this PR fixes:
Part of #2906
Special notes for your reviewer:
/cc @ScheererJ
Still in draft because some unit tests are still missing.Release note: