Restrict gardenlet access for Seed resources
#11062
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
a73e0f1 to
d85f217
Compare
|
/unhold e2e tests look good, PR is ready to go. |
c70f7de to
568196f
Compare
|
The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
You can:
/lifecycle stale |
|
/remove-lifecycle stale |
|
/assign |
timuthy
requested changes
Jan 17, 2025
568196f to
fd5ec2f
Compare
|
Added fd5ec2f to address review comment (#11062 (comment)) and rebased PR. |
|
There is an rebase error in |
fd5ec2f to
4c6e4d2
Compare
|
/retest-required |
|
/test pull-gardener-e2e-kind-migration |
The `gardenlet` only updates its own `Seed`, so there is no need to have these verbs as part of the "always allowed" list.
The only place where `gardenlet` deletes `Seed` resources is in its `ManagedSeed` controller via https://github.com/gardener/gardener/blob/48169a21cfbfd5a515a7374c729c9de9111e5bd2/pkg/controller/gardenletdeployer/actuator.go#L304-L311. Now, the graph is consulted and asked whether the `gardenlet` is allowed to delete it.
- own name - optional: name of parent seed in case the `Seed` is a managed seed This allows to use a label selector in `gardenlet` when watching `Seed`s. Similar to gardener#9089
only the name of the parent seed (i.e., the name of the seed that is used in the referenced shoot)
… label selector
This should not be activated in the same release since we have to
make sure that all `{Managed}Seed`s get the label first (which usually
only happens when the `gardenlet`s make their first request for updating
the `{Managed}Seed` status).
If we rolled this out in one release (gardenlet cache already
restricted), the `{Managed}Seed`s wouldn't have the labels yet, hence
the `gardenlet`s wouldn't see any `{Managed}Seed`s.
The controller is ought to remove the `ShootReadyForMigration` constraint in case it missed the event during migration.
The `ReadyForMigration` taint was previously removed at the beginning of the `migration` phase. However, if the migration reconcile flow restarts then gardenlet will end up again and stuck in the check ready-for-migration check (see https://github.com/gardener/gardener/blob/4c6e4d23d2725c93ac77cae246095e20af75d86a/pkg/gardenlet/controller/shoot/shoot/reconciler.go#L161). With this change the constraint is removed during the `restore` phase.
4c6e4d2 to
725c3d8
Compare
|
/test pull-gardener-e2e-kind-ha-multi-zone |
|
/assign |
|
/test pull-gardener-e2e-kind-operator |
ScheererJ
approved these changes
Jan 27, 2025
|
LGTM label has been added. Git tree hash: d13e0b85d4302c81b0b41740fcd89b05001d21e7
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ScheererJ The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Roncossek
pushed a commit
to Roncossek/gardener
that referenced
this pull request
Jan 27, 2025
* No longer unconditionally allow `update`, `patch` verbs for `Seed`s The `gardenlet` only updates its own `Seed`, so there is no need to have these verbs as part of the "always allowed" list. * No longer unconditionally allow `delete` verb for `Seed`s The only place where `gardenlet` deletes `Seed` resources is in its `ManagedSeed` controller via https://github.com/gardener/gardener/blob/48169a21cfbfd5a515a7374c729c9de9111e5bd2/pkg/controller/gardenletdeployer/actuator.go#L304-L311. Now, the graph is consulted and asked whether the `gardenlet` is allowed to delete it. * New controller in GCM writing `ReadyForMigration` shoot constraint * Maintain seed labels on `Seed` resource - own name - optional: name of parent seed in case the `Seed` is a managed seed This allows to use a label selector in `gardenlet` when watching `Seed`s. Similar to gardener#9089 * Maintain seed label on `ManagedSeed` resource only the name of the parent seed (i.e., the name of the seed that is used in the referenced shoot) * Add TODO for restricting `gardenlet` watches on `{Managed}Seed`s with label selector This should not be activated in the same release since we have to make sure that all `{Managed}Seed`s get the label first (which usually only happens when the `gardenlet`s make their first request for updating the `{Managed}Seed` status). If we rolled this out in one release (gardenlet cache already restricted), the `{Managed}Seed`s wouldn't have the labels yet, hence the `gardenlet`s wouldn't see any `{Managed}Seed`s. * Improve `migration` controller The controller is ought to remove the `ShootReadyForMigration` constraint in case it missed the event during migration. * Remove constraint only during restoration The `ReadyForMigration` taint was previously removed at the beginning of the `migration` phase. However, if the migration reconcile flow restarts then gardenlet will end up again and stuck in the check ready-for-migration check (see https://github.com/gardener/gardener/blob/4c6e4d23d2725c93ac77cae246095e20af75d86a/pkg/gardenlet/controller/shoot/shoot/reconciler.go#L161). With this change the constraint is removed during the `restore` phase. * Change to external config * Address review comments --------- Co-authored-by: Tim Usner <tim.usner@sap.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
How to categorize this PR?
/area security
/kind enhancement
What this PR does / why we need it:
See #11034 for details.
Which issue(s) this PR fixes:
Fixes #11034
Special notes for your reviewer:
/hold
The last commit should be dropped - I have to revert it once the tests pass. Otherwise, PR is ready for review.
Release note: