
Conversation

@timebertt timebertt (Member) commented Jul 3, 2023

How to categorize this PR?

/area security usability
/kind enhancement

What this PR does / why we need it:

This PR builds upon #8032 to equip extensions with access to the garden cluster.
For this, we

  • create a generic garden kubeconfig in extension namespaces
  • create a garden access secret in extension namespaces
  • inject both into objects deployed via ControllerInstallation
  • use the injected kubeconfig in provider-local to verify the feature in e2e tests

Extensions don't have any permissions in the garden cluster right now, only those in gardener.cloud:system:read-global-resources. The ServiceAccounts still need to be handled in Seed{Authorizer,Restriction}.

Which issue(s) this PR fixes:
Part of #8001

Special notes for your reviewer:

/cc @rfranzke

Based on https://github.com/gardener-community/hackathon/blob/main/2023-05_Leverkusen/README.md#-garden-cluster-access-for-extensions-in-seed-clusters / https://github.com/rfranzke/gardener/tree/hackathon/extensions-garden-access

Release note:

`github.com/gardener/gardener/pkg/utils/gardener.ShootAccessSecret` was renamed to `AccessSecret`.

@gardener-prow gardener-prow bot requested a review from rfranzke July 3, 2023 14:08
@gardener-prow gardener-prow bot added area/security Security related area/usability Usability related kind/enhancement Enhancement, improvement, extension cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Jul 3, 2023
@gardener-prow gardener-prow bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 3, 2023
@rfranzke rfranzke (Member) commented Jul 4, 2023

/assign

@rfranzke rfranzke (Member) left a comment

Sweet, nice PR, well structured!

@timebertt timebertt (Member, Author) commented

Thanks for your review @rfranzke. I addressed all suggestions, PTAL :)

@timebertt timebertt (Member, Author) commented

/retest-required

@rfranzke rfranzke (Member) commented Jul 5, 2023

Thanks, looks good now except for the failing unit test 👀

With the previous commits, `InjectGenericKubeconfig` also injects into init containers which makes vali unit tests fail.
Instead of working around it in the test, we adapt the component to only inject the kubeconfig into the `kube-rbac-proxy` container.
The other containers shouldn't need it.
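The two points above, the generic garden kubeconfig being injected into workloads deployed via `ControllerInstallation` (PR description) and the vali fix of injecting it only into the `kube-rbac-proxy` container instead of every container including init containers, as an added Go example. This is not Gardener's own code: it uses minimal stand-in types instead of `k8s.io/api/core/v1`, and the volume name, secret name, mount path, function names and the sample pod spec are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimal stand-ins for the Kubernetes PodSpec shape (constructed for this
// example; real code would use the k8s.io/api/core/v1 types).
type VolumeMount struct {
	Name      string
	MountPath string
	ReadOnly  bool
}

type Container struct {
	Name         string
	VolumeMounts []VolumeMount
}

type Volume struct {
	Name       string
	SecretName string // simplified secret volume source
}

type PodSpec struct {
	InitContainers []Container
	Containers     []Container
	Volumes        []Volume
}

// Assumed names for this example, not Gardener's constants.
const (
	gardenKubeconfigVolume = "garden-kubeconfig"
	gardenKubeconfigSecret = "generic-garden-kubeconfig"
	gardenKubeconfigPath   = "/var/run/secrets/gardener.cloud/garden-kubeconfig"
)

func hasVolume(spec *PodSpec, name string) bool {
	for _, v := range spec.Volumes {
		if v.Name == name {
			return true
		}
	}
	return false
}

func hasMount(c *Container, volume string) bool {
	for _, m := range c.VolumeMounts {
		if m.Name == volume {
			return true
		}
	}
	return false
}

// InjectGardenKubeconfig mounts the garden kubeconfig secret read-only into
// exactly the named regular containers. Init containers are never touched, so
// the credential is exposed only where the component needs it. Unknown names
// are rejected before anything is mutated, and a second call is a no-op.
func InjectGardenKubeconfig(spec *PodSpec, containerNames ...string) error {
	if len(containerNames) == 0 {
		return fmt.Errorf("no container names given")
	}
	byName := make(map[string]int, len(spec.Containers))
	for i, c := range spec.Containers {
		byName[c.Name] = i
	}
	var targets, missing []string
	for _, n := range containerNames {
		if _, ok := byName[n]; ok {
			targets = append(targets, n)
		} else {
			missing = append(missing, n)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return fmt.Errorf("containers not found in pod spec: %v", missing)
	}
	for _, n := range targets {
		c := &spec.Containers[byName[n]]
		if !hasMount(c, gardenKubeconfigVolume) {
			c.VolumeMounts = append(c.VolumeMounts, VolumeMount{
				Name: gardenKubeconfigVolume, MountPath: gardenKubeconfigPath, ReadOnly: true,
			})
		}
	}
	if !hasVolume(spec, gardenKubeconfigVolume) {
		spec.Volumes = append(spec.Volumes, Volume{Name: gardenKubeconfigVolume, SecretName: gardenKubeconfigSecret})
	}
	return nil
}

// ContainersWithGardenAccess lists every regular and init container that
// mounts the garden kubeconfig: the audit a reviewer or an admission check
// would run to confirm the credential is not exposed more widely than intended.
func ContainersWithGardenAccess(spec *PodSpec) (regular, initCtrs []string) {
	for i := range spec.Containers {
		if hasMount(&spec.Containers[i], gardenKubeconfigVolume) {
			regular = append(regular, spec.Containers[i].Name)
		}
	}
	for i := range spec.InitContainers {
		if hasMount(&spec.InitContainers[i], gardenKubeconfigVolume) {
			initCtrs = append(initCtrs, spec.InitContainers[i].Name)
		}
	}
	return regular, initCtrs
}

func main() {
	// Constructed pod spec loosely modelled on the vali component.
	spec := &PodSpec{
		InitContainers: []Container{{Name: "init-sample"}},
		Containers:     []Container{{Name: "vali"}, {Name: "kube-rbac-proxy"}},
	}
	if err := InjectGardenKubeconfig(spec, "kube-rbac-proxy"); err != nil {
		panic(err)
	}
	regular, initCtrs := ContainersWithGardenAccess(spec)
	fmt.Printf("garden access: containers=%v init=%v\n", regular, initCtrs)
}
```

Rejecting an unknown container name instead of silently skipping it matters in a deployment pipeline: a renamed container would otherwise lose its access with no error, and a typo in the allow list would be invisible. `ContainersWithGardenAccess` is the complementary check that would have surfaced the init-container side effect the commit above describes.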
@timebertt timebertt (Member, Author) commented

Yep, already on it. Found that it was a side-effect of injecting the generic kubeconfig also into init containers :)

@rfranzke rfranzke (Member) commented Jul 5, 2023

/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jul 5, 2023
@gardener-prow gardener-prow bot (Contributor) commented Jul 5, 2023

LGTM label has been added.

Git tree hash: 0b83c716f886dd39b04034e5d4f96dfee4cbae75

@gardener-prow gardener-prow bot (Contributor) commented Jul 5, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rfranzke


@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 5, 2023
@gardener-prow gardener-prow bot (Contributor) commented Jul 5, 2023

@timebertt: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-gardener-apidiff | 8626151 | link | false | /test pull-gardener-apidiff |


@gardener-prow gardener-prow bot merged commit 599e7c5 into gardener:master Jul 5, 2023
@timebertt timebertt deleted the extensions-garden-access branch July 5, 2023 10:05
andrerun pushed a commit to andrerun/gardener that referenced this pull request Jul 6, 2023
…er#8204)

* Extend docs for feature

* Prefactor: allow executing controllerinstallation test against existing test env

* Create generic garden kubeconfig in extension namespace

* Prefactor: make `ShootAccessSecret` utility reusable for garden access secrets

* Create garden access secret in extension namespace

* Prefactor: make utility for injecting generic kubeconfig reusable

* Inject garden access into `ControllerInstallation` objects

* provider-local: verify garden access

* provider-local: add `NetworkPolicy` for talking to garden cluster

* Apply docs suggestions

* Drop abstract section

* Address review suggestions

* vali: only inject generic kubeconfig where needed

With the previous commits, `InjectGenericKubeconfig` also injects into init containers which makes vali unit tests fail.
Instead of working around it in the test, we adapt the component to only inject the kubeconfig into the `kube-rbac-proxy` container.
The other containers shouldn't need it.
nickytd pushed a commit to nickytd/gardener that referenced this pull request Sep 11, 2023
…er#8204)