Move shoot-core/network-policies Helm chart into responsible compon…

…ents packages (gardener#7401) * Move `addons-nginx-controller` specific `NetworkPolicy` template into component package * Move `allow-from-seed` `NetworkPolicy` template into `vpnshoot` package * Move `allow-to-apiserver` `NetworkPolicy` template into `shootsystem` package * Move `allow-to-dns` `NetworkPolicy` template into `shootsystem` package * Move `allow-to-kubelet` `NetworkPolicy` template into `shootsystem` package * Move `allow-to-public-networks` `NetworkPolicy` template into `shootsystem` package * Cleanup special code related to shoot Helm charts
andrerun · Jul 6, 2023 · 52aad3e · 52aad3e
1 parent 2926510
commit 52aad3e
Show file tree

Hide file tree

Showing 18 changed files with 384 additions and 347 deletions.
diff --git a/charts/shoot-core/components/charts/network-policies/templates/allow-from-seed.yaml b/charts/shoot-core/components/charts/network-policies/templates/allow-from-seed.yaml
@@ -1,24 +1,8 @@
+# TODO(rfranzke): Delete this Helm chart in a future version.
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  annotations:
-    gardener.cloud/description: |
-      Allows Ingress from the control plane to pods labeled with
-      'networking.gardener.cloud/from-seed=allowed'.
   name: gardener.cloud--allow-from-seed
   namespace: kube-system
-  labels:
-    origin: gardener
-spec:
-  podSelector:
-    matchLabels:
-      networking.gardener.cloud/from-seed: allowed
-  policyTypes:
-  - Ingress
-  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: vpn-shoot
-          gardener.cloud/role: system-component
-          origin: gardener
+  annotations:
+    resources.gardener.cloud/mode: Ignore
diff --git a/charts/shoot-core/components/charts/network-policies/templates/allow-from-to-nginx.yaml b/charts/shoot-core/components/charts/network-policies/templates/allow-from-to-nginx.yaml
@@ -1,21 +1,8 @@
+# TODO(rfranzke): Delete this Helm chart in a future version.
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  annotations:
-    gardener.cloud/description: |
-      Allows all Egress and Ingress for the nginx-controller
   name: gardener.cloud--allow-to-from-nginx
   namespace: kube-system
-  labels:
-    origin: gardener
-spec:
-  podSelector:
-    matchLabels:
-      app: nginx-ingress
-  policyTypes:
-  - Ingress
-  - Egress
-  egress:
-  - {}
-  ingress:
-  - {}
+  annotations:
+    resources.gardener.cloud/mode: Ignore
diff --git a/charts/shoot-core/components/charts/network-policies/templates/allow-to-api-server.yaml b/charts/shoot-core/components/charts/network-policies/templates/allow-to-api-server.yaml
@@ -1,20 +1,8 @@
+# TODO(rfranzke): Delete this Helm chart in a future version.
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  annotations:
-    gardener.cloud/description: |
-      Allows traffic to api server in TCP Port 443
   name: gardener.cloud--allow-to-apiserver
   namespace: kube-system
-  labels:
-    origin: gardener
-spec:
-  podSelector:
-    matchLabels:
-      networking.gardener.cloud/to-apiserver: allowed
-  egress:
-  - ports:
-    - port: 443
-      protocol: TCP
-  policyTypes:
-  - Egress
+  annotations:
+    resources.gardener.cloud/mode: Ignore
diff --git a/charts/shoot-core/components/charts/network-policies/templates/allow-to-dns.yaml b/charts/shoot-core/components/charts/network-policies/templates/allow-to-dns.yaml
@@ -1,40 +1,8 @@
+# TODO(rfranzke): Delete this Helm chart in a future version.
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  annotations:
-    gardener.cloud/description: |
-      Allows Egress from pods labeled with 'networking.gardener.cloud/to-dns=allowed'
-      to DNS running in the 'kube-system' namespace.
   name: gardener.cloud--allow-to-dns
   namespace: kube-system
-  labels:
-    origin: gardener
-spec:
-  podSelector:
-    matchLabels:
-      networking.gardener.cloud/to-dns: allowed
-  policyTypes:
-  - Egress
-  egress:
-  - to:
-    - podSelector:
-        matchExpressions:
-        - {key: k8s-app, operator: In, values: [kube-dns]}
-    ports:
-    - protocol: UDP
-      port: 8053
-    - protocol: TCP
-      port: 8053
-  # this allows Pods with 'dnsPolicy: Default' to talk to
-  # the node's DNS provider.
-  - to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
-    - podSelector:
-        matchExpressions:
-        - {key: k8s-app, operator: In, values: [node-local-dns]}
-    ports:
-    - protocol: UDP
-      port: 53
-    - protocol: TCP
-      port: 53
+  annotations:
+    resources.gardener.cloud/mode: Ignore
diff --git a/charts/shoot-core/components/charts/network-policies/templates/allow-to-kubelet.yaml b/charts/shoot-core/components/charts/network-policies/templates/allow-to-kubelet.yaml
@@ -1,20 +1,8 @@
+# TODO(rfranzke): Delete this Helm chart in a future version.
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  annotations:
-    gardener.cloud/description: |
-      Allows traffic to kubelet in TCP Port 10250
   name: gardener.cloud--allow-to-kubelet
   namespace: kube-system
-  labels:
-    origin: gardener
-spec:
-  podSelector:
-    matchLabels:
-      networking.gardener.cloud/to-kubelet: allowed
-  egress:
-  - ports:
-    - port: 10250
-      protocol: TCP
-  policyTypes:
-  - Egress
+  annotations:
+    resources.gardener.cloud/mode: Ignore
diff --git a/charts/shoot-core/components/charts/network-policies/templates/allow-to-public-networks.yaml b/charts/shoot-core/components/charts/network-policies/templates/allow-to-public-networks.yaml
@@ -1,21 +1,8 @@
+# TODO(rfranzke): Delete this Helm chart in a future version.
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  annotations:
-    gardener.cloud/description: |
-      Allows Egress from pods labeled with 'networking.gardener.cloud/to-public-networks=allowed'
-      to all networks.
   name: gardener.cloud--allow-to-public-networks
   namespace: kube-system
-  labels:
-    origin: gardener
-spec:
-  podSelector:
-    matchLabels:
-      networking.gardener.cloud/to-public-networks: allowed
-  policyTypes:
-  - Egress
-  egress:
-  - to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
+  annotations:
+    resources.gardener.cloud/mode: Ignore
diff --git a/charts/shoot-core/components/charts/network-policies/values.yaml b/charts/shoot-core/components/charts/network-policies/values.yaml
diff --git a/charts/shoot-core/components/values.yaml b/charts/shoot-core/components/values.yaml
@@ -1,6 +1,4 @@
 global:
-  kubernetesVersion: 1.20.1
-  podNetwork: 100.96.0.0/11
   vpaEnabled: false
   pspDisabled: false
 apiserver-proxy:
@@ -24,5 +22,3 @@ network-policies:
 podsecuritypolicies:
   enabled: true
   allowPrivilegedContainers: false
-shoot-info:
-  enabled: true
diff --git a/pkg/operation/botanist/addons.go b/pkg/operation/botanist/addons.go
@@ -29,7 +29,6 @@ import (
 	extensionsv1alpha1helper "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1/helper"
 	"github.com/gardener/gardener/pkg/chartrenderer"
 	"github.com/gardener/gardener/pkg/controllerutils"
-	netpol "github.com/gardener/gardener/pkg/operation/botanist/addons/networkpolicy"
 	extensionsdnsrecord "github.com/gardener/gardener/pkg/operation/botanist/component/extensions/dnsrecord"
 	"github.com/gardener/gardener/pkg/operation/common"
 	"github.com/gardener/gardener/pkg/utils/images"
@@ -140,24 +139,15 @@ func (b *Botanist) DeployManagedResourceForAddons(ctx context.Context) error {
 // creates a ManagedResource CRD that references the rendered manifests and creates it.
 func (b *Botanist) generateCoreAddonsChart(ctx context.Context) (*chartrenderer.RenderedChart, error) {
 	var (
-		kasFQDN           = b.outOfClusterAPIServerFQDN()
-		kubernetesVersion = b.Shoot.GetInfo().Spec.Kubernetes.Version
-		global            = map[string]interface{}{
-			"kubernetesVersion": kubernetesVersion,
-			"podNetwork":        b.Shoot.Networks.Pods.String(),
-			"vpaEnabled":        b.Shoot.WantsVerticalPodAutoscaler,
-			"pspDisabled":       b.Shoot.PSPDisabled,
+		global = map[string]interface{}{
+			"vpaEnabled":  b.Shoot.WantsVerticalPodAutoscaler,
+			"pspDisabled": b.Shoot.PSPDisabled,
 		}
-
 		podSecurityPolicies = map[string]interface{}{
 			"allowPrivilegedContainers": pointer.BoolDeref(b.Shoot.GetInfo().Spec.Kubernetes.AllowPrivilegedContainers, false),
 		}
-
 		nodeExporterConfig     = map[string]interface{}{}
 		blackboxExporterConfig = map[string]interface{}{}
-		networkPolicyConfig    = netpol.ShootNetworkPolicyValues{
-			Enabled: true,
-		}
 	)
 
 	nodeExporter, err := b.InjectShootShootImages(nodeExporterConfig, images.ImageNameNodeExporter)
@@ -174,10 +164,10 @@ func (b *Botanist) generateCoreAddonsChart(ctx context.Context) (*chartrenderer.
 		return nil, fmt.Errorf("secret %q not found", v1beta1constants.SecretNameCACluster)
 	}
 
-	apiserverProxyConfig := map[string]interface{}{
+	apiServerProxyConfig := map[string]interface{}{
 		"advertiseIPAddress": b.APIServerClusterIP,
 		"proxySeedServer": map[string]interface{}{
-			"host": kasFQDN,
+			"host": b.outOfClusterAPIServerFQDN(),
 			"port": "8443",
 		},
 		"webhook": map[string]interface{}{
@@ -186,21 +176,20 @@ func (b *Botanist) generateCoreAddonsChart(ctx context.Context) (*chartrenderer.
 		"podMutatorEnabled": b.APIServerSNIPodMutatorEnabled(),
 	}
 
-	apiserverProxy, err := b.InjectShootShootImages(apiserverProxyConfig, images.ImageNameApiserverProxySidecar, images.ImageNameApiserverProxy)
+	apiServerProxy, err := b.InjectShootShootImages(apiServerProxyConfig, images.ImageNameApiserverProxySidecar, images.ImageNameApiserverProxy)
 	if err != nil {
 		return nil, err
 	}
 
 	values := map[string]interface{}{
 		"global":          global,
-		"apiserver-proxy": common.GenerateAddonConfig(apiserverProxy, b.APIServerSNIEnabled()),
+		"apiserver-proxy": common.GenerateAddonConfig(apiServerProxy, b.APIServerSNIEnabled()),
 		"monitoring": common.GenerateAddonConfig(map[string]interface{}{
 			"node-exporter":     nodeExporter,
 			"blackbox-exporter": blackboxExporter,
 		}, b.Operation.IsShootMonitoringEnabled()),
-		"network-policies":    networkPolicyConfig,
+		"network-policies":    common.GenerateAddonConfig(nil, true),
 		"podsecuritypolicies": common.GenerateAddonConfig(podSecurityPolicies, !b.Shoot.PSPDisabled),
-		"cluster-identity":    map[string]interface{}{"clusterIdentity": b.Shoot.GetInfo().Status.ClusterIdentity},
 	}
 
 	return b.ShootClientSet.ChartRenderer().Render(filepath.Join(charts.Path, "shoot-core", "components"), "shoot-core", metav1.NamespaceSystem, values)
@@ -209,12 +198,9 @@ func (b *Botanist) generateCoreAddonsChart(ctx context.Context) (*chartrenderer.
 // generateOptionalAddonsChart renders the gardener-resource-manager chart for the optional addons. After that it
 // creates a ManagedResource CRD that references the rendered manifests and creates it.
 func (b *Botanist) generateOptionalAddonsChart(_ context.Context) (*chartrenderer.RenderedChart, error) {
-	global := map[string]interface{}{
-		"vpaEnabled":  b.Shoot.WantsVerticalPodAutoscaler,
-		"pspDisabled": b.Shoot.PSPDisabled,
-	}
-
 	return b.ShootClientSet.ChartRenderer().Render(filepath.Join(charts.Path, "shoot-addons"), "addons", metav1.NamespaceSystem, map[string]interface{}{
-		"global": global,
+		"global": map[string]interface{}{
+			"vpaEnabled": b.Shoot.WantsVerticalPodAutoscaler,
+		},
 	})
 }
diff --git a/pkg/operation/botanist/addons/networkpolicy/shoot_network_policy.go b/pkg/operation/botanist/addons/networkpolicy/shoot_network_policy.go