stackitcloud / gardener-extension-acl Goto Github PK
View Code? Open in Web Editor NEWLicense: Other
gardener-extension-acl's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
gardener-extension-acl's Issues
Removing ACL extension from Shoot leaves ACL config in EnvoyFilter
What happened:
When removing the ACL extension from the Shoot spec, it leaves the ACL config in the EnvoyFilter for the apiserver-proxy path (ingress-gateway/shoot--foo--bar) until the next shoot reconciliation.
What you expected to happen:
Removing the ACL extension from the Shoot spec should take effect on all paths immediately.
How to reproduce it (as minimally and precisely as possible):
- Create a shoot with the ACL extension enabled, e.g.:
kind: Shoot
# ...
spec:
extensions:
- type: acl
providerConfig:
rule:
action: ALLOW
cidrs:
- 1.2.3.4/32
type: remote_ip- Remove the ACL extension from the shoot spec.
- The
shoot--foo--barEnvoyFilterinistio-ingressnamespace is unchanged and still contains the ACL config injected by the webhook.
Expand me
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: shoot--foo--bar
namespace: istio-ingress
spec:
configPatches:
- applyTo: FILTER_CHAIN
match:
context: ANY
listener:
portNumber: 8443
patch:
operation: ADD
value:
filter_chain_match:
destination_port: 443
prefix_ranges:
- address_prefix: 100.83.42.91
prefix_len: 32
filters:
- name: acl-internal-remote_ip
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
rules:
action: ALLOW
policies:
acl-internal:
permissions:
- any: true
principals:
- remote_ip:
address_prefix: 1.2.3.4
prefix_len: 32
# always allowed CIDRs...
stat_prefix: envoyrbac- Reconcile the shoot once again.
- The ACL config is removed from the
EnvoyFilter.
Anything else we need to know?:
When removing the ACL extension from the shoot, the Extension object is deleted after gardenlet applied the EnvoyFilter.
On extension deletion, the extension controller triggers the EnvoyFilter webhook with an empty patch.
However, the webhook doesn't actively remove the ACL config (it responds without a patch).
Hence, the config is left until gardenlet applies the desired state of the EnvoyFilter again and the webhook doesn't act on the object anymore.
Environment:
- Gardener version: v1.85
- Extension version: 72d7499
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.