stackitcloud / gardener-extension-acl
What happened:
When removing the ACL extension from the Shoot spec, it leaves the ACL config in the `EnvoyFilter` for the apiserver-proxy path (`ingress-gateway/shoot--foo--bar`) until the next shoot reconciliation.
What you expected to happen:
Removing the ACL extension from the Shoot spec should take effect on all paths immediately.
How to reproduce it (as minimally and precisely as possible):
```yaml
kind: Shoot
# ...
spec:
  extensions:
  - type: acl
    providerConfig:
      rule:
        action: ALLOW
        cidrs:
        - 1.2.3.4/32
        type: remote_ip
```
The `shoot--foo--bar` `EnvoyFilter` in the `istio-ingress` namespace is unchanged and still contains the ACL config injected by the webhook:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: shoot--foo--bar
  namespace: istio-ingress
spec:
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      context: ANY
      listener:
        portNumber: 8443
    patch:
      operation: ADD
      value:
        filter_chain_match:
          destination_port: 443
          prefix_ranges:
          - address_prefix: 100.83.42.91
            prefix_len: 32
        filters:
        - name: acl-internal-remote_ip
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
            rules:
              action: ALLOW
              policies:
                acl-internal:
                  permissions:
                  - any: true
                  principals:
                  - remote_ip:
                      address_prefix: 1.2.3.4
                      prefix_len: 32
                  # always allowed CIDRs...
            stat_prefix: envoyrbac
```

`EnvoyFilter`.
Anything else we need to know?:
When removing the ACL extension from the shoot, the `Extension` object is deleted after gardenlet applied the `EnvoyFilter`.
On extension deletion, the extension controller triggers the `EnvoyFilter` webhook with an empty patch. However, the webhook doesn't actively remove the ACL config (it responds without a patch).
Hence, the config is left until gardenlet applies the desired state of the `EnvoyFilter` again and the webhook doesn't act on the object anymore.
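As an added example (not the extension's own code), this is the cleanup the webhook would have to perform on extension deletion, written in Go against a decoded `EnvoyFilter`: it strips every `acl-*` network filter from the `FILTER_CHAIN` patches and returns what it removed, so the same function doubles as a check for stale ACL config. The sample object is constructed from the YAML above; the `tcp_proxy` filter in it and the `acl-` name prefix are assumptions.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Prefix of the filter name the ACL webhook injects ("acl-internal-remote_ip" on the page); assumed stable.
const aclFilterPrefix = "acl-"
// sampleEnvoyFilter returns a constructed JSON copy of the page's EnvoyFilter plus an assumed tcp_proxy filter that must survive cleanup.
func sampleEnvoyFilter() map[string]any {
	const doc = `{"kind":"EnvoyFilter","metadata":{"name":"shoot--foo--bar","namespace":"istio-ingress"},"spec":{
	"configPatches":[{"applyTo":"FILTER_CHAIN","patch":{"operation":"ADD","value":{"filter_chain_match":{
	"destination_port":443,"prefix_ranges":[{"address_prefix":"100.83.42.91","prefix_len":32}]},"filters":[
	{"name":"acl-internal-remote_ip","typed_config":{"@type":"type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
	"stat_prefix":"envoyrbac","rules":{"action":"ALLOW","policies":{"acl-internal":{"permissions":[{"any":true}],
	"principals":[{"remote_ip":{"address_prefix":"1.2.3.4","prefix_len":32}}]}}}}},{"name":"envoy.filters.network.tcp_proxy"}]}}}]}}`
	var ef map[string]any
	if err := json.Unmarshal([]byte(doc), &ef); err != nil {
		panic(err) // constructed input: a parse error is a bug in this example
	}
	return ef
}
// stripACLFilters deletes every acl-* filter from each FILTER_CHAIN patch in place and returns the removed names; an empty result means no stale ACL config was present.
func stripACLFilters(ef map[string]any) []string {
	var removed []string
	spec, _ := ef["spec"].(map[string]any)
	patches, _ := spec["configPatches"].([]any)
	for _, p := range patches {
		cp, _ := p.(map[string]any)
		patch, _ := cp["patch"].(map[string]any)
		value, _ := patch["value"].(map[string]any)
		filters, _ := value["filters"].([]any)
		if cp["applyTo"] != "FILTER_CHAIN" || len(filters) == 0 {
			continue
		}
		kept := make([]any, 0, len(filters))
		for _, f := range filters {
			fm, _ := f.(map[string]any)
			if name, _ := fm["name"].(string); strings.HasPrefix(name, aclFilterPrefix) {
				removed = append(removed, name)
				continue
			}
			kept = append(kept, f)
		}
		value["filters"] = kept // value is non-nil here: filters were read from it above
	}
	return removed
}
```

Running it a second time on the same object returns nothing, which is the property the webhook needs so that a cleanup on deletion cannot damage an already clean `EnvoyFilter`.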
Environment: