Validate all resources in kube-system if managed seed
All resources in the kube-system namespace of a ManagedSeed need to be
validated.

We determine that a shoot is a ManagedSeed if it is in the 'garden'
namespace.
rrhubenov committed Jun 5, 2024
1 parent 72e8deb commit 72706bd
Showing 1 changed file with 13 additions and 4 deletions.
17 changes: 13 additions & 4 deletions pkg/controller/lifecycle/actuator.go
Expand Up @@ -104,6 +104,7 @@ func (a *actuator) Reconcile(ctx context.Context, logger logr.Logger, ex *extens
return err
}


// initialize SecretsManager based on Cluster object
configs := secrets.ConfigsFor(namespace)

Expand Down Expand Up @@ -140,6 +141,7 @@ func (a *actuator) Reconcile(ctx context.Context, logger logr.Logger, ex *extens
image.Tag = ptr.To[string](version.Get().GitVersion)
}


seedResources, err := getSeedResources(
getLakomReplicas(controller.IsHibernationEnabled(cluster)),
namespace,
Expand All @@ -162,6 +164,7 @@ func (a *actuator) Reconcile(ctx context.Context, logger logr.Logger, ex *extens
caBundleSecret.Data[secretutils.DataKeyCertificateBundle],
namespace,
lakomShootAccessSecret.ServiceAccountName,
cluster.Shoot.GetNamespace(),
)

if err != nil {
Expand Down Expand Up @@ -592,7 +595,8 @@ func getSeedResources(lakomReplicas *int32, namespace, genericKubeconfigName, sh
return resources, nil
}

func getShootResources(webhookCaBundle []byte, namespace, shootAccessServiceAccountName string) (map[string][]byte, error) {
func getShootResources(webhookCaBundle []byte, namespace, shootAccessServiceAccountName string, shootNamespace string) (map[string][]byte, error) {

var (
matchPolicy = admissionregistration.Equivalent
sideEffectClass = admissionregistration.SideEffectClassNone
Expand All @@ -610,7 +614,7 @@ func getShootResources(webhookCaBundle []byte, namespace, shootAccessServiceAcco
},
},
}
objectSelector = metav1.LabelSelector{
objectSelector = &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{
{
Key: resourcesv1alpha1.ManagedBy,
Expand All @@ -629,6 +633,11 @@ func getShootResources(webhookCaBundle []byte, namespace, shootAccessServiceAcco
}}
)

isManagedSeed := shootNamespace == v1beta1constants.GardenNamespace
if isManagedSeed {
objectSelector = nil
}

shootRegistry := managedresources.NewRegistry(kubernetes.ShootScheme, kubernetes.ShootCodec, kubernetes.ShootSerializer)
shootResources, err := shootRegistry.AddAllAndSerialize(
&admissionregistration.MutatingWebhookConfiguration{
Expand All @@ -649,7 +658,7 @@ func getShootResources(webhookCaBundle []byte, namespace, shootAccessServiceAcco
CABundle: webhookCaBundle,
},
NamespaceSelector: &namespaceSelector,
ObjectSelector: &objectSelector,
ObjectSelector: objectSelector,
}},
},
&admissionregistration.ValidatingWebhookConfiguration{
Expand All @@ -670,7 +679,7 @@ func getShootResources(webhookCaBundle []byte, namespace, shootAccessServiceAcco
CABundle: webhookCaBundle,
},
NamespaceSelector: &namespaceSelector,
ObjectSelector: &objectSelector,
ObjectSelector: objectSelector,
}},
},
&rbacv1.Role{
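Review bot: The `shootNamespace == v1beta1constants.GardenNamespace` comparison in getShootResources (sixth hunk) is a stand-in for "this shoot is a ManagedSeed", and nothing in the code says so, so a reader cannot tell why the garden namespace widens the webhook scope. A comment above the check should carry the commit message's rationale, e.g. `// Shoots in the garden namespace are treated as ManagedSeeds: drop the objectSelector so every resource in kube-system is validated, not only gardener-managed ones.` Setting the selector to nil also means the mutating and validating webhooks (seventh and eighth hunks) now intercept every matching object in the namespaces chosen by `namespaceSelector`, so the webhooks' failurePolicy — not visible in these hunks — decides whether an unavailable lakom webhook blocks all admissions in a ManagedSeed's kube-system; that trade-off deserves a sentence in the same comment. Minor style: `shootNamespace string` can join the preceding string parameter group as `namespace, shootAccessServiceAccountName, shootNamespace string`, and `isManagedSeed` is read exactly once, so the comparison can sit directly in the `if`. getShootResources begins in the fourth hunk and its body continues past the last hunk.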
