Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify all images for managedseed #91

Merged
merged 7 commits into from
Jun 10, 2024
Merged

Verify all images for managedseed #91

merged 7 commits into from
Jun 10, 2024

Conversation

rrhubenov
Copy link
Contributor

@rrhubenov rrhubenov commented Jun 5, 2024
edited
Loading

What this PR does / why we need it:
When a shoot is a managed seed cluster, all of the resources in the kube-system namespace need to be validated and not only those that are labeled with managed-by: gardener.

With this change, if the shoot is a managed seed (determined by checking if it is in the garden namespace) the selector for managed-by: gardener won't be used.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
Note that this method for handling the case where the cluster is a managed seed will most likely be changed/updated in the near future.

Release note:

All pods in Managed Seed clusters will now be validated for trusted image signatures.

@rrhubenov rrhubenov requested a review from a team as a code owner June 5, 2024 09:56
@gardener-robot gardener-robot added needs/review Needs review size/s Size of pull request is small (see gardener-robot robot/bots/size.py) labels Jun 5, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jun 5, 2024
@rrhubenov rrhubenov changed the title Verify all resources for managedseed Verify all images for managedseed Jun 5, 2024
@JordanJordanov JordanJordanov added the area/ipcei IPCEI (Important Project of Common European Interest) label Jun 5, 2024
vpnachev
vpnachev requested changes Jun 5, 2024
View reviewed changes
hack/configure-webhook.sh Outdated Show resolved Hide resolved
pkg/controller/lifecycle/actuator.go Outdated Show resolved Hide resolved
pkg/controller/lifecycle/actuator.go Outdated Show resolved Hide resolved
pkg/controller/lifecycle/actuator.go Outdated Show resolved Hide resolved
@gardener-robot gardener-robot added the needs/changes Needs (more) changes label Jun 5, 2024
@rrhubenov
Validate all resources in kube-system if managed seed
69a5a6c 
All resources in the kube-system namespace of a ManagedSeed need to
validated.

We determine that a shoot is a ManagedSeed if its in the 'garden'
namespace.
@rrhubenov rrhubenov force-pushed the verify-all-resources-for-managedseed branch from 72706bd to 69a5a6c Compare June 6, 2024 07:14
@gardener-robot gardener-robot added size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) and removed size/s Size of pull request is small (see gardener-robot robot/bots/size.py) labels Jun 6, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jun 6, 2024
rrhubenov added 2 commits June 6, 2024 11:46
@rrhubenov
Rework getShootResources tests and add new managedseed test
7d94a80 
ManagedSeeds need to have an empty object selector.
Currently we assume that if a cluster is a managedseed, then the shoot
resource is in the "garden" namespace
@rrhubenov
Improve getShootResources formatting and parameter names
a048809
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 6, 2024
@gardener-robot gardener-robot added the size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) label Jun 6, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 6, 2024
@gardener-robot gardener-robot removed the size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) label Jun 6, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 6, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 6, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jun 6, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 7, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 7, 2024
vpnachev
vpnachev reviewed Jun 7, 2024
View reviewed changes
pkg/controller/lifecycle/actuator.go Outdated Show resolved Hide resolved
pkg/controller/lifecycle/actuator_test.go Outdated Show resolved Hide resolved
pkg/controller/lifecycle/actuator.go Outdated Show resolved Hide resolved
pkg/controller/lifecycle/actuator_test.go Outdated Show resolved Hide resolved
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 10, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 10, 2024
@rrhubenov rrhubenov force-pushed the verify-all-resources-for-managedseed branch from 503f657 to 123b304 Compare June 10, 2024 07:45
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 10, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 10, 2024
vpnachev
vpnachev approved these changes Jun 10, 2024
View reviewed changes
Copy link
Member

@vpnachev vpnachev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/changes Needs (more) changes needs/review Needs review labels Jun 10, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 10, 2024
@vpnachev vpnachev merged commit c4e36ce into gardener:main Jun 10, 2024
8 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Jun 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vpnachev vpnachev vpnachev approved these changes

Assignees
No one assigned
Labels
area/ipcei IPCEI (Important Project of Common European Interest) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@rrhubenov @vpnachev @gardener-robot-ci-1 @JordanJordanov @gardener-robot-ci-2 @gardener-robot-ci-3 @gardener-robot