Add CNPs back

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- CNPs are added back to allow the api server to access pods for webhooks.
+
 ## [1.17.0] - 2024-05-08
 
 ### Changed

README.md

@@ -23,14 +23,21 @@ The following notable commands & scripts are triggered in `make generate`:
 1. `kubectl kustomize config/helm --output helm/cluster-api/templates`: Generates kustomized Helm templates from upstream Cluster API components.
 1. [`hack/move-generated-crds.sh`](hack/move-generated-crds.sh): Moves all the CRDs into the `helm/cluster-api/files` directory. They are later used in the CRD install job.
 1. [`hack/generate-crd-version-patches.sh`](hack/generate-crd-version-patches.sh): Extracts the upstream Cluster API CRDs into `kustomize` patches in `helm/cluster-api/files`.
-1. [`hack/wrap-with-conditional.sh`](hack/wrap-with-conditional.sh): Wraps all occurrences of the `cluster.x-k8s.io/watch-filter` object selector into a condition.
-    ```yaml
-    {{- if .Values.watchfilter }}
-    objectSelector:
-        matchLabels:
-            cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}'
-    {{- end }}
-    ```
+1. [`hack/wrap-with-conditional.sh`](hack/wrap-with-conditional.sh)
+    * Wraps all occurrences of the `cluster.x-k8s.io/watch-filter` object selector into a condition:
+        ```yaml
+        {{- if .Values.watchfilter }}
+        objectSelector:
+            matchLabels:
+                cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}'
+        {{- end }}
+        ```
+    * Wraps all the `*_ciliumnetworkpolicy_*.yaml` manifests into the global `ciliumNetworkPolicy.enabled` condition:
+        ```yaml
+        {{- if .Values.ciliumNetworkPolicy.enabled }}
+        [...]
+        {{- end }}
+        ```
 
 ## Upgrading Cluster API
 

config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml

@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: capi-controller-manager
+  namespace: capi-system
+  labels:
+    app.kubernetes.io/component: cluster-api
+    cluster.x-k8s.io/provider: cluster-api
+    control-plane: controller-manager
+spec:
+  endpointSelector:
+    matchLabels:
+      cluster.x-k8s.io/provider: cluster-api
+      control-plane: controller-manager
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
+  egress:
+  - toEntities:
+    - kube-apiserver

config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml

@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: capi-kubeadm-bootstrap-controller-manager
+  namespace: capi-kubeadm-bootstrap-system
+  labels:
+    app.kubernetes.io/component: bootstrap-kubeadm
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+    control-plane: controller-manager
+spec:
+  endpointSelector:
+    matchLabels:
+      cluster.x-k8s.io/provider: bootstrap-kubeadm
+      control-plane: controller-manager
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
+  egress:
+  - toEntities:
+    - kube-apiserver

config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml

@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: capi-kubeadm-control-plane-controller-manager
+  namespace: capi-kubeadm-control-plane-system
+  labels:
+    app.kubernetes.io/component: control-plane-kubeadm
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+    control-plane: controller-manager
+spec:
+  endpointSelector:
+    matchLabels:
+      cluster.x-k8s.io/provider: control-plane-kubeadm
+      control-plane: controller-manager
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
+  egress:
+  - toEntities:
+    - kube-apiserver

config/helm/kustomization.yaml

@@ -8,6 +8,10 @@ resources:
 - bases/networkpolicies/capi-controller-manager.yaml
 - bases/networkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
 - bases/networkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
+# Cilium network policies
+- bases/ciliumnetworkpolicies/capi-controller-manager.yaml
+- bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
+- bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
 # Watch filter configmap
 - bases/configmaps/watch-filter.yaml
 

hack/wrap-with-conditional.sh

@@ -11,3 +11,10 @@ for file in admissionregistration.k8s.io_v1_*.yaml; do
     new_content=$(tr '\n' '\r' < "${file}" | sed -e "s/${match}/{{ if .Values.watchFilter }}\n${match}\n{{ end }}/g" | tr '\r' '\n')
     printf "%s\n" "${new_content}" > "${file}"
 done
+
+for file in *_ciliumnetworkpolicy_*.yaml; do
+    data=$(cat "${file}")
+    echo '{{- if .Values.ciliumNetworkPolicy.enabled }}' > "${file}"
+    echo "${data}" >> "${file}"
+    echo '{{- end }}' >> "${file}"
+done

helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-controller-manager.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.ciliumNetworkPolicy.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: cluster-api
+    app.kubernetes.io/instance: '{{ .Release.Name }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/name: cluster-api
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    application.giantswarm.io/branch: '{{ .Values.project.branch }}'
+    application.giantswarm.io/commit: '{{ .Values.project.commit }}'
+    cluster.x-k8s.io/provider: cluster-api
+    control-plane: controller-manager
+    helm.sh/chart: cluster-api
+  name: capi-controller-manager
+  namespace: '{{ .Release.Namespace }}'
+spec:
+  egress:
+  - toEntities:
+    - kube-apiserver
+  endpointSelector:
+    matchLabels:
+      cluster.x-k8s.io/provider: cluster-api
+      control-plane: controller-manager
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
+{{- end }}

helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.ciliumNetworkPolicy.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: bootstrap-kubeadm
+    app.kubernetes.io/instance: '{{ .Release.Name }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/name: cluster-api
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    application.giantswarm.io/branch: '{{ .Values.project.branch }}'
+    application.giantswarm.io/commit: '{{ .Values.project.commit }}'
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+    control-plane: controller-manager
+    helm.sh/chart: cluster-api
+  name: capi-kubeadm-bootstrap-controller-manager
+  namespace: '{{ .Release.Namespace }}'
+spec:
+  egress:
+  - toEntities:
+    - kube-apiserver
+  endpointSelector:
+    matchLabels:
+      cluster.x-k8s.io/provider: bootstrap-kubeadm
+      control-plane: controller-manager
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
+{{- end }}

helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.ciliumNetworkPolicy.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: control-plane-kubeadm
+    app.kubernetes.io/instance: '{{ .Release.Name }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/name: cluster-api
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    application.giantswarm.io/branch: '{{ .Values.project.branch }}'
+    application.giantswarm.io/commit: '{{ .Values.project.commit }}'
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+    control-plane: controller-manager
+    helm.sh/chart: cluster-api
+  name: capi-kubeadm-control-plane-controller-manager
+  namespace: '{{ .Release.Namespace }}'
+spec:
+  egress:
+  - toEntities:
+    - kube-apiserver
+  endpointSelector:
+    matchLabels:
+      cluster.x-k8s.io/provider: control-plane-kubeadm
+      control-plane: controller-manager
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
+{{- end }}