diff --git a/CHANGELOG.md b/CHANGELOG.md
index eeb4ede3..7b24f8cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Changed
+
+- CNPs are added back to allow the api server to access pods for webhooks.
+
 ## [1.17.0] - 2024-05-08
 ### Changed
diff --git a/README.md b/README.md
index d9caf800..c37cdcdf 100644
--- a/README.md
+++ b/README.md
@@ -23,14 +23,21 @@ The following notable commands & scripts are triggered in `make generate`:
 1. `kubectl kustomize config/helm --output helm/cluster-api/templates`: Generates kustomized Helm templates from upstream Cluster API components.
 1. [`hack/move-generated-crds.sh`](hack/move-generated-crds.sh): Moves all the CRDs into the `helm/cluster-api/files` directory. They are later used in the CRD install job.
 1. [`hack/generate-crd-version-patches.sh`](hack/generate-crd-version-patches.sh): Extracts the upstream Cluster API CRDs into `kustomize` patches in `helm/cluster-api/files`.
-1. [`hack/wrap-with-conditional.sh`](hack/wrap-with-conditional.sh): Wraps all occurrences of the `cluster.x-k8s.io/watch-filter` object selector into a condition.
- ```yaml
- {{- if .Values.watchfilter }}
- objectSelector:
- matchLabels:
- cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}'
- {{- end }}
- ```
+1. [`hack/wrap-with-conditional.sh`](hack/wrap-with-conditional.sh)
+ * Wraps all occurrences of the `cluster.x-k8s.io/watch-filter` object selector into a condition:
+ ```yaml
+ {{- if .Values.watchfilter }}
+ objectSelector:
+ matchLabels:
+ cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}'
+ {{- end }}
+ ```
+ * Wraps all the `*_ciliumnetworkpolicy_*.yaml` manifests into the global `ciliumNetworkPolicy.enabled` condition:
+ ```yaml
+ {{- if .Values.ciliumNetworkPolicy.enabled }}
+ [...]
+ {{- end }}
+ ```
 ## Upgrading Cluster API
diff --git a/config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml b/config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml
new file mode 100644
index 00000000..ad6cf0a7
--- /dev/null
+++ b/config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: capi-controller-manager
+ namespace: capi-system
+ labels:
+ app.kubernetes.io/component: cluster-api
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+spec:
+ endpointSelector:
+ matchLabels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
diff --git a/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
new file mode 100644
index 00000000..6cd8fa4c
--- /dev/null
+++ b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: capi-kubeadm-bootstrap-controller-manager
+ namespace: capi-kubeadm-bootstrap-system
+ labels:
+ app.kubernetes.io/component: bootstrap-kubeadm
+ cluster.x-k8s.io/provider: bootstrap-kubeadm
+ control-plane: controller-manager
+spec:
+ endpointSelector:
+ matchLabels:
+ cluster.x-k8s.io/provider: bootstrap-kubeadm
+ control-plane: controller-manager
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
diff --git a/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
new file mode 100644
index 00000000..90181fb4
--- /dev/null
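Review bot: The ingress rule of the new `capi-controller-manager` policy lists `cluster` next to `kube-apiserver` under `fromEntities`, which is far wider than the CHANGELOG's stated intent of letting the API server reach the webhook pods: as I read Cilium's entity model, `cluster` matches every endpoint in the local cluster, and with no `toPorts` restriction any pod in any namespace may then open any port on the controller. If `cluster` is there for kubelet probes from the node (presumably, but nothing on the page says so), the narrower `host` entity expresses that, and a comment such as `# cluster: needed for kubelet probes, not for the webhook path` above `- cluster` would record the reason for the next reviewer. The bootstrap policy in this same hunk run and the control-plane policy that continues on the next line carry the identical rule, as do the three generated templates, so the same point applies to all of them.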
+++ b/config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: capi-kubeadm-control-plane-controller-manager
+ namespace: capi-kubeadm-control-plane-system
+ labels:
+ app.kubernetes.io/component: control-plane-kubeadm
+ cluster.x-k8s.io/provider: control-plane-kubeadm
+ control-plane: controller-manager
+spec:
+ endpointSelector:
+ matchLabels:
+ cluster.x-k8s.io/provider: control-plane-kubeadm
+ control-plane: controller-manager
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
diff --git a/config/helm/kustomization.yaml b/config/helm/kustomization.yaml
index 8a5b0962..1a3e4d10 100644
--- a/config/helm/kustomization.yaml
+++ b/config/helm/kustomization.yaml
@@ -8,6 +8,10 @@ resources:
 - bases/networkpolicies/capi-controller-manager.yaml
 - bases/networkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
 - bases/networkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
+# Cilium network policies
+- bases/ciliumnetworkpolicies/capi-controller-manager.yaml
+- bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml
+- bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml
 # Watch filter configmap
 - bases/configmaps/watch-filter.yaml
diff --git a/hack/wrap-with-conditional.sh b/hack/wrap-with-conditional.sh
index 74ee055b..d353f939 100755
--- a/hack/wrap-with-conditional.sh
+++ b/hack/wrap-with-conditional.sh
@@ -11,3 +11,10 @@ for file in admissionregistration.k8s.io_v1_*.yaml; do
 new_content=$(tr '\n' '\r' < "${file}" | sed -e "s/${match}/{{ if .Values.watchFilter }}\n${match}\n{{ end }}/g" | tr '\r' '\n')
 printf "%s\n" "${new_content}" > "${file}"
 done
+
+for file in *_ciliumnetworkpolicy_*.yaml; do
+ data=$(cat "${file}")
+ echo '{{- if .Values.ciliumNetworkPolicy.enabled }}' > "${file}"
+ echo "${data}" >> "${file}"
+ echo '{{- end }}' >> "${file}"
+done
diff --git a/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-controller-manager.yaml b/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-controller-manager.yaml
new file mode 100644
index 00000000..5a9e7768
--- /dev/null
+++ b/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-controller-manager.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.ciliumNetworkPolicy.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: cluster-api
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+ app.kubernetes.io/name: cluster-api
+ app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+ application.giantswarm.io/branch: '{{ .Values.project.branch }}'
+ application.giantswarm.io/commit: '{{ .Values.project.commit }}'
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ helm.sh/chart: cluster-api
+ name: capi-controller-manager
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ endpointSelector:
+ matchLabels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
+{{- end }}
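Review bot: The new loop in `hack/wrap-with-conditional.sh` has no guard for an unmatched glob: when no `*_ciliumnetworkpolicy_*.yaml` is present (the CHANGELOG says these files were removed once before), `file` holds the literal pattern, `cat` fails, and the following `echo ... > "${file}"` creates a template literally named `*_ciliumnetworkpolicy_*.yaml` holding only the two guard lines, which Helm would then try to render. Whether `set -e` or `shopt -s nullglob` already prevents this depends on the script header, which is outside the hunk; a guard as the first line of the loop body covers both cases: `[ -e "${file}" ] || continue`. Separately, the emitted guard dereferences `.Values.ciliumNetworkPolicy.enabled`, which Helm reports as a render error rather than treating as false if the `ciliumNetworkPolicy` map is absent from values, and no values change is on this page, so it is worth confirming the key already exists with a default. The preceding loop over `admissionregistration.k8s.io_v1_*.yaml` starts before the hunk and likely has the same exposure.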
diff --git a/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml b/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml
new file mode 100644
index 00000000..e64baa2e
--- /dev/null
+++ b/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.ciliumNetworkPolicy.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: bootstrap-kubeadm
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+ app.kubernetes.io/name: cluster-api
+ app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+ application.giantswarm.io/branch: '{{ .Values.project.branch }}'
+ application.giantswarm.io/commit: '{{ .Values.project.commit }}'
+ cluster.x-k8s.io/provider: bootstrap-kubeadm
+ control-plane: controller-manager
+ helm.sh/chart: cluster-api
+ name: capi-kubeadm-bootstrap-controller-manager
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ endpointSelector:
+ matchLabels:
+ cluster.x-k8s.io/provider: bootstrap-kubeadm
+ control-plane: controller-manager
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
+{{- end }}
diff --git a/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml b/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml
new file mode 100644
index 00000000..a6199652
--- /dev/null
+++ b/helm/cluster-api/templates/cilium.io_v2_ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.ciliumNetworkPolicy.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: control-plane-kubeadm
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+ app.kubernetes.io/name: cluster-api
+ app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+ application.giantswarm.io/branch: '{{ .Values.project.branch }}'
+ application.giantswarm.io/commit: '{{ .Values.project.commit }}'
+ cluster.x-k8s.io/provider: control-plane-kubeadm
+ control-plane: controller-manager
+ helm.sh/chart: cluster-api
+ name: capi-kubeadm-control-plane-controller-manager
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ endpointSelector:
+ matchLabels:
+ cluster.x-k8s.io/provider: control-plane-kubeadm
+ control-plane: controller-manager
+ ingress:
+ - fromEntities:
+ - cluster
+ - kube-apiserver
+{{- end }}