@@ -37,7 +37,6 @@ import (
3737
3838 appsv1 "k8s.io/api/apps/v1"
3939 corev1 "k8s.io/api/core/v1"
40- networkingv1 "k8s.io/api/networking/v1"
4140 rbacv1 "k8s.io/api/rbac/v1"
4241 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
4342)
@@ -512,9 +511,11 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
512511 ObjectMeta : metav1.ObjectMeta {
513512 Labels : map [string ]string {
514513 "app" : "audit-webhook-backend" ,
515- "networking.gardener.cloud/from-prometheus" : "allowed" ,
516- "networking.gardener.cloud/to-dns" : "allowed" ,
517- "networking.gardener.cloud/to-public-networks" : "allowed" ,
514+ "networking.gardener.cloud/from-prometheus" : "allowed" ,
515+ "networking.gardener.cloud/to-dns" : "allowed" ,
516+ "networking.gardener.cloud/to-public-networks" : "allowed" ,
517+ "networking.gardener.cloud/from-shoot-apiserver" : "allowed" ,
518+ "networking.resources.gardener.cloud/to-audit-cluster-forwarding-vpn-gateway-tcp-9876" : "allowed" ,
518519 },
519520 Annotations : map [string ]string {
520521 "scheduler.alpha.kubernetes.io/critical-pod" : "" ,
@@ -600,62 +601,6 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
600601 },
601602 },
602603 },
603- & networkingv1.NetworkPolicy {
604- ObjectMeta : metav1.ObjectMeta {
605- Name : "allow-to-audit-webhook-backend-from-kube-apiserver" ,
606- Namespace : namespace ,
607- },
608- Spec : networkingv1.NetworkPolicySpec {
609- PodSelector : metav1.LabelSelector {
610- MatchLabels : map [string ]string {
611- "app" : "audit-webhook-backend" ,
612- },
613- },
614- Ingress : []networkingv1.NetworkPolicyIngressRule {
615- {
616- From : []networkingv1.NetworkPolicyPeer {
617- {
618- PodSelector : & metav1.LabelSelector {
619- MatchLabels : map [string ]string {
620- "app" : "kubernetes" ,
621- "role" : "apiserver" ,
622- },
623- },
624- },
625- },
626- },
627- },
628- PolicyTypes : []networkingv1.PolicyType {networkingv1 .PolicyTypeIngress },
629- },
630- },
631- & networkingv1.NetworkPolicy {
632- ObjectMeta : metav1.ObjectMeta {
633- Name : "allow-from-kube-apiserver-to-audit-webhook-backend" ,
634- Namespace : namespace ,
635- },
636- Spec : networkingv1.NetworkPolicySpec {
637- PodSelector : metav1.LabelSelector {
638- MatchLabels : map [string ]string {
639- "app" : "kubernetes" ,
640- "role" : "apiserver" ,
641- },
642- },
643- Egress : []networkingv1.NetworkPolicyEgressRule {
644- {
645- To : []networkingv1.NetworkPolicyPeer {
646- {
647- PodSelector : & metav1.LabelSelector {
648- MatchLabels : map [string ]string {
649- "app" : "audit-webhook-backend" ,
650- },
651- },
652- },
653- },
654- },
655- },
656- PolicyTypes : []networkingv1.PolicyType {networkingv1 .PolicyTypeEgress },
657- },
658- },
659604 }
660605
661606 if pointer .SafeDeref (auditConfig .Backends .Log ).Enabled {
@@ -735,13 +680,14 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
735680 Labels : map [string ]string {
736681 "app" : "audit-cluster-forwarding-vpn-gateway" ,
737682
738- "networking.gardener.cloud/to-dns" : "allowed" ,
739- "networking.gardener.cloud/to-shoot-apiserver" : "allowed" ,
740- "networking.gardener.cloud/to-private-networks" : "allowed" ,
741- "networking.gardener.cloud/to-public-networks" : "allowed" , // is this required?
742- "networking.gardener.cloud/to-runtime-apiserver" : "allowed" ,
743- "networking.resources.gardener.cloud/to-kube-apiserver-tcp-443" : "allowed" ,
744- "networking.resources.gardener.cloud/to-vpn-seed-server-tcp-9443" : "allowed" ,
683+ "networking.gardener.cloud/to-dns" : "allowed" ,
684+ "networking.gardener.cloud/to-shoot-apiserver" : "allowed" ,
685+ "networking.gardener.cloud/to-private-networks" : "allowed" ,
686+ "networking.gardener.cloud/to-public-networks" : "allowed" , // is this required?
687+ "networking.gardener.cloud/to-runtime-apiserver" : "allowed" ,
688+ "networking.resources.gardener.cloud/to-kube-apiserver-tcp-443" : "allowed" ,
689+ "networking.resources.gardener.cloud/to-vpn-seed-server-tcp-9443" : "allowed" ,
690+ "networking.resources.gardener.cloud/from-audit-webhook-backend-tcp-9876" : "allowed" ,
745691 },
746692 },
747693 Spec : corev1.PodSpec {
@@ -844,60 +790,6 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
844790 Name : "audit-cluster-forwarding-vpn-gateway" ,
845791 },
846792 },
847- & networkingv1.NetworkPolicy {
848- ObjectMeta : metav1.ObjectMeta {
849- Name : "allow-to-audit-cluster-forwarding-vpn-gateway-from-audit-webhook" ,
850- Namespace : namespace ,
851- },
852- Spec : networkingv1.NetworkPolicySpec {
853- PodSelector : metav1.LabelSelector {
854- MatchLabels : map [string ]string {
855- "app" : "audit-cluster-forwarding-vpn-gateway" ,
856- },
857- },
858- Ingress : []networkingv1.NetworkPolicyIngressRule {
859- {
860- From : []networkingv1.NetworkPolicyPeer {
861- {
862- PodSelector : & metav1.LabelSelector {
863- MatchLabels : map [string ]string {
864- "app" : "audit-webhook-backend" ,
865- },
866- },
867- },
868- },
869- },
870- },
871- PolicyTypes : []networkingv1.PolicyType {networkingv1 .PolicyTypeIngress },
872- },
873- },
874- & networkingv1.NetworkPolicy {
875- ObjectMeta : metav1.ObjectMeta {
876- Name : "allow-from-audit-webhook-to-audit-cluster-forwarding-vpn-gateway" ,
877- Namespace : namespace ,
878- },
879- Spec : networkingv1.NetworkPolicySpec {
880- PodSelector : metav1.LabelSelector {
881- MatchLabels : map [string ]string {
882- "app" : "audit-webhook-backend" ,
883- },
884- },
885- Egress : []networkingv1.NetworkPolicyEgressRule {
886- {
887- To : []networkingv1.NetworkPolicyPeer {
888- {
889- PodSelector : & metav1.LabelSelector {
890- MatchLabels : map [string ]string {
891- "app" : "audit-cluster-forwarding-vpn-gateway" ,
892- },
893- },
894- },
895- },
896- },
897- },
898- PolicyTypes : []networkingv1.PolicyType {networkingv1 .PolicyTypeEgress },
899- },
900- },
901793 }
902794
903795 objects = append (objects , clusterForwarderObjects ... )
0 commit comments