Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set kube-apiserver service external traffic policy to local so that a… #187

Closed
wants to merge 19 commits into from
Closed

Set kube-apiserver service external traffic policy to local so that a… #187

wants to merge 19 commits into from

Conversation

mreiger
Copy link
Contributor

@mreiger mreiger commented May 28, 2021

…udit events appear with their real source IP

majst01 and others added 19 commits May 4, 2021 13:40
@majst01
update to g/g 1.18.x
96b9f16
@majst01
Merge branch 'master' of https://github.com/metal-stack/gardener-exte…
09c1387 
…nsion-provider-metal
@majst01
Merge branch 'master' of https://github.com/metal-stack/gardener-exte…
e0ad0c4 
…nsion-provider-metal
@majst01
Merge branch 'master' of https://github.com/metal-stack/gardener-exte…
939ea95 
…nsion-provider-metal
@majst01
duros controller uses leases now for coordination
28f67a4
@majst01
add snapshot related crds required to make duros v2.2 be able to prov…
4928907 
…ide snapshots
@majst01
regenerate controller registration
f3a3881
@mreiger
Set kube-apiserver service external traffic policy to local so that a…
772b05e 
…udit events appear with their real source IP
@mreiger
merge duros-rbac branch so we can test this in dev
4d921c5
@mreiger
Regenerated controller registration
4e633fd
@mreiger
Add cluster name to log output for clarity
06725ee
@mreiger
More logging to see why reconcile fails now
94f5fae
@mreiger
Copy healthCheckNodePort over from the old service so that the new se…
f234d28 
…rvice can be applied
@mreiger
Add logging to healthCheckNodePort
0ea1f92
@mreiger
It is possible that no old kube-apiserver service version exists
cc0e713
@mreiger
Move apiserver service mutation from controlplaneexposure to controlp…
4144a12 
…lane to see if that gets it applied to both seed and shoot
@mreiger
Apparently apiserver service can only be modified from controlplaneex…
de4e231 
…posure
@mreiger
Merge branch 'master' of github.com:metal-stack/gardener-extension-pr…
f51cb55 
…ovider-metal into fix-186

Pull new changes from master
@mreiger
Generated controller registration
6f9141f
@mreiger
Copy link
Contributor Author

mreiger commented Jun 10, 2021

Gardener's own extension provider for Alicloud also does this:

https://github.com/gardener/gardener-extension-provider-alicloud/blob/0969fd18ba393658fccf44b07184b4e6d1535fa0/pkg/webhook/utils/service.go#L27

@mreiger mreiger marked this pull request as ready for review June 10, 2021 13:09
@mreiger mreiger requested a review from majst01 June 10, 2021 13:46
@Gerrit91
Copy link
Contributor

Gerrit91 commented Jan 10, 2022
edited
Loading

I assume this PR got outdated as there is now the istio-gateway in front of the services, which makes it even harder to reveal client source IPs for the audit logs.

This PR comes with the disadvantage that there is a chance that the API server becomes unavailable when the MetalLB on the worker node that runs the API server instance(s) is rolled / updated / not running properly (weaker availability). (https://metallb.universe.tf/usage/#local-traffic-policy-1)

Maybe there is only a good solution available when we get rid off kube-proxy to prevent SNAT, which is something that Cilium seems to offer. It could be reasonable to just open an issue regarding this requirement for further discussions and close this PR.

@Gerrit91 Gerrit91 added the stale A pull request that does not progress any further label Jan 10, 2022
@mreiger
Copy link
Contributor Author

mreiger commented Jan 13, 2022

Yes this is now outdated; the problem persists though since the service for the istio gateway has externalTrafficPolicy: Cluster.

There is already an issue: #186. I am closing this PR and we'll discuss how to move forward from here in the issue.

@mreiger mreiger closed this Jan 13, 2022
@majst01 majst01 deleted the fix-186 branch April 11, 2023 13:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@majst01 majst01 Awaiting requested review from majst01

Assignees
No one assigned
Labels
stale A pull request that does not progress any further
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mreiger @Gerrit91 @majst01