Add admission controller for cilium to disable kube-proxy unless alre…

…ady specified.

Cilium can run without kube-proxy. There is no need to enable kube-proxy by default.
With the admission controller of this change, new cilium clusters will have kube-proxy
disabled by default.

.ci/pipeline_definitions

@@ -15,6 +15,11 @@ gardener-extension-networking-cilium:
             image: 'eu.gcr.io/gardener-project/gardener/extensions/networking-cilium'
             dockerfile: 'Dockerfile'
             target: gardener-extension-networking-cilium
+          gardener-extension-admission-cilium:
+            registry: 'gcr-readwrite'
+            image: 'eu.gcr.io/gardener-project/gardener/extensions/admission-cilium'
+            dockerfile: 'Dockerfile'
+            target: gardener-extension-admission-cilium
   jobs:
     head-update:
       traits:
@@ -47,3 +52,5 @@ gardener-extension-networking-cilium:
           dockerimages:
             gardener-extension-networking-cilium:
               tag_as_latest: true
+            gardener-extension-admission-cilium:
+              tag_as_latest: true

Dockerfile

@@ -12,3 +12,10 @@ WORKDIR /
 COPY charts /charts
 COPY --from=builder /go/bin/gardener-extension-networking-cilium /gardener-extension-networking-cilium
 ENTRYPOINT ["/gardener-extension-networking-cilium"]
+
+############# gardener-extension-admission-cilium
+FROM gcr.io/distroless/static-debian11:nonroot AS gardener-extension-admission-cilium
+WORKDIR /
+
+COPY --from=builder /go/bin/gardener-extension-admission-cilium /gardener-extension-admission-cilium
+ENTRYPOINT ["/gardener-extension-admission-cilium"]

Makefile

@@ -14,6 +14,7 @@
 
 EXTENSION_PREFIX            := gardener-extension
 NAME                        := networking-cilium
+ADMISSION_NAME              := admission-cilium
 REGISTRY                    := eu.gcr.io/gardener-project/gardener
 IMAGE_PREFIX                := $(REGISTRY)/extensions
 REPO_ROOT                   := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
@@ -45,6 +46,16 @@ start:
 		--config-file=./example/00-componentconfig.yaml \
 		--gardener-version="v1.39.0"
 
+.PHONY: start-admission
+start-admission:
+	@LEADER_ELECTION_NAMESPACE=garden GO111MODULE=on go run \
+		-mod=vendor \
+		-ldflags $(LD_FLAGS) \
+		./cmd/$(EXTENSION_PREFIX)-$(ADMISSION_NAME) \
+		--webhook-config-server-host=0.0.0.0 \
+		--webhook-config-server-port=9443 \
+		--webhook-config-cert-dir=./example/admission-cilium-certs
+
 #################################################################
 # Rules related to binary build, Docker image build and release #
 #################################################################
@@ -60,7 +71,8 @@ docker-login:
 
 .PHONY: docker-images
 docker-images:
-	@docker build -t $(IMAGE_PREFIX)/$(NAME):$(VERSION) -t $(IMAGE_PREFIX)/$(NAME):latest -f Dockerfile -m 6g --target $(EXTENSION_PREFIX)-$(NAME) .
+	@docker build -t $(IMAGE_PREFIX)/$(NAME):$(VERSION)           -t $(IMAGE_PREFIX)/$(NAME):latest           -f Dockerfile -m 6g --target $(EXTENSION_PREFIX)-$(NAME)           .
+	@docker build -t $(IMAGE_PREFIX)/$(ADMISSION_NAME):$(VERSION) -t $(IMAGE_PREFIX)/$(ADMISSION_NAME):latest -f Dockerfile -m 6g --target $(EXTENSION_PREFIX)-$(ADMISSION_NAME) .
 
 #####################################################################
 # Rules for verification, formatting, linting, testing and cleaning #

charts/gardener-extension-admission-cilium/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/gardener-extension-admission-cilium/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for the Gardener Cilium admission controller
+name: gardener-extension-admission-cilium
+version: 0.1.0

charts/gardener-extension-admission-cilium/charts/application/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart to deploy the gardener-extension-admission-cilium application related resources
+name: application
+version: 0.1.0

charts/gardener-extension-admission-cilium/charts/application/templates/_helpers.tpl

@@ -0,0 +1,27 @@
+{{- define "name" -}}
+gardener-extension-admission-cilium
+{{- end -}}
+
+{{- define "labels.app.key" -}}
+app.kubernetes.io/name
+{{- end -}}
+{{- define "labels.app.value" -}}
+{{ include "name" . }}
+{{- end -}}
+
+{{- define "labels" -}}
+{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{-  define "image" -}}
+  {{- if hasPrefix "sha256:" .tag }}
+  {{- printf "%s@%s" .repository .tag }}
+  {{- else }}
+  {{- printf "%s:%s" .repository .tag }}
+  {{- end }}
+{{- end }}
+
+{{- define "deploymentversion" -}}
+apps/v1
+{{- end -}}

charts/gardener-extension-admission-cilium/charts/application/templates/mutatingwebhook-mutator.yaml

@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "name" . }}
+webhooks:
+- name: mutation.cilium.networking.extensions.gardener.cloud
+  rules:
+  - apiGroups:
+    - "core.gardener.cloud"
+    apiVersions:
+    - v1alpha1
+    - v1beta1
+    operations:
+    - CREATE
+    resources:
+    - shoots
+  failurePolicy: Fail
+  objectSelector:
+    {{- if .Values.global.webhookConfig.useObjectSelector }}
+    matchLabels:
+      networking.extensions.gardener.cloud/cilium: "true"
+    {{- end }}
+  namespaceSelector: {}
+  sideEffects: None
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    {{- if .Values.global.virtualGarden.enabled }}
+    url: {{ printf "https://%s.%s/webhooks/mutate" (include "name" .) (.Release.Namespace) }}
+    {{- else }}
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: {{ include "name" . }}
+      path: /webhooks/mutate
+    {{- end }}
+    caBundle: {{ required ".Values.global.webhookConfig.caBundle is required" .Values.global.webhookConfig.caBundle | b64enc }}

charts/gardener-extension-admission-cilium/charts/application/templates/rbac.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - core.gardener.cloud
+  resources:
+  - shoots
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}
+subjects:
+{{- if and .Values.global.virtualGarden.enabled .Values.global.virtualGarden.user.name }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ .Values.global.virtualGarden.user.name  }}
+{{- else }}
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/gardener-extension-admission-cilium/charts/application/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if and .Values.global.virtualGarden.enabled ( not .Values.global.virtualGarden.user.name ) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+{{- end }}

charts/gardener-extension-admission-cilium/charts/application/values.yaml

@@ -0,0 +1 @@
+../../values.yaml

charts/gardener-extension-admission-cilium/charts/runtime/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart to deploy the gardener-extension-admission-cilium runtime related resources
+name: runtime
+version: 0.1.0

charts/gardener-extension-admission-cilium/charts/runtime/templates/_helpers.tpl

@@ -0,0 +1,27 @@
+{{- define "name" -}}
+gardener-extension-admission-cilium
+{{- end -}}
+
+{{- define "labels.app.key" -}}
+app.kubernetes.io/name
+{{- end -}}
+{{- define "labels.app.value" -}}
+{{ include "name" . }}
+{{- end -}}
+
+{{- define "labels" -}}
+{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{-  define "image" -}}
+  {{- if hasPrefix "sha256:" .tag }}
+  {{- printf "%s@%s" .repository .tag }}
+  {{- else }}
+  {{- printf "%s:%s" .repository .tag }}
+  {{- end }}
+{{- end }}
+
+{{- define "deploymentversion" -}}
+apps/v1
+{{- end -}}

charts/gardener-extension-admission-cilium/charts/runtime/templates/deplyoment.yaml

@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+spec:
+  revisionHistoryLimit: 5
+  replicas: {{ .Values.global.replicaCount }}
+  selector:
+    matchLabels:
+{{ include "labels" . | indent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/secret-gardener-extension-admission-cilium-cert: {{ include (print $.Template.BasePath "/secret-cert.yaml") . | sha256sum }}
+        {{- if .Values.global.kubeconfig }}
+        checksum/gardener-extension-admission-cilium-kubeconfig: {{ include (print $.Template.BasePath "/secret-kubeconfig.yaml") . | sha256sum }}
+        {{- end }}
+      labels:
+{{ include "labels" . | indent 8 }}
+    spec:
+      {{- if not .Values.global.virtualGarden.enabled }}
+      serviceAccountName: {{ include "name" . }}
+      {{- else if and .Values.global.virtualGarden.enabled .Values.global.virtualGarden.user.name }}
+        {{- if .Values.global.serviceAccountTokenVolumeProjection.enabled }}
+      serviceAccountName: {{ include "name" . }}
+        {{- else }}
+      serviceAccountName: default
+        {{- end }}
+      {{- else }}
+      serviceAccountName: default
+      {{- end }}
+      {{- if .Values.global.kubeconfig }}
+      automountServiceAccountToken: false
+      {{- end }}
+      containers:
+      - name: {{ include "name" . }}
+        image: {{ include "image" .Values.global.image }}
+        imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+        command:
+        - /gardener-extension-admission-cilium
+        - --webhook-config-server-port={{ .Values.global.webhookConfig.serverPort }}
+        - --webhook-config-cert-dir=/etc/gardener-extension-admission-cilium/srv
+        {{- if .Values.global.kubeconfig }}
+        - --kubeconfig=/etc/gardener-extension-admission-cilium/kubeconfig/kubeconfig
+        {{- end }}
+        - --health-bind-address=:{{ .Values.global.healthPort }}
+        ports:
+        - name: webhook-server
+          containerPort: {{ .Values.global.webhookConfig.serverPort }}
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: {{ .Values.global.healthPort }}
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: {{ .Values.global.healthPort }}
+            scheme: HTTP
+          initialDelaySeconds: 5
+{{- if .Values.global.resources }}
+        resources:
+{{ toYaml .Values.global.resources | nindent 10 }}
+{{- end }}
+        volumeMounts:
+        - name: gardener-extension-admission-cilium-cert
+          mountPath: /etc/gardener-extension-admission-cilium/srv
+          readOnly: true
+        {{- if .Values.global.kubeconfig }}
+        - name: gardener-extension-admission-cilium-kubeconfig
+          mountPath: /etc/gardener-extension-admission-cilium/kubeconfig
+          readOnly: true
+        {{- end }}
+        {{- if .Values.global.serviceAccountTokenVolumeProjection.enabled }}
+        - name: service-account-token
+          mountPath: /var/run/secrets/projected/serviceaccount
+          readOnly: true
+        {{- end }}
+      volumes:
+      - name: gardener-extension-admission-cilium-cert
+        secret:
+          secretName: gardener-extension-admission-cilium-cert
+          defaultMode: 420
+      {{- if .Values.global.kubeconfig }}
+      - name: gardener-extension-admission-cilium-kubeconfig
+        secret:
+          secretName: gardener-extension-admission-cilium-kubeconfig
+          defaultMode: 420
+      {{- end }}
+      {{- if .Values.global.serviceAccountTokenVolumeProjection.enabled }}
+      - name: service-account-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: token
+              expirationSeconds: {{ .Values.global.serviceAccountTokenVolumeProjection.expirationSeconds }}
+              {{- if .Values.global.serviceAccountTokenVolumeProjection.audience }}
+              audience: {{ .Values.global.serviceAccountTokenVolumeProjection.audience }}
+              {{- end }}
+      {{- end }}

charts/gardener-extension-admission-cilium/charts/runtime/templates/poddisruptionbudget.yaml

@@ -0,0 +1,14 @@
+{{- if gt (int .Values.global.replicaCount) 1 }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+spec:
+  maxUnavailable: {{ sub (int .Values.global.replicaCount) 1 }}
+  selector:
+    matchLabels:
+{{ include "labels" . | indent 6 }}
+{{- end }}

charts/gardener-extension-admission-cilium/charts/runtime/templates/secret-cert.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gardener-extension-admission-cilium-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: gardener
+    role: controller-manager
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  tls.crt: {{ required ".Values.global.webhookConfig.tls.crt is required" (b64enc .Values.global.webhookConfig.tls.crt) }}
+  tls.key: {{ required ".Values.global.webhookConfig.tls.key is required" (b64enc .Values.global.webhookConfig.tls.key) }}