contrib/gardener/scripts/deploy-karydia-cp deploys kube-mgmt in the gardener seed cluster (in the control plane of the shoot). But it is misconfigured and it connects to the apiserver of seed cluster instead of the shoot one. So opa is populated with the wrong data.
That's not a problem for most simple opa policies because the resource details is passed along in the admission request. But it will give wrong results for more complex opa policies.
We should make kube-mgmt use --kubeconfig to connect to the right apiserver.
Additionally, the RBAC rules should not be installed in the seed but in the shoot, since that's where kube-mgmt will connect. The script deploy-karydia-cp wrongly installs all resources in the same cluster.
contrib/gardener/scripts/deploy-karydia-cpdeploys kube-mgmt in the gardener seed cluster (in the control plane of the shoot). But it is misconfigured and it connects to the apiserver of seed cluster instead of the shoot one. Soopais populated with the wrong data.That's not a problem for most simple opa policies because the resource details is passed along in the admission request. But it will give wrong results for more complex opa policies.
We should make kube-mgmt use
--kubeconfigto connect to the right apiserver.Additionally, the RBAC rules should not be installed in the seed but in the shoot, since that's where
kube-mgmtwill connect. The scriptdeploy-karydia-cpwrongly installs all resources in the same cluster.