Open marwinski opened 6 years ago
I suggest not doing it, because of (1) our plans with the Gardener Ring that will use Gardener to run the clusters it runs itself on, but also (2) because of the technical reasons we initially had. Also, Kubify clusters usually (in the Gardener context) (3) do not run additional API servers (attack surface) and (4) don't provide access to other users from the outside. And, again on the known Kubernetes API server vulnerabilities, we do not grant project members access to services, endpoints or pods (in the Gardener context).
The Gardener project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/reopen
/remove-lifecycle rotten
/close
@gardener-ci-robot Command /close is not available to you but only to a Maintainer, Member, Author, Owner.
Story
As a seed cluster operator I want to protect my resources using network policies. The current implementation is based on flannel which does not support network policies.
Motivation
Kubify clusters are used in our landscapes as seed clusters for OpenStack. We need to be able to also provide #266 to those clusters. As we are quite familiar with Calico it should be used as the network provider.
Questions
Definition of Done
Release Notes