ialidzhikov
commented
3 weeks ago cc @n-boshnakov @Kostov6 @ScheererJ @DockToFuture @axel7born
Open ialidzhikov opened 3 weeks ago
ialidzhikov
commented
3 weeks ago cc @n-boshnakov @Kostov6 @ScheererJ @DockToFuture @axel7born
ScheererJ
commented
3 weeks ago The extension works out-of-the-box with open stack as cloud provider. As far as I know, the AWS provider extension was also adapted accordingly. However, I am not sure about the state of the support for Alicloud, Azure, and GCP.
@shaoyongfeng / @kon-angelo: Could you please comment concerning the infrastructure support? The relevant feature is the support for egress IPs in the infrastructure status.
@ialidzhikov Should the documentation be included right away or only after all infrastructures are adapted? The extension is basically usable today, but without the infrastructure provider support cluster owners need to figure out their egress IPs (= NAT gateway IP addresses) and add them manually. When the provider extension has proper support the cluster owners cannot shoot themselves into the foot by forgetting to allow their nodes to communicate to the API server.
ialidzhikov
commented
3 weeks ago Should the documentation be included right away or only after all infrastructures are adapted?
If there are infrastructures that don't yet support the acl extension, then we can properly document this and additionally add a validation in the admission component of the acl extension to forbid enabling the extension on one of the unsupported infrastructures. Support on aws and openstack is a good starting point and good enough reason to add this extension to the documentation.
Background of this issue: Folks were asking me how they can restrict access to their Shoot's kube-apiserver. Listing the extension in our docs and adding proper end user docs would allow folks to find out about the extension (the supported scenario) by themselves.
I am also not sure whether we have good end user docs for the extension under https://github.com/stackitcloud/gardener-extension-acl/tree/main/docs/adr. @n-boshnakov , you might want to revise the extension docs, properly categorise it and add, if missing, good end user docs.
kon-angelo
commented
3 weeks ago @shaoyongfeng / @kon-angelo: Could you please comment concerning the infrastructure support? The relevant feature is the support for egress IPs in the infrastructure status.
GCP is supported since last release I believe. and Azure will be released by next week. They are much more restricted and have specific prerequisites though compared to openstack/aws.
If there are infrastructures that don't yet support the acl extension, then we can properly document this and additionally add a validation in the admission component of the acl extension to forbid enabling the extension on one of the unsupported infrastructures.
It works the other way around. The provider-extension is aware of the ACL extension rather.
shaoyongfeng
commented
3 weeks ago Hi @ScheererJ , I have a question about acl extension. Is it IaaS specific or IaaS agnostic?
kon-angelo
commented
3 weeks ago @shaoyongfeng the ACL extension can be considered IaaS agnostic. It used to have openstack "hardcoded" but with the introduction of the EgressCIDRs field in the infrastructure status, it technically became agnostic.
That being said, you may have restrictions on its use, at which point we decided the validation for such cases should be part of the provider-extension instead of the ACL, so that the ACL remains "agnostic".
What would you like to be added: https://github.com/stackitcloud/gardener-extension-acl to be added in https://github.com/gardener/documentation/blob/master/.docforge/documentation/gardener-extensions/others.yaml
Why is this needed: To allow end users to easily find out that such extension exists and that it can help with restricting the access to the kube-apiserver of a Shoot from given CIDR ranges.