When apiserver-proxy mutating webhook starts too late, firewalls don't work

metal-stack / gardener-extension-provider-metal

Implementation of the gardener-extension-controller for metal-stack

MIT License

24 stars 11 forks source link

When apiserver-proxy mutating webhook starts too late, firewalls don't work #326

Closed majst01 closed 1 year ago

majst01 commented 1 year ago

Then the KUBERNETES_SERVICE_HOST of the seed api is not set to a dns name then the firewall-controller of a newly created firewall will not be able to talk to the seed.

This approach is a bit rude, but i am open for a solution without panic().

Gerrit91 commented 1 year ago

This does not work. GKE does not put their API servers behind DNS, it explicitly needs to allow IP addresses, too.