feat: whitelist ntp and dns cidrs

metal-stack · Dec 11, 2023 · a45565c · a45565c
1 parent e0100b9
commit a45565c
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 5 deletions.
diff --git a/charts/internal/shoot-control-plane/templates/network-policies.yaml b/charts/internal/shoot-control-plane/templates/network-policies.yaml
@@ -7,7 +7,9 @@ metadata:
 spec:
   egress:
   - to:
-    - cidr: 0.0.0.0/0
+    {{- range $dest := .Values.networkAccess.dnsCidrs }}
+    - cidr: {{ $dest }}
+    {{- end }}
     ports:
     - protocol: UDP
       port: 53
@@ -22,7 +24,9 @@ metadata:
 spec:
   egress:
   - to:
-    - cidr: 0.0.0.0/0
+    {{- range $dest := .Values.networkAccess.ntpCidrs }}
+    - cidr: {{ $dest }}
+    {{- end }}
     ports:
     - protocol: UDP
       port: 123

diff --git a/charts/internal/shoot-control-plane/values.yaml b/charts/internal/shoot-control-plane/values.yaml
@@ -34,6 +34,10 @@ restrictEgress:
       protocol: TCP
       port: 443
 
+networkAccess:
+  dnsCidrs: ["0.0.0.0/0"]
+  ntpCidrs: ["0.0.0.0/0"]
+
 droptailer:
   podAnnotations: {}
   server:

diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
@@ -595,7 +595,7 @@ func (vp *valuesProvider) GetControlPlaneShootChartValues(ctx context.Context, c
 		return nil, err
 	}
 
-	metalControlPlane, _, err := helper.FindMetalControlPlane(cloudProfileConfig, infrastructureConfig.PartitionID)
+	metalControlPlane, partition, err := helper.FindMetalControlPlane(cloudProfileConfig, infrastructureConfig.PartitionID)
 	if err != nil {
 		return nil, err
 	}
@@ -625,7 +625,7 @@ func (vp *valuesProvider) GetControlPlaneShootChartValues(ctx context.Context, c
 		return nil, err
 	}
 
-	values, err := vp.getControlPlaneShootChartValues(ctx, cpConfig, cluster, nws, infrastructure, infrastructureConfig, secretsReader, checksums)
+	values, err := vp.getControlPlaneShootChartValues(ctx, cpConfig, cluster, partition, nws, infrastructure, infrastructureConfig, secretsReader, checksums)
 	if err != nil {
 		vp.logger.Error(err, "Error getting shoot control plane chart values")
 		return nil, err
@@ -635,7 +635,7 @@ func (vp *valuesProvider) GetControlPlaneShootChartValues(ctx context.Context, c
 }
 
 // getControlPlaneShootChartValues returns the values for the shoot control plane chart.
-func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, cpConfig *apismetal.ControlPlaneConfig, cluster *extensionscontroller.Cluster, nws networkMap, infrastructure *extensionsv1alpha1.Infrastructure, infrastructureConfig *apismetal.InfrastructureConfig, secretsReader secretsmanager.Reader, checksums map[string]string) (map[string]interface{}, error) {
+func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, cpConfig *apismetal.ControlPlaneConfig, cluster *extensionscontroller.Cluster, partition *apismetal.Partition, nws networkMap, infrastructure *extensionsv1alpha1.Infrastructure, infrastructureConfig *apismetal.InfrastructureConfig, secretsReader secretsmanager.Reader, checksums map[string]string) (map[string]interface{}, error) {
 	namespace := cluster.ObjectMeta.Name
 
 	nodeCIDR, err := helper.GetNodeCIDR(infrastructure, cluster)
@@ -702,6 +702,33 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
 		})
 	}
 
+	networkAccessType := apismetal.NetworkAccessBaseline
+	if cpConfig.NetworkAccessType != nil {
+		networkAccessType = *cpConfig.NetworkAccessType
+	}
+
+	var dnsCidrs []string
+	if networkAccessType != apismetal.NetworkAccessBaseline {
+		dnsCidrs = make([]string, len(partition.NetworkIsolation.DNSServers))
+		for i, ip := range partition.NetworkIsolation.DNSServers {
+			dnsCidrs[i] = ip + "/32"
+		}
+	}
+	if len(dnsCidrs) == 0 {
+		dnsCidrs = []string{"0.0.0.0/0"}
+	}
+
+	var ntpCidrs []string
+	if networkAccessType != apismetal.NetworkAccessBaseline {
+		ntpCidrs = make([]string, len(partition.NetworkIsolation.NTPServers))
+		for i, ip := range partition.NetworkIsolation.NTPServers {
+			ntpCidrs[i] = ip + "/32"
+		}
+	}
+	if len(ntpCidrs) == 0 {
+		ntpCidrs = []string{"0.0.0.0/0"}
+	}
+
 	values := map[string]any{
 		"imagePullPolicy": helper.ImagePullPolicyFromString(vp.controllerConfig.ImagePullPolicy),
 		"pspDisabled":     gardencorev1beta1helper.IsPSPDisabled(cluster.Shoot),
@@ -715,6 +742,10 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
 			"apiServerIngressDomain": "api." + *cluster.Shoot.Spec.DNS.Domain,
 			"destinations":           egressDestinations,
 		},
+		"networkAccess": map[string]any{
+			"dnsCidrs": dnsCidrs,
+			"ntpCidrs": ntpCidrs,
+		},
 	}
 
 	droptailerServer, serverOK := secretsReader.Get(metal.DroptailerServerSecretName)