feat(controlplane): cwnp for registry

Adds CWNP to access the internal registry for restricted or forbidden network accesses and disallows HTTP(S) egress in those cases.

charts/internal/shoot-control-plane/templates/network-policies.yaml

@@ -31,6 +31,21 @@ spec:
     - protocol: UDP
       port: 123
 
+{{- if .Values.networkAccess.restrictedOrForbidden }}
+---
+apiVersion: metal-stack.io/v1
+kind: ClusterwideNetworkPolicy
+metadata:
+  name: allow-to-registry
+  namespace: firewall
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: {{ quote .Values.networkAccess.registry.host }}
+    ports:
+    - protocol: {{ .Values.networkAccess.registry.proto }}
+      port: {{ .Values.networkAccess.registry.port }}
+{{- end }}
 # FIXME remove and replace with appropriate cwnp based on networkAccessType
 {{- if .Values.restrictEgress.enabled }}
 ---
@@ -75,7 +90,7 @@ spec:
 {{- end }}
 
 {{- else }}
-
+{{- if not .Values.networkAccess.restrictedOrForbidden }}
 ---
 apiVersion: metal-stack.io/v1
 kind: ClusterwideNetworkPolicy
@@ -102,6 +117,7 @@ spec:
     ports:
     - protocol: TCP
       port: 80
+{{- end }}
 {{- if gt (len .Values.apiserverIPs) 0 }}
 ---
 apiVersion: metal-stack.io/v1

charts/internal/shoot-control-plane/values.yaml

@@ -35,8 +35,16 @@ restrictEgress:
       port: 443
 
 networkAccess:
+  restrictedOrForbidden: false
   dnsCidrs: ["0.0.0.0/0"]
   ntpCidrs: ["0.0.0.0/0"]
+  registry:
+    name: ""
+    hostname: ""
+    ip: ""
+    port: 443
+    ipfamily: ""
+    proto: ""
 
 droptailer:
   podAnnotations: {}

pkg/controller/controlplane/valuesprovider.go

@@ -707,9 +707,10 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
 	if cpConfig.NetworkAccessType != nil {
 		networkAccessType = *cpConfig.NetworkAccessType
 	}
+	restrictedOrForbidden := networkAccessType != apismetal.NetworkAccessBaseline
 
 	var dnsCidrs []string
-	if networkAccessType != apismetal.NetworkAccessBaseline {
+	if restrictedOrForbidden && partition.NetworkIsolation != nil {
 		dnsCidrs = make([]string, len(partition.NetworkIsolation.DNSServers))
 		for i, ip := range partition.NetworkIsolation.DNSServers {
 			dnsCidrs[i] = ip + "/32"
@@ -720,7 +721,7 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
 	}
 
 	var ntpCidrs []string
-	if networkAccessType != apismetal.NetworkAccessBaseline {
+	if restrictedOrForbidden && partition.NetworkIsolation != nil {
 		ntpCidrs = make([]string, len(partition.NetworkIsolation.NTPServers))
 		for i, ip := range partition.NetworkIsolation.NTPServers {
 			ntpCidrs[i] = ip + "/32"
@@ -730,6 +731,19 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
 		ntpCidrs = []string{"0.0.0.0/0"}
 	}
 
+	var networkAccessRegistry map[string]any
+	if restrictedOrForbidden && partition.NetworkIsolation != nil {
+		r := partition.NetworkIsolation.Registry
+		networkAccessRegistry = map[string]any{
+			"name":     r.Name,
+			"hostname": r.Hostname,
+			"ip":       r.IP,
+			"port":     r.Port,
+			"ipfamily": r.IPFamily,
+			"proto":    r.Proto,
+		}
+	}
+
 	values := map[string]any{
 		"imagePullPolicy": helper.ImagePullPolicyFromString(vp.controllerConfig.ImagePullPolicy),
 		"pspDisabled":     gardencorev1beta1helper.IsPSPDisabled(cluster.Shoot),
@@ -744,8 +758,10 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
 			"destinations":           egressDestinations,
 		},
 		"networkAccess": map[string]any{
-			"dnsCidrs": dnsCidrs,
-			"ntpCidrs": ntpCidrs,
+			"restrictedOrForbidden": restrictedOrForbidden,
+			"dnsCidrs":              dnsCidrs,
+			"ntpCidrs":              ntpCidrs,
+			"registry":              networkAccessRegistry,
 		},
 	}