diff --git a/charts/internal/shoot-control-plane/templates/network-policies.yaml b/charts/internal/shoot-control-plane/templates/network-policies.yaml index d7504c384..40c09a5b9 100644 --- a/charts/internal/shoot-control-plane/templates/network-policies.yaml +++ b/charts/internal/shoot-control-plane/templates/network-policies.yaml @@ -31,6 +31,21 @@ spec: - protocol: UDP port: 123 +{{- if .Values.networkAccess.restrictedOrForbidden }} +--- +apiVersion: metal-stack.io/v1 +kind: ClusterwideNetworkPolicy +metadata: + name: allow-to-registry + namespace: firewall +spec: + egress: + - toFQDNs: + - matchName: {{ quote .Values.networkAccess.registry.host }} + ports: + - protocol: {{ .Values.networkAccess.registry.proto }} + port: {{ .Values.networkAccess.registry.port }} +{{- end }} # FIXME remove and replace with appropriate cwnp based on networkAccessType {{- if .Values.restrictEgress.enabled }} --- @@ -75,7 +90,7 @@ spec: {{- end }} {{- else }} - +{{- if not .Values.networkAccess.restrictedOrForbidden }} --- apiVersion: metal-stack.io/v1 kind: ClusterwideNetworkPolicy @@ -102,6 +117,7 @@ spec: ports: - protocol: TCP port: 80 +{{- end }} {{- if gt (len .Values.apiserverIPs) 0 }} --- apiVersion: metal-stack.io/v1 diff --git a/charts/internal/shoot-control-plane/values.yaml b/charts/internal/shoot-control-plane/values.yaml index 9377851cc..8ad816999 100644 --- a/charts/internal/shoot-control-plane/values.yaml +++ b/charts/internal/shoot-control-plane/values.yaml @@ -35,8 +35,16 @@ restrictEgress: port: 443 networkAccess: + restrictedOrForbidden: false dnsCidrs: ["0.0.0.0/0"] ntpCidrs: ["0.0.0.0/0"] + registry: + name: "" + hostname: "" + ip: "" + port: 443 + ipfamily: "" + proto: "" droptailer: podAnnotations: {} diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go index 6609cc982..9c7da0c84 100644 --- a/pkg/controller/controlplane/valuesprovider.go +++ b/pkg/controller/controlplane/valuesprovider.go 
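Review bot: The new allow-to-registry policy reads `.Values.networkAccess.registry.host`, but the values.yaml hunk in this same commit defines the key as `hostname` (and the Go values provider emits `"hostname"` as well), so `matchName` renders as an empty string and the firewall rule never matches the registry; on a restricted or forbidden cluster image pulls would then be blocked with no template error to point at the cause. The line should read `- matchName: {{ quote .Values.networkAccess.registry.hostname }}`. Because the block is only rendered when restrictedOrForbidden is true and the registry map is then filled from the partition, an empty `hostname` or `proto` coming from the partition would still produce a no-op or invalid rule, so wrapping both in `{{ required "..." ... }}` (if the renderer supports Helm's `required`) would make a misconfigured partition fail at render time instead of silently allowing nothing. Note also that `name` is the only other registry field the template could use to identify the rule; the `ip` field the values hunk adds is not consulted, which is worth a comment in values.yaml if FQDN-only matching is intended.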
@@ -707,9 +707,10 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c if cpConfig.NetworkAccessType != nil { networkAccessType = *cpConfig.NetworkAccessType } + restrictedOrForbidden := networkAccessType != apismetal.NetworkAccessBaseline var dnsCidrs []string - if networkAccessType != apismetal.NetworkAccessBaseline { + if restrictedOrForbidden && partition.NetworkIsolation != nil { dnsCidrs = make([]string, len(partition.NetworkIsolation.DNSServers)) for i, ip := range partition.NetworkIsolation.DNSServers { dnsCidrs[i] = ip + "/32" @@ -720,7 +721,7 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c } var ntpCidrs []string - if networkAccessType != apismetal.NetworkAccessBaseline { + if restrictedOrForbidden && partition.NetworkIsolation != nil { ntpCidrs = make([]string, len(partition.NetworkIsolation.NTPServers)) for i, ip := range partition.NetworkIsolation.NTPServers { ntpCidrs[i] = ip + "/32" @@ -730,6 +731,19 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c ntpCidrs = []string{"0.0.0.0/0"} } + var networkAccessRegistry map[string]any + if restrictedOrForbidden && partition.NetworkIsolation != nil { + r := partition.NetworkIsolation.Registry + networkAccessRegistry = map[string]any{ + "name": r.Name, + "hostname": r.Hostname, + "ip": r.IP, + "port": r.Port, + "ipfamily": r.IPFamily, + "proto": r.Proto, + } + } + values := map[string]any{ "imagePullPolicy": helper.ImagePullPolicyFromString(vp.controllerConfig.ImagePullPolicy), "pspDisabled": gardencorev1beta1helper.IsPSPDisabled(cluster.Shoot), @@ -744,8 +758,10 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c "destinations": egressDestinations, }, "networkAccess": map[string]any{ - "dnsCidrs": dnsCidrs, - "ntpCidrs": ntpCidrs, + "restrictedOrForbidden": restrictedOrForbidden, + "dnsCidrs": dnsCidrs, + "ntpCidrs": ntpCidrs, + "registry": networkAccessRegistry, }, }
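Review bot: The new `restrictedOrForbidden && partition.NetworkIsolation != nil` guards fail open: when the shoot requests restricted or forbidden network access but the partition carries no NetworkIsolation, the else branches (visible at the top of the third hunk for NTP) fall back to `0.0.0.0/0` for DNS and NTP and `networkAccessRegistry` stays nil, so the chart is rendered with baseline-wide egress while reporting `restrictedOrForbidden: true`. A configuration that cannot honour the requested isolation should be rejected rather than silently downgraded, e.g. right after `restrictedOrForbidden` is computed: `if restrictedOrForbidden && partition.NetworkIsolation == nil {` / `return nil, fmt.Errorf("network access type %q requires network isolation to be configured for the partition", networkAccessType)` / `}` (this assumes the function's `(map[string]any, error)` shape and an existing fmt import; otherwise use the file's error helper). That check also removes the nil `"registry"` value passed to the chart in the fourth hunk, which the template dereferences on restricted clusters. getControlPlaneShootChartValues begins before and ends after these hunks.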