First draft of API for isolated clusters

example/controller-registration.yaml

@@ -8,7 +8,7 @@ providerConfig:
   chart: H4sIAAAAAAAAA+0ca2/cNjKf9SsIpYe2h0j78NoOBORQ13YT3yW2YftSHIoi0Er0rmKtqJKSH03z32/40lurlZ04TSvCgFfUzHBIzgyHw6EWLvVxhKmFbxMcsYBEVkzJdeBD1Qonbjh68uAyhrK7vS3+Q6n+F78nW7PJdHu6s8PrJztb49kTtP3wprtLyhKXIvSEEpKsg+t6/5WWRef87y9dmth37iq8bxt8gndms9b5n27NyvM/harxEzT+lB1tK3/z+Xfj4C2mfN4ddD0x3DjOHs2JPTYNHzOPBnEiqvbQKxyukMdFAl0SipIlRi+VCKE3XF7QqRIflEmUEbkr7KBOUTOuddNjG9o2vvTY/B1Kt/77xLMX5CFtdOn/9tZuxf7vzsbbg/4/RhmNFsRZcAlwE4zYElkeMm17BH/XOPIJHS2CZJnObY+sRlpY8h9L17saaXTLI1FCSRiC7FC8CFgCtSBRNpAtCxWy0TffeW6CZEtvD8/Oj06Ov1eP+NZdxSEetZHjaxHaly9PQzfCjiR6FF1SF6BSL0mprvyZ0CtM5YNpGKMROgWe3QVWVgxH7jzEDJWGIY1joiycqgyihTB2HqEUewnKeUMl3oy4SP3Pb8K69T/BMBkwKuzenmBv/2863hpPB//vMUqf+X+3xGEMS7SdxL18wQ77P5lOdyrzP92ZDvb/UcqHDxby8WUQYWRyN81E1sePRrerxvFgfRDQRpFI6M5xyGxwJO0rfCfJiYd0jmmEQY7sgIx4UyUaLSSu3TBVPH34gILIC1M/49RGCnENI3XcKoOcioNaIFT7oqV6L4IIhCfysEC3z3CIXYbtY2CukbOMtWAFK4TkDCH+JrhES5edUnh/i0y2dKfbOw40+5Y3D01xeDtxFyjDiGkQJZfI/Af74R+sCklxTFiQEHq3jgT0ETcRdO5NEDpb6Hd1Qnwch+RuhaNE+fmZcLARbD2Kw/WlteLvU/rYf/B5LoPFyo0tMfnX4AcRahGYzRsaJLg1RtDl/892tir2f5dXDfb/EYqyPiWtfism9kTPq7R9pTDBVRD5DnfBQR7euLHBJcV3E9cBSyA3+83WullwFBID17nBlIpqaWSkYXYazDkn/wdUgiwnaMahNTuiRfauLKUO+oMTWdvrMrmCUfvSU/ZJy730v2c0sEP/tye72xX935rMJoP+P0b5VIqdycZnVWbZSqbCCIplWeJ/sSNCcG0tx3Ym2sxWBLTU215IUh+8DzeMl+5EEMqGQO3v5WCkcn9vVOyloueFAfAKkBEYEQCTPQR+K/WOqAVmPQ/HvB4YSy7uYszEUFH8WxpQ7COzg75dJ4ACluGbXfw14SuWxSDr2p5cFTD7sVNEzPj4Le47KoDRr12OkLU3TylLerYocPq1KVHKS0qzVK1cbwme85FYwTSfpUqhPQn5Hw+IrUVuXcyaW76Erty4YXgE00IjN5Q7k5yJtvdr+Gkl2ZM1vKCYsQPMkiASKpkxVX+zhp0GMq2MCOKJ52vtZeAnwKjqR67mLmPH2jxWWwJMW6HYGWQudoDuglUMkrtubAVYkFnXu0rjnBPmLbGfhu2MSARbwxXZ8HGYuOeRG7MlSU4xDYjfRaYBJTd9sLJiupf6QaL5k7HWRqpFcFvBaVIur7wg53GYRlcb0CrBF4k1S1QruGxoib0LcoWj7pY0ZI7LBeq2G1GAlVp8RZQp6mqQA5YwTwndDJMD5phJyA43HdEcttTy/t5PAZe8kmvd1roEznXueV3lKmrmp5SwXNLXzL9WF4HRPf+t4Lqp2KVJwG2EdAXWWJUyqQpe3tnJtMHCiE3IaRqGpyQMvEZjUAFp71IGeI49irlCecTH/gHxrrRD8+/zk+Na0xI8V7FGrLWcdTf4V91JfZ2lz/4vD+D12wCu3/9NJpPtav7H1tb2kP/xKKW4bdKRWLkDOshme+Nd4GfZ+7EYe7xhiq8DzuergFvZu9fBChwLNBZvYjCHLisZJlW5T9JILXMMeOEhHkf50Ym3fL0ZHzuSgNYERaAwKMJLiSKSaL9TLx0bhtcyTxBWxiuWrgqhVqGEzXGz0jR8JwL46Bv7QnFp/wgDf+omS2RuFLk1vxddlocPwEORr8pS1cLq2tDAPZjdiC0YXRc40yMMw0UDTy/j5x4FAY8WpdWcEgBa4jQ7iHKQ2XB+Y7ZgME6T4yQ0xTnQU37O4aZhghQLfMBiwrsZRIV0AYuCQAYr3EI9Fu6bWRBkRU65a2b7nGil0gARTm4IBWWuxTsSormwYHgYpiAIoP5hSG6wvxm+D1LeDyNO56CQloLpjU2Da55ishE6bO1ISj0YvDohQLNgt0ISZvHDvHwArMSLrdlsK6fcYRWeZ46qslBCLWCiXdh302wirC6TKYtQzPLM187ePn50aq/lCZxZptPiRkqMuORAZvpMVitQpFx8LDRqcA6kOVrexZgWIMsuQzEPCGhCm0VYSxkE6xI2AC9GsJ0cNQ+NMgSjQtCvSoa3EvMMIGjnlld4KaUwNxbF/AEaYC/KzqriK/stsO0c8/wu8lhxXHhLSwye/By7iZUtby/WrG5NiEAb31gBD35cwwgxzp/fylyGZwu8I4V2LrGqrQSlvKf+Q1HG7xqMYBERaIXEWIZErXzha21AoJxojL0MoUr7RiRr9e+BxOvi/AbPQfGvtPz1nMsKtjIa3F4XuVJQ+2o/KIDKO21JzQ8YX6AKqlLqnHqdR6F5eOo9rCbIfGa20VJtNxH6Wb1qoVJxU8pLTqkt9cqagxG0XN/nUbQXTutytc6DUAoSJst2avJ9EyOZbVLJBMVOZ1ZfvSvi4ui6aOOkbX59uHdwePbu8PXh/sXRyfG74703h+ene/uHGSRCIhXkJ1isnUIlD4Xi0D/Dl+VaVc89GifzFO1M4u7rH2p+j97svTx8C8yenL07eXt49vPZ0UWNVweNRBJi4fBz1Hgaum6SwuAaRpKxU0rmuNjHZZLEL/NYgSyx6O9Iztrv5VfVuFTz1PLCg5O8l68uLk4LL4IoSAI3PMChe6csoYMm4wyCYtcPevPKse4ehdVto9gAq0uhtjDSahTIZU5FLbi3ibkRLmZCPBI66GL/tBoyypylIk5W2RTsyjH+QJEOaY0bQlq8XJMwXeE3fBvW0GVpTAusrjigVJtu1+ChatSWjdDETE2VCnBchk6iEJwtvidoVyc+P4GH9zyPEz7udgufIvfykgvTnZPVcPHx98B732t4hbKDqIMUtliLcxnnh19HYg1W1Ye32EuLB5JP1bgIN/e8tFHWL8WA8E3z4W3M7XRxo5tDWOgK37Wm02UJdzU8hKRDAa2io6jhtTBpDQ3yJjdI3iujJSQmIVnc/YfzapaT+paEJWIiFI4U4Jo7X5FATx+ZF43Mxifmuqgt5BviA95sqm1bL/HeTLj789ulLGt4H8K9f9rSJ/4LdgfcSZqKy2Dz1F/gzQLBnfd/ZpX7P/BjdzrEfx+jKNOySNB3PFTVFD39Hk2qKYCxCB+MridzEBEdMD4l/kEmHj8K8fhzRI5hO/nfyL12g5BvhQR5ls47O/zgiPHXYPr66D+du959LgJ36P9sZ1K7/zHh978H/f/8hafPFTVbzLGbJktCg9/llbar58IvyrMDZarGGQlxH/3uo7k0DbnHZfGsvpeUpLFwvyxUyOQrR3aN0paFg6qEEiYfCsG+hpoRyECSyhflYFhjXRFcRp5Kv/PX4CXNFTvcGAoHO2Dyxw23JuJXnP1KYxhLXO92Wzy73msZbvWz2jIT5j/NOnGPEOqrJCg113W6whZXqHmw7REeYK1XD2xD1wvTL99VAswAyh+EeeZZmWKE65YsC6M2z0XbcJum+MePQ8WPeTZBrdohEfxVIPZFpRuhRYA4KEhw4UXh7KJtdLLlkVUeR7ALdMPgdy2F4KPDVlv8ZCIZIxN4ud1QUOpwSj7lJ/u15xHz3BArcmL7yooPrtzLsqLOgV7hWgUP8UH/ZH0OUXv1nszlD/A28x8j2K1JAU8TcRlXBT68YnKuBIddX+B3wHjAFlnpERYXlIL8rZoN4eQEG+mQSra0mRsLxWycQY7ZTQqki/AhXycLQCMBZyWEkdHgcvYrxJ/KTGiLO0LBZeChNruqwBLXu2psUCdvlmb1JuD61neoNCm7X5vZk5ZnXVEW3a7WdYJWV+MigWsDev4GKxHAAHc0UBKfP/ZZKB6yFEKL/AiF+qzy2IuBBzkKP0oV/2z+AjShYvB6mNZwaGRJ/gVPpoMf2DC8h8VGKI9EPi8F8z7N/ubx/b8+/r8y+b23AB3+/3R7Vs3/mu5sDff/HqU03v9Rov3pd++1HKlNkjYuKVnxk+HQt3giiDg7Qd/+8sHUxxqmY17sn5rPTP7OdDY7Hvn467f9OBCJIxj7lkwAskBswFQyS2WLlBir8lE+FH1W5fxevOjTonV8PNYAZbNv6ZCJ4qAQM4F2K5H20rko8CiJmjBANcRKe9zeA4LI4zF7cQoukyVWkYzTPA8AhjDgWYT50mrIQ4OLk4MTB10sAyZXJb41oAR8Pn7zBxwQWE7BQPoiES0iKCTRAlNgBzxLn2d/8Q/HXKYiuQKd4RW5xrxqhVyGGCER/1/7tM4P1xN7d5t/FgDNMY5gTRca5dv9JEVG6qx6t0WaU5NA34v+J1OC+8T3EnFTTS3mR/wcNg/cbZbZmR3IWurwdzbbEuNQPjkVR0dilHodxH5pG7+u3GP9V1u+zd2Arvj/dDaprP+z6XjI/36Usm79167tFw3if+kB+ouXbv2XB+8P+QBoh/5vTXer3/8Yz3aH+P+jFJl2LGIGOs3YQYulR7WDpqIkTbnAlU9C8bVx4SCxVvD9cFxIQt4Lb9w7ZhjFYzYHTYw8UoE+fDSMgovgoOfj52MjT70SFRPDKGRMqk8CZIF8uaeoZIHKxKtyCH8NYBYzljBN+bcO2uLZDTLcv67NtrRXB126IcOGUU/zdNAvvxqVpE1RZzxFTXkf/Lolz2oJ1H3wp4UMkNhNmcwwFcljhsx+kQN+Vpzu/AuPuYNe/DkPyXy0crl7NZqnQQhuNCc9ktf7eB63oZOPClSlDC0IWYT4XZ4XL3Etd+XvzBSakBtzi39uVlZkH4Kd2JOJfft192pS65X5rxe8Z1P5wrZtwyj5j44hc8V0wh/3Ro2nT6Eu4XFtJj5MqXTlGcL2wkZM33SZ3yHh1OfXSgBTKxYnDHTk5ZjsoorGFS8NfbVW351RSW2Gl7HW/FWLpm9awD6JqzsHGr1nJNK6kn9fohFCfPlhMpYpROqzDBOhc+WvH3C9aLz3L1+0fqVA4WVX+is3jfPr/LpCX9CXDJXu3Gc37g2dBlW/RW80XYfPLjBLW9B4zb0GU7iOLp7kBXP9Qtwa1w9CdOSWJb/brV+qu9pGpe+lO9YNjdfvQnOz3XDp5OjyGHoP84JFaLTxgnHb9WIj+/yg1APNtl5u1PddBs9wKEMZylCGMpShDGUoQxnKUIYylKEMZShDGcpQhjKUoQylqfwfDhFVpwB4AAA=
   values:
     image:
-      tag: v0.21.1
+      tag: v0.20.20
 ---
 apiVersion: core.gardener.cloud/v1beta1
 kind: ControllerRegistration

pkg/apis/metal/types_cloudprofile.go

@@ -1,6 +1,7 @@
 package metal
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -66,4 +67,35 @@ const (
 type Partition struct {
 	// FirewallTypes is a list of available firewall machine types in this partition. When empty, allows all values.
 	FirewallTypes []string
+
+	// NetworkIsolation if given allows the creation of shoot clusters which have network restrictions activated.
+	// Will be taken into account if NetworkAccessRestricted or NetworkAccessForbidden is defined
+	// +optional
+	NetworkIsolation *NetworkIsolation
+}
+
+type NetworkIsolation struct {
+	// AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.
+	AllowedNetworks []string
+	// DNSServers
+	DNSServers []NetworkServer
+	// NTPServers
+	NTPServers []NetworkServer
+	// The registry which serves the images required to create a shoot.
+	Registry NetworkServer
+}
+
+type NetworkServer struct {
+	// Name describes this server
+	Name string
+	// Hostname is typically the dns name of this server
+	Hostname string
+	// IP is the ipv4 or ipv6 address of this server
+	IP string
+	// IPFamily defines the family of the ip
+	IPFamily corev1.IPFamily
+	// Port at which port the service is reachable
+	Port int32
+	// Proto the network protocol to reach the service
+	Proto corev1.Protocol
 }

pkg/apis/metal/types_controlplane.go

@@ -19,6 +19,10 @@ type ControlPlaneConfig struct {
 
 	// CustomDefaultStorageClass
 	CustomDefaultStorageClass *CustomDefaultStorageClass
+
+	// NetworkAccessType defines how the cluster can reach external networks.
+	// +optional
+	NetworkAccessType *NetworkAccessType
 }
 
 // CustomDefaultStorageClass defines the  custom storageclass which should be set as default
@@ -52,6 +56,7 @@ type ControlPlaneFeatures struct {
 	// RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries)
 	// by using DNS egress policies.
 	// Requires firewall-controller >= 1.2.0.
+	// Deprecated: Will be replaced by NetworkAccessRestricted.
 	// +optional
 	RestrictEgress *bool `json:"restrictEgress,omitempty"`
 }
@@ -66,3 +71,25 @@ type CloudControllerManagerConfig struct {
 	// +optional
 	DefaultExternalNetwork *string
 }
+
+type (
+	// NetworkAccessType defines how a cluster is capable of accessing external networks
+	NetworkAccessType string
+)
+
+const (
+	// NetworkAccessBaseline allows the cluster to access external networks in a baseline manner
+	NetworkAccessBaseline = NetworkAccessType("baseline")
+	// NetworkAccessRestricted access to external networks is by default restricted to registries, dns and ntp to partition only destinations.
+	// Therefor registries, dns and ntp destinations must be specified in the cloud-profile accordingly-
+	// If this is not the case, restricting the access must not be possible.
+	// Image overrides for all images which are required to create such a shoot, must be specified. No other images are provided in the given registry.
+	// customers can define own rules to access external networks as in the baseline.
+	// Service type loadbalancers are also not restricted.
+	NetworkAccessRestricted = NetworkAccessType("restricted")
+	// NetworkAccessForbidden in this configuration a customer can no longer create rules to access external networks.
+	// which are outside of a given list of allowed networks. This is enforced by the firewall.
+	// Service type loadbalancers are also not possible to open a service ip which is not in the list of allowed networks.
+	// This is also enforced by the firewall.
+	NetworkAccessForbidden = NetworkAccessType("baseline")
+)

pkg/apis/metal/v1alpha1/types_cloudprofile.go

@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -72,4 +73,33 @@ const (
 type Partition struct {
 	// FirewallTypes is a list of available firewall machine types in this partition. When empty, allows all values.
 	FirewallTypes []string `json:"firewallTypes"`
+
+	// NetworkIsolation if given allows the creation of shoot clusters which have network restrictions activated.
+	NetworkIsolation *NetworkIsolation `json:"networkIsolation,omitempty"`
+}
+
+type NetworkIsolation struct {
+	// AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.
+	AllowedNetworks []string `json:"allowedNetworks,omitempty"`
+	// DNSServers
+	DNSServers []NetworkServer `json:"dnsServers,omitempty"`
+	// NTPServers
+	NTPServers []NetworkServer `json:"ntpServers,omitempty"`
+	// The registry which serves the images required to create a shoot.
+	Registry NetworkServer `json:"registry,omitempty"`
+}
+
+type NetworkServer struct {
+	// Name describes this server
+	Name string `json:"name,omitempty"`
+	// Hostname is typically the dns name of this server
+	Hostname string `json:"hostname,omitempty"`
+	// IP is the ipv4 or ipv6 address of this server
+	IP string `json:"ip,omitempty"`
+	// IPFamily defines the family of the ip
+	IPFamily corev1.IPFamily `json:"ipfamily,omitempty"`
+	// Port at which port the service is reachable
+	Port int32 `json:"port,omitempty"`
+	// Proto the network protocol to reach the service
+	Proto corev1.Protocol `json:"proto,omitempty"`
 }

pkg/apis/metal/v1alpha1/types_controlplane.go

@@ -19,6 +19,10 @@ type ControlPlaneConfig struct {
 
 	// CustomDefaultStorageClass
 	CustomDefaultStorageClass *CustomDefaultStorageClass `json:"customDefaultStorageClass,omitempty"`
+
+	// NetworkAccessType defines how the cluster can reach external networks.
+	// +optional
+	NetworkAccessType *NetworkAccessType `json:"networkAccessType,omitempty"`
 }
 
 // CustomDefaultStorageClass defines the custom storageclass which should be set as default
@@ -67,3 +71,24 @@ type CloudControllerManagerConfig struct {
 	// +optional
 	DefaultExternalNetwork *string `json:"defaultExternalNetwork" optional:"true"`
 }
+type (
+	// NetworkAccessType defines how a cluster is capable of accessing external networks
+	NetworkAccessType string
+)
+
+const (
+	// NetworkAccessBaseline allows the cluster to access external networks in a baseline manner
+	NetworkAccessBaseline = NetworkAccessType("baseline")
+	// NetworkAccessRestricted access to external networks is by default restricted to registries, dns and ntp to partition only destinations.
+	// Therefor registries, dns and ntp destinations must be specified in the cloud-profile accordingly-
+	// If this is not the case, restricting the access must not be possible.
+	// Image overrides for all images which are required to create such a shoot, must be specified. No other images are provided in the given registry.
+	// customers can define own rules to access external networks as in the baseline.
+	// Service type loadbalancers are also not restricted.
+	NetworkAccessRestricted = NetworkAccessType("restricted")
+	// NetworkAccessForbidden in this configuration a customer can no longer create rules to access external networks.
+	// which are outside of a given list of allowed networks. This is enforced by the firewall.
+	// Service type loadbalancers are also not possible to open a service ip which is not in the list of allowed networks.
+	// This is also enforced by the firewall.
+	NetworkAccessForbidden = NetworkAccessType("baseline")
+)