Fix network policy in local setup in conjunction with HA VPN. (gardener#8370)

Previously, the network policy specifying the allowed traffic to the machine
pods in the local setup only listed other machine pods and `vpn-seed-server`
as allowed ingress sources. However, in the HA VPN case `kube-apiserver`
connects to machines as well. The connection to kubelet was allowed, but
everything else was blocked by policy. This meant that `kubectl proxy` would
not allow proxying traffic to pods in the host network due to network policy.
This change adapts the network policy to work in both VPN cases and use the
more general `to-shoot-networks` labels, which were already used correctly.
ScheererJ authored and briantopping committed Aug 22, 2023
1 parent 10f6bbf commit 8312ecb
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions pkg/provider-local/controller/infrastructure/actuator.go
@@ -60,8 +60,7 @@ func (a *actuator) Reconcile(ctx context.Context, _ logr.Logger, infrastructure
networkPolicyAllowMachinePods.Spec = networkingv1.NetworkPolicySpec{
Ingress: []networkingv1.NetworkPolicyIngressRule{{
From: []networkingv1.NetworkPolicyPeer{
{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"app": "machine"}}},
{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"app": "vpn-seed-server"}}},
{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{v1beta1constants.LabelNetworkPolicyToShootNetworks: v1beta1constants.LabelNetworkPolicyAllowed}}},
},
}},
Egress: []networkingv1.NetworkPolicyEgressRule{{
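Review bot: Replacing the two explicit `app` pod selectors with a single selector on `v1beta1constants.LabelNetworkPolicyToShootNetworks: v1beta1constants.LabelNetworkPolicyAllowed` drops the `app: machine` peer, so machine-to-machine ingress now depends on machine pods also carrying that label; please confirm they do (or keep the `app: machine` peer) so that traffic between machine pods is not blocked by this policy. The new peer is a bare `PodSelector` with no `NamespaceSelector`, so it only matches pods in the policy's own namespace, which is the intended scope here, but it also means every pod in that namespace labelled `to-shoot-networks: allowed` gains ingress to the machine pods, not just `kube-apiserver` and `vpn-seed-server`; a one-line comment above the `From` list stating that this is the general "may reach shoot networks" contract would make that widening explicit for future readers.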
