Simplify NetworkPolicy configuration for webhook servers (gardener#…

…8076)

* Adapt documentation

* Adapt implementation

* Deprecate `NetworkPolicy` function for shoot webhooks in extension library

* Adapt `provider-local`

charts/gardener/provider-local/extension/templates/service.yaml

@@ -6,7 +6,8 @@ metadata:
   annotations:
     networking.resources.gardener.cloud/from-world-to-ports: '[{"protocol":"TCP","port":{{ .Values.webhookConfig.serverPort }}}]'
     networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"port":{{ .Values.metricsPort }},"protocol":"TCP"}]'
-    networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
+    networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":{{ .Values.webhookConfig.serverPort }}}]'
+    networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"kubernetes.io/metadata.name":"garden"}},{"matchLabels":{"kubernetes.io/metadata.name":"shoot"}}]'
     networking.resources.gardener.cloud/pod-label-selector-namespace-alias: extensions
 {{-  if .Values.ignoreResources }}
     resources.gardener.cloud/ignore: "true"

docs/extensions/shoot-webhooks.md

@@ -19,6 +19,5 @@ The provider extension doesn't need to care about the same.
 ## What else is needed?
 
 The shoot's kube-apiserver must be allowed to talk to the provider extension.
-To achieve this, you need to create a `NetworkPolicy` in the shoot namespace.
-Our [extension controller library](https://github.com/gardener/gardener/blob/master/extensions) provides easy-to-use utilities and hooks to implement such a webhook.
-Please find an exemplary implementation [here](https://github.com/gardener/gardener-extension-provider-aws/tree/master/pkg/webhook/shoot) and [here](https://github.com/gardener/gardener-extension-provider-aws/blob/566fe4dd588c93821bc9d22c452203867457c930/cmd/gardener-extension-provider-aws/app/app.go#L170-L174).
+To achieve this, you need to make sure that the relevant `NetworkPolicy` get created for allowing the network traffic.
+Please refer to [this guide](../usage/network_policies.md#webhook-servers) for more information.

docs/usage/network_policies.md

@@ -92,6 +92,18 @@ annotations:
 
 This automatically allows the network traffic from the API server pods.
 
+In case the servers run in a different namespace than the `kube-apiserver`s, the following annotations are needed:
+
+```yaml
+annotations:
+  networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"port":<server-port-on-pod>,"protocol":"<protocol, typically TCP>"}]'
+  networking.resources.gardener.cloud/pod-label-selector-namespace-alias: extensions
+  # for the virtual garden cluster:
+  networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
+  # for shoot clusters:
+  networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"gardener.cloud/role":"shoot"}}]'
+```
+
 ## Additional Namespace Coverage in Garden/Seed Cluster
 
 In some cases, garden or seed clusters might run components in dedicated namespaces which are not covered by the controller by default (see list above).
@@ -122,11 +134,9 @@ As a result, the respective component pods just need to be labeled with
 
 ### Ingress Traffic
 
-Components running in such custom namespaces might serve webhook handlers that must be reached by the `kube-apiservers` of the virtual garden cluster or a shoot cluster.
-In order to achieve this, their `Service` must be annotated with `networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports=<ports>` as well as
-
-- `networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]` (virtual garden cluster)
-- `networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"gardener.cloud/role":"shoot"}}]` (shoot clusters)
+Components running in such custom namespaces might serve webhook handlers that must be reached by the `kube-apiserver`s of the virtual garden cluster or a shoot cluster.
+In order to achieve this, their `Service` must be annotated.
+Please refer to [this section](#webhook-servers) for more information.
 
 ## Shoot Cluster
 

extensions/pkg/webhook/shoot/networkpolicy.go

@@ -34,7 +34,10 @@ func GetNetworkPolicyMeta(shootNamespace, extensionName string) *networkingv1.Ne
 }
 
 // EnsureEgressNetworkPolicy ensures that the required egress network policy is installed that allows the kube-apiserver
-// running in the given shoot namespace to talk to the extension webhook .
+// running in the given shoot namespace to talk to the extension webhook.
+// Deprecated: This function is deprecated and will be removed after Gardener v1.80 has been released. Extensions should
+// make sure that they can be accessed via the 'all-webhook-targets' alias.
+// TODO(rfranzke): Drop this after v1.80 has been released.
 func EnsureEgressNetworkPolicy(ctx context.Context, c client.Client, shootNamespace, extensionNamespace, extensionName string, port int) error {
 	networkPolicy := GetNetworkPolicyMeta(shootNamespace, extensionName)
 	_, err := controllerutils.GetAndCreateOrMergePatch(ctx, c, networkPolicy, func() error {
@@ -78,6 +81,9 @@ func EnsureEgressNetworkPolicy(ctx context.Context, c client.Client, shootNamesp
 
 // EnsureIngressNetworkPolicy ensures that the required ingress network policy is installed that allows the
 // kube-apiservers of shoot namespaces to talk to the extension webhook.
+// Deprecated: This function is deprecated and will be removed after Gardener v1.80 has been released. Extensions should
+// make sure that they can be accessed via the 'all-webhook-targets' alias.
+// TODO(rfranzke): Drop this after v1.80 has been released.
 func EnsureIngressNetworkPolicy(ctx context.Context, c client.Client, extensionNamespace, extensionName string, port int) error {
 	networkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Namespace: extensionNamespace, Name: "ingress-from-all-shoots-kube-apiserver"}}
 	_, err := controllerutils.GetAndCreateOrMergePatch(ctx, c, networkPolicy, func() error {

pkg/apis/core/v1beta1/constants/types_constants.go

@@ -480,6 +480,9 @@ const (
 	// LabelNetworkPolicyShootNamespaceAlias is a constant for the alias for shoot namespaces used in NetworkPolicy
 	// labels.
 	LabelNetworkPolicyShootNamespaceAlias = "all-shoots"
+	// LabelNetworkPolicyExtensionsNamespaceAlias is a constant for the alias for extension namespaces used in
+	// NetworkPolicy labels.
+	LabelNetworkPolicyExtensionsNamespaceAlias = "extensions"
 	// LabelNetworkPolicyIstioIngressNamespaceAlias is a constant for the alias for shoot namespaces used in
 	// NetworkPolicy labels.
 	LabelNetworkPolicyIstioIngressNamespaceAlias = "all-istio-ingresses"

pkg/component/kubeapiserver/deployment.go

@@ -225,12 +225,13 @@ func (k *kubeAPIServer) reconcileDeployment(
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
 					Labels: utils.MergeStringMaps(GetLabels(), map[string]string{
-						v1beta1constants.LabelNetworkPolicyToDNS:                                                                                                       v1beta1constants.LabelNetworkPolicyAllowed,
-						v1beta1constants.LabelNetworkPolicyToPublicNetworks:                                                                                            v1beta1constants.LabelNetworkPolicyAllowed,
-						v1beta1constants.LabelNetworkPolicyToPrivateNetworks:                                                                                           v1beta1constants.LabelNetworkPolicyAllowed,
-						"networking.resources.gardener.cloud/to-" + v1beta1constants.LabelNetworkPolicyWebhookTargets:                                                  v1beta1constants.LabelNetworkPolicyAllowed,
-						gardenerutils.NetworkPolicyLabel(k.values.NamePrefix+etcdconstants.ServiceName(v1beta1constants.ETCDRoleMain), etcdconstants.PortEtcdClient):   v1beta1constants.LabelNetworkPolicyAllowed,
-						gardenerutils.NetworkPolicyLabel(k.values.NamePrefix+etcdconstants.ServiceName(v1beta1constants.ETCDRoleEvents), etcdconstants.PortEtcdClient): v1beta1constants.LabelNetworkPolicyAllowed,
+						v1beta1constants.LabelNetworkPolicyToDNS:                                                      v1beta1constants.LabelNetworkPolicyAllowed,
+						v1beta1constants.LabelNetworkPolicyToPublicNetworks:                                           v1beta1constants.LabelNetworkPolicyAllowed,
+						v1beta1constants.LabelNetworkPolicyToPrivateNetworks:                                          v1beta1constants.LabelNetworkPolicyAllowed,
+						"networking.resources.gardener.cloud/to-" + v1beta1constants.LabelNetworkPolicyWebhookTargets: v1beta1constants.LabelNetworkPolicyAllowed,
+						"networking.resources.gardener.cloud/to-" + v1beta1constants.LabelNetworkPolicyExtensionsNamespaceAlias + "-" + v1beta1constants.LabelNetworkPolicyWebhookTargets: v1beta1constants.LabelNetworkPolicyAllowed,
+						gardenerutils.NetworkPolicyLabel(k.values.NamePrefix+etcdconstants.ServiceName(v1beta1constants.ETCDRoleMain), etcdconstants.PortEtcdClient):                      v1beta1constants.LabelNetworkPolicyAllowed,
+						gardenerutils.NetworkPolicyLabel(k.values.NamePrefix+etcdconstants.ServiceName(v1beta1constants.ETCDRoleEvents), etcdconstants.PortEtcdClient):                    v1beta1constants.LabelNetworkPolicyAllowed,
 						// TODO(rfranzke): Remove these labels after v1.74 has been released.
 						gardenerutils.NetworkPolicyLabel(k.values.NamePrefix+resourcemanagerconstants.ServiceName, resourcemanagerconstants.ServerPort): v1beta1constants.LabelNetworkPolicyAllowed,
 						gardenerutils.NetworkPolicyLabel(vpaconstants.AdmissionControllerServiceName, vpaconstants.AdmissionControllerPort):             v1beta1constants.LabelNetworkPolicyAllowed,

pkg/component/kubeapiserver/kube_apiserver_test.go

@@ -1822,6 +1822,7 @@ rules:
 						"networking.gardener.cloud/to-private-networks":                              "allowed",
 						"networking.gardener.cloud/to-public-networks":                               "allowed",
 						"networking.resources.gardener.cloud/to-all-webhook-targets":                 "allowed",
+						"networking.resources.gardener.cloud/to-extensions-all-webhook-targets":      "allowed",
 						"networking.resources.gardener.cloud/to-etcd-main-client-tcp-2379":           "allowed",
 						"networking.resources.gardener.cloud/to-etcd-events-client-tcp-2379":         "allowed",
 						"networking.resources.gardener.cloud/to-gardener-resource-manager-tcp-10250": "allowed",