🧹 Cleanup a few TODOs (gardener#8883)

* Remove MCM legacy CRD deletion

follow-up of gardener#8559, released with `v1.82.0`

* Remove legacy `shoot-node-logging` MR cleanup

follow-up of gardener#8501, released with `v1.80.0`

* Remove MCM legacy resources cleanup in generic `Worker` actuator

follow-up of gardener#8596, released with `v1.82.0`

* Restrict GRM's token requestor to secrets with `class=shoot`

follow-up of gardener#8152, released with `v1.74.0`

* Remove support for deprecated `NetworkPolicy` annotations

follow-up of gardener#7907, released with `v1.71.0`

charts/gardener/gardenlet/templates/clusterrole-gardenlet.yaml

@@ -177,13 +177,6 @@ rules:
   - filters.fluentbit.fluent.io
   - outputs.fluentbit.fluent.io
   - parsers.fluentbit.fluent.io
-  # TODO(rfranzke): Remove this code after Gardener v1.83 has been released.
-  - alicloudmachineclasses.machine.sapcloud.io
-  - awsmachineclasses.machine.sapcloud.io
-  - azuremachineclasses.machine.sapcloud.io
-  - gcpmachineclasses.machine.sapcloud.io
-  - openstackmachineclasses.machine.sapcloud.io
-  - packetmachineclasses.machine.sapcloud.io
   verbs:
   - delete
 - apiGroups:

cmd/gardenlet/app/app.go

@@ -61,7 +61,6 @@ import (
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	"github.com/gardener/gardener/pkg/apis/operations"
 	operationsv1alpha1 "github.com/gardener/gardener/pkg/apis/operations/v1alpha1"
-	resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
 	"github.com/gardener/gardener/pkg/client/kubernetes"
 	clientmapbuilder "github.com/gardener/gardener/pkg/client/kubernetes/clientmap/builder"
 	"github.com/gardener/gardener/pkg/controllerutils"
@@ -377,11 +376,6 @@ func (g *garden) Start(ctx context.Context) error {
 		return err
 	}
 
-	log.Info("Cleaning up legacy 'shoot-node-logging' ManagedResource")
-	if err := cleanupLegacyLoggingManagedResource(ctx, g.mgr.GetClient()); err != nil {
-		return err
-	}
-
 	log.Info("Cleaning up orphaned ServiceAccounts related to garden access secrets for extensions")
 	if err := g.cleanupOrphanedExtensionsServiceAccounts(ctx, gardenCluster.GetClient()); err != nil {
 		return err
@@ -441,30 +435,6 @@ func (g *garden) Start(ctx context.Context) error {
 	return nil
 }
 
-// TODO(rfranzke): Remove this code after v1.83 has been released.
-func cleanupLegacyLoggingManagedResource(ctx context.Context, seedClient client.Client) error {
-	managedResourceList := &metav1.PartialObjectMetadataList{}
-	managedResourceList.SetGroupVersionKind(resourcesv1alpha1.SchemeGroupVersion.WithKind("ManagedResourceList"))
-	if err := seedClient.List(ctx, managedResourceList); err != nil {
-		if meta.IsNoMatchError(err) {
-			return nil
-		}
-		return err
-	}
-
-	var taskFns []flow.TaskFn
-	for _, managedResource := range managedResourceList.Items {
-		if managedResource.GetName() == "shoot-node-logging" {
-			mr := managedResource
-			taskFns = append(taskFns, func(ctx context.Context) error {
-				return seedClient.Delete(ctx, &mr)
-			})
-		}
-	}
-
-	return flow.Parallel(taskFns...)(ctx)
-}
-
 // TODO(rfranzke): Remove this code after v1.86 has been released.
 func (g *garden) cleanupOrphanedExtensionsServiceAccounts(ctx context.Context, gardenClient client.Client) error {
 	serviceAccountList := &corev1.ServiceAccountList{}

extensions/pkg/controller/worker/genericactuator/actuator_delete.go

@@ -53,11 +53,6 @@ func (a *genericActuator) Delete(ctx context.Context, log logr.Logger, worker *e
 		return fmt.Errorf("pre worker deletion hook failed: %w", err)
 	}
 
-	// Cleanup legacy machine-controller-manager resources.
-	if err := a.cleanupLegacyMachineControllerManagerResources(ctx, log, worker); err != nil {
-		return err
-	}
-
 	// Redeploy generated machine classes to update credentials machine-controller-manager used.
 	log.Info("Deploying the machine classes")
 	if err := workerDelegate.DeployMachineClasses(ctx); err != nil {

extensions/pkg/controller/worker/genericactuator/actuator_migrate.go

@@ -24,9 +24,6 @@ import (
 )
 
 // Migrate ensures that the MCM is deleted in case it is managed.
-func (a *genericActuator) Migrate(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, _ *controller.Cluster) error {
-	log = log.WithValues("operation", "migrate")
-
-	// Cleanup legacy machine-controller-manager resources.
-	return a.cleanupLegacyMachineControllerManagerResources(ctx, log, worker)
+func (a *genericActuator) Migrate(_ context.Context, _ logr.Logger, _ *extensionsv1alpha1.Worker, _ *controller.Cluster) error {
+	return nil
 }

extensions/pkg/controller/worker/genericactuator/actuator_reconcile.go

@@ -62,11 +62,6 @@ func (a *genericActuator) Reconcile(ctx context.Context, log logr.Logger, worker
 		return err
 	}
 
-	// Cleanup legacy machine-controller-manager resources.
-	if err := a.cleanupLegacyMachineControllerManagerResources(ctx, log, worker); err != nil {
-		return err
-	}
-
 	// Generate the desired machine deployments.
 	log.Info("Generating machine deployments")
 	wantedMachineDeployments, err := workerDelegate.GenerateMachineDeployments(ctx)

extensions/pkg/controller/worker/genericactuator/machine_controller_manager.go

@@ -18,26 +18,14 @@ import (
 	"context"
 
 	"github.com/go-logr/logr"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"github.com/gardener/gardener/pkg/client/kubernetes"
 	kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
-	"github.com/gardener/gardener/pkg/utils/managedresources"
 )
 
-// TODO(rfranzke): Remove this function after v1.85 has been released.
-func (a *genericActuator) cleanupLegacyMachineControllerManagerResources(ctx context.Context, logger logr.Logger, workerObj *extensionsv1alpha1.Worker) error {
-	logger.Info("Skip machine-controller-manager deployment since gardenlet manages it - deleting monitoring ConfigMap and extension-worker-mcm-shoot ManagedResource")
-	if err := a.seedClient.Delete(ctx, &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "machine-controller-manager-monitoring-config", Namespace: workerObj.Namespace}}); client.IgnoreNotFound(err) != nil {
-		return err
-	}
-	return managedresources.Delete(ctx, a.seedClient, workerObj.Namespace, "extension-worker-mcm-shoot", false)
-}
-
 func scaleMachineControllerManager(ctx context.Context, logger logr.Logger, cl client.Client, worker *extensionsv1alpha1.Worker, replicas int32) error {
 	logger.Info("Scaling machine-controller-manager", "replicas", replicas)
 	return client.IgnoreNotFound(kubernetes.ScaleDeployment(ctx, cl, kubernetesutils.Key(worker.Namespace, v1beta1constants.DeploymentNameMachineControllerManager), replicas))

pkg/apis/resources/v1alpha1/types.go

@@ -179,17 +179,6 @@ const (
 	// NetworkingFromWorldToPorts is a constant for an annotation on a Service which contains a list of ports to which
 	// ingress traffic from everywhere shall be allowed.
 	NetworkingFromWorldToPorts = "networking.resources.gardener.cloud/from-world-to-ports"
-	// NetworkingFromPolicyPodLabelSelector is a constant for an annotation on a Service which contains the label
-	// selector which should be used for pods initiating the communication with this Service. Note that the ports must
-	// be container ports, not service ports.
-	// Deprecated: Use `networking.resources.gardener.cloud/from-<some-alias>-allowed-ports`
-	// (NetworkPolicyFromPolicyAnnotationPrefix and NetworkPolicyFromPolicyAnnotationSuffix) instead.
-	NetworkingFromPolicyPodLabelSelector = "networking.resources.gardener.cloud/from-policy-pod-label-selector"
-	// NetworkingFromPolicyAllowedPorts is a constant for an annotation on a Service which contains a list of ports to
-	// which ingress traffic shall be allowed. Note that the ports must be container ports, not service ports.
-	// Deprecated: Use `networking.resources.gardener.cloud/from-<some-alias>-allowed-ports`
-	// (NetworkPolicyFromPolicyAnnotationPrefix and NetworkPolicyFromPolicyAnnotationSuffix) instead.
-	NetworkingFromPolicyAllowedPorts = "networking.resources.gardener.cloud/from-policy-allowed-ports"
 	// NetworkPolicyFromPolicyAnnotationPrefix is a constant for an annotation key prefix on a Service which contains
 	// the label selector alias which is used by pods initiating the communication to this Service. The annotation key
 	// must be suffixed with NetworkPolicyFromPolicyAnnotationSuffix, and the annotations value must be a list of

pkg/component/machinecontrollermanager/crd.go

@@ -19,14 +19,11 @@ import (
 	_ "embed"
 	"fmt"
 
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/gardener/gardener/pkg/client/kubernetes"
 	"github.com/gardener/gardener/pkg/component"
 	gardenerutils "github.com/gardener/gardener/pkg/utils/gardener"
-	kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
 )
 
 var (
@@ -72,7 +69,7 @@ func (c *crd) Deploy(ctx context.Context) error {
 		}
 	}
 
-	return c.deleteLegacyCRDs(ctx)
+	return nil
 }
 
 func (c *crd) Destroy(ctx context.Context) error {
@@ -93,27 +90,5 @@ func (c *crd) Destroy(ctx context.Context) error {
 		}
 	}
 
-	return c.deleteLegacyCRDs(ctx)
-}
-
-// TODO(rfranzke): Remove this code after Gardener v1.83 has been released.
-func (c *crd) deleteLegacyCRDs(ctx context.Context) error {
-	for _, name := range []string{
-		"alicloudmachineclasses.machine.sapcloud.io",
-		"awsmachineclasses.machine.sapcloud.io",
-		"azuremachineclasses.machine.sapcloud.io",
-		"gcpmachineclasses.machine.sapcloud.io",
-		"openstackmachineclasses.machine.sapcloud.io",
-		"packetmachineclasses.machine.sapcloud.io",
-	} {
-		obj := &apiextensionsv1.CustomResourceDefinition{ObjectMeta: metav1.ObjectMeta{Name: name}}
-		if err := gardenerutils.ConfirmDeletion(ctx, c.client, obj); client.IgnoreNotFound(err) != nil {
-			return err
-		}
-		if err := kubernetesutils.DeleteObject(ctx, c.client, obj); err != nil {
-			return err
-		}
-	}
-
 	return nil
 }

pkg/gardenlet/controller/managedseed/charttest/charttest.go

@@ -279,13 +279,6 @@ func getGardenletClusterRole(labels map[string]string) *rbacv1.ClusterRole {
 					"filters.fluentbit.fluent.io",
 					"outputs.fluentbit.fluent.io",
 					"parsers.fluentbit.fluent.io",
-					// TODO(rfranzke): Remove this code after Gardener v1.83 has been released.
-					"alicloudmachineclasses.machine.sapcloud.io",
-					"awsmachineclasses.machine.sapcloud.io",
-					"azuremachineclasses.machine.sapcloud.io",
-					"gcpmachineclasses.machine.sapcloud.io",
-					"openstackmachineclasses.machine.sapcloud.io",
-					"packetmachineclasses.machine.sapcloud.io",
 				},
 				Verbs: []string{"delete"},
 			},

pkg/gardenlet/controller/shoot/shoot/cleaner.go

@@ -184,10 +184,6 @@ func (c *cleaner) finalizeShootManagedResources(ctx context.Context, namespace s
 
 	shootMRList := &resourcesv1alpha1.ManagedResourceList{}
 	for _, mr := range mrList.Items {
-		// TODO(rfranzke): Uncomment the next line after v1.85 has been released.
-		// if pointer.StringDeref(mr.Spec.Class, "") != resourcesv1alpha1.ResourceManagerClassShoot {
-		// 	continue
-		// }
 		if mr.Spec.Class != nil {
 			continue
 		}

pkg/gardenlet/controller/shoot/shoot/reconciler_reconcile.go

@@ -28,6 +28,7 @@ import (
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
+	resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
 	"github.com/gardener/gardener/pkg/client/kubernetes/clientmap/keys"
 	"github.com/gardener/gardener/pkg/component/kubeapiserver"
 	"github.com/gardener/gardener/pkg/controllerutils"
@@ -325,9 +326,7 @@ func (r *Reconciler) runReconcileShootFlow(ctx context.Context, o *operation.Ope
 			Fn: flow.TaskFn(func(ctx context.Context) error {
 				return tokenrequest.RenewAccessSecrets(ctx, o.SeedClientSet.Client(),
 					client.InNamespace(o.Shoot.SeedNamespace),
-					// TODO(rfranzke): Uncomment the next line after v1.85 has been released
-					//  (together with restricting the garden's/shoot's tokenrequestor to the shoot class).
-					// client.MatchingLabels{resourcesv1alpha1.ResourceManagerClass: resourcesv1alpha1.ResourceManagerClassShoot},
+					client.MatchingLabels{resourcesv1alpha1.ResourceManagerClass: resourcesv1alpha1.ResourceManagerClassShoot},
 				)
 			}).RetryUntilTimeout(defaultInterval, defaultTimeout),
 			SkipIf:       v1beta1helper.GetShootServiceAccountKeyRotationPhase(o.Shoot.GetInfo().Status.Credentials) != gardencorev1beta1.RotationPreparing,

pkg/operator/controller/garden/garden/reconciler_reconcile.go

@@ -313,9 +313,7 @@ func (r *Reconciler) reconcile(
 			Fn: flow.TaskFn(func(ctx context.Context) error {
 				return tokenrequest.RenewAccessSecrets(ctx, r.RuntimeClientSet.Client(),
 					client.InNamespace(r.GardenNamespace),
-					// TODO(rfranzke): Uncomment the next line after v1.85 has been released
-					//  (together with restricting the garden's/shoot's tokenrequestor to the shoot class).
-					// client.MatchingLabels{resourcesv1alpha1.ResourceManagerClass: resourcesv1alpha1.ResourceManagerClassShoot},
+					client.MatchingLabels{resourcesv1alpha1.ResourceManagerClass: resourcesv1alpha1.ResourceManagerClassShoot},
 				)
 			}).RetryUntilTimeout(5*time.Second, 30*time.Second),
 			SkipIf:       helper.GetServiceAccountKeyRotationPhase(garden.Status.Credentials) != gardencorev1beta1.RotationPreparing,

pkg/resourcemanager/controller/add.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
+	resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
 	"github.com/gardener/gardener/pkg/controller/tokenrequestor"
 	"github.com/gardener/gardener/pkg/resourcemanager/apis/config"
 	"github.com/gardener/gardener/pkg/resourcemanager/controller/csrapprover"
@@ -118,8 +119,7 @@ func AddToManager(ctx context.Context, mgr manager.Manager, sourceCluster, targe
 			Clock:           clock.RealClock{},
 			JitterFunc:      wait.Jitter,
 			APIAudiences:    []string{v1beta1constants.GardenerAudience},
-			// TODO(rfranzke): Uncomment the next line after v1.85 has been released.
-			// Class: pointer.String(resourcesv1alpha1.ResourceManagerClassShoot),
+			Class:           pointer.String(resourcesv1alpha1.ResourceManagerClassShoot),
 		}).AddToManager(mgr, sourceCluster, targetCluster); err != nil {
 			return fmt.Errorf("failed adding token requestor controller: %w", err)
 		}

pkg/resourcemanager/controller/networkpolicy/add.go

@@ -135,8 +135,6 @@ func (r *Reconciler) ServicePredicate() predicate.Predicate {
 				oldService.Annotations[resourcesv1alpha1.NetworkingPodLabelSelectorNamespaceAlias] != service.Annotations[resourcesv1alpha1.NetworkingPodLabelSelectorNamespaceAlias] ||
 				oldService.Annotations[resourcesv1alpha1.NetworkingNamespaceSelectors] != service.Annotations[resourcesv1alpha1.NetworkingNamespaceSelectors] ||
 				oldService.Annotations[resourcesv1alpha1.NetworkingFromWorldToPorts] != service.Annotations[resourcesv1alpha1.NetworkingFromWorldToPorts] ||
-				oldService.Annotations[resourcesv1alpha1.NetworkingFromPolicyPodLabelSelector] != service.Annotations[resourcesv1alpha1.NetworkingFromPolicyPodLabelSelector] ||
-				oldService.Annotations[resourcesv1alpha1.NetworkingFromPolicyAllowedPorts] != service.Annotations[resourcesv1alpha1.NetworkingFromPolicyAllowedPorts] ||
 				fromPolicyAnnotationsChanged(oldService.Annotations, service.Annotations)
 		},
 	}

pkg/resourcemanager/controller/networkpolicy/add_test.go

@@ -122,20 +122,6 @@ var _ = Describe("Add", func() {
 				Expect(p.Update(event.UpdateEvent{ObjectOld: oldService, ObjectNew: service})).To(BeTrue())
 			})
 
-			It("should return true because the from-policy-pod-label-selector annotation was changed", func() {
-				oldService := service.DeepCopy()
-				service.Annotations = map[string]string{"networking.resources.gardener.cloud/from-policy-pod-label-selector": "foo"}
-
-				Expect(p.Update(event.UpdateEvent{ObjectOld: oldService, ObjectNew: service})).To(BeTrue())
-			})
-
-			It("should return true because the from-policy-allowed-ports annotation was changed", func() {
-				oldService := service.DeepCopy()
-				service.Annotations = map[string]string{"networking.resources.gardener.cloud/from-policy-allowed-ports": "foo"}
-
-				Expect(p.Update(event.UpdateEvent{ObjectOld: oldService, ObjectNew: service})).To(BeTrue())
-			})
-
 			It("should return true because a custom pod label selector was added", func() {
 				oldService := service.DeepCopy()
 				service.Annotations = map[string]string{"networking.resources.gardener.cloud/from-foo-allowed-ports": "foo"}

pkg/resourcemanager/controller/networkpolicy/reconciler.go

@@ -206,20 +206,6 @@ func (r *Reconciler) reconcileDesiredPolicies(ctx context.Context, service *core
 		addTasksForRelevantNamespacesAndPort(networkingv1.NetworkPolicyPort{Protocol: &port.Protocol, Port: &port.TargetPort}, "")
 	}
 
-	// TODO(rfranzke): The following block is deprecated and should be removed as soon as v1.82 has been released.
-	{
-		if customPodLabelSelector, allowedPorts := service.Annotations[resourcesv1alpha1.NetworkingFromPolicyPodLabelSelector], service.Annotations[resourcesv1alpha1.NetworkingFromPolicyAllowedPorts]; customPodLabelSelector != "" && allowedPorts != "" {
-			var ports []networkingv1.NetworkPolicyPort
-			if err := json.Unmarshal([]byte(allowedPorts), &ports); err != nil {
-				return nil, nil, fmt.Errorf("failed unmarshaling %s: %w", allowedPorts, err)
-			}
-
-			for _, port := range ports {
-				addTasksForRelevantNamespacesAndPort(port, customPodLabelSelector)
-			}
-		}
-	}
-
 	for k, allowedPorts := range service.Annotations {
 		match := fromPolicyRegexp.FindStringSubmatch(k)
 		if len(match) != 2 {