Add seed reconciler for secret replication #3582

Merged
merged 5 commits into from
Feb 25, 2021

Conversation

timuthy
Contributor

@timuthy timuthy commented Feb 18, 2021

How to categorize this PR?

/area security
/kind enhancement
/priority normal

What this PR does / why we need it:
This PR adds a new seed reconciler which:

  • creates a dedicated namespace per seed `seed-<seed-name>`
  • replicates secrets with `gardener.cloud/role` label from the `garden` namespace to `seed-<seed-name>` namespaces

In the future, this dedicated namespace will allow us to restrict Gardenlets to only access these namespaces (see #1723).

Which issue(s) this PR fixes:
Fixes parts of #1723

Special notes for your reviewer:
The seed lifecycle controller was refactored along the way and now implements the reconcile.Reconciler interface.

/cc @rfranzke

Release note:

A new `Seed` reconciler was added to the Gardener-Controller-Manager. It creates a dedicated namespace per seed in the Garden cluster `seed-<seed-name>` and copies common secrets from the `garden` Namespace (labelled with `gardener.cloud/role`) to the seed namespace. Gardenlets are supposed to read secrets (or namespaced objects in general) from seed-dedicated namespaces only in the future.
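To make the behaviour described above concrete, the following is an added example that is not code from this PR or from the gardener project. It models the reconcile loop against an in-memory stand-in for the Garden cluster API server: `Store`, `Secret`, `Namespace`, `Reconcile` and `replicate` are hypothetical names, the real controller works with `corev1.Secret`/`corev1.Namespace` through a Kubernetes client (assumption), and the sample secrets are constructed inline. It shows the two rules from the description (namespace `seed-<seed-name>`, copy only secrets labelled `gardener.cloud/role`), and additionally that a reconcile must be idempotent and must propagate updates, which the description implies but does not spell out.

```go
package main

import (
	"fmt"
	"sort"
)

const (
	gardenNamespace = "garden"              // source namespace named in the PR
	roleLabel       = "gardener.cloud/role" // label that marks secrets for replication
)

// Secret and Namespace are minimal stand-ins for corev1.Secret and corev1.Namespace
// (assumption: the real reconciler uses the Kubernetes API types and a client).
type Secret struct {
	Namespace string
	Name      string
	Labels    map[string]string
	Data      map[string][]byte
}

type Namespace struct {
	Name string
}

// Store is an in-memory substitute for the Garden cluster API server (hypothetical).
type Store struct {
	Namespaces map[string]Namespace
	Secrets    map[string]Secret // keyed by "namespace/name"
}

func NewStore() *Store {
	return &Store{Namespaces: map[string]Namespace{}, Secrets: map[string]Secret{}}
}

func objectKey(namespace, name string) string { return namespace + "/" + name }

// SeedNamespaceName returns the dedicated namespace for a seed: "seed-<seed-name>".
func SeedNamespaceName(seedName string) string { return "seed-" + seedName }

// replicate builds the copy that should live in the seed namespace: same name,
// labels and data, but a fresh object. With real API types you would also drop
// server-populated metadata (resourceVersion, uid, ownerReferences) here.
func replicate(src Secret, targetNamespace string) Secret {
	dst := Secret{
		Namespace: targetNamespace,
		Name:      src.Name,
		Labels:    make(map[string]string, len(src.Labels)),
		Data:      make(map[string][]byte, len(src.Data)),
	}
	for k, v := range src.Labels {
		dst.Labels[k] = v
	}
	for k, v := range src.Data {
		dst.Data[k] = append([]byte(nil), v...) // deep copy so the mirror never aliases the source
	}
	return dst
}

// Reconcile ensures the seed namespace exists and that every secret in the garden
// namespace carrying the role label is mirrored into it. It is idempotent: re-running
// it overwrites existing copies (picking up rotated data) instead of duplicating them.
// It returns the sorted names of the secrets it replicated.
func (s *Store) Reconcile(seedName string) ([]string, error) {
	if seedName == "" {
		return nil, fmt.Errorf("seed name must not be empty")
	}
	ns := SeedNamespaceName(seedName)
	if _, ok := s.Namespaces[ns]; !ok {
		s.Namespaces[ns] = Namespace{Name: ns}
	}

	// Collect sources first so we never mutate the map while ranging over it.
	var sources []Secret
	for _, secret := range s.Secrets {
		if secret.Namespace != gardenNamespace {
			continue // only the garden namespace is a replication source
		}
		if _, ok := secret.Labels[roleLabel]; !ok {
			continue // unlabelled secrets stay private to the garden namespace
		}
		sources = append(sources, secret)
	}

	replicated := make([]string, 0, len(sources))
	for _, secret := range sources {
		s.Secrets[objectKey(ns, secret.Name)] = replicate(secret, ns)
		replicated = append(replicated, secret.Name)
	}
	sort.Strings(replicated)
	return replicated, nil
}

func main() {
	store := NewStore()
	// Constructed sample input: two garden secrets, only one labelled for replication.
	store.Secrets[objectKey(gardenNamespace, "ca")] = Secret{
		Namespace: gardenNamespace, Name: "ca",
		Labels: map[string]string{roleLabel: "ca"},
		Data:   map[string][]byte{"ca.crt": []byte("-----BEGIN CERTIFICATE-----")},
	}
	store.Secrets[objectKey(gardenNamespace, "internal-only")] = Secret{
		Namespace: gardenNamespace, Name: "internal-only",
		Data: map[string][]byte{"token": []byte("do-not-replicate")},
	}
	names, err := store.Reconcile("aws-eu1")
	fmt.Println(names, err) // [ca] <nil>
}
```

The security-relevant property is the label filter: a secret that is not explicitly marked with `gardener.cloud/role` never leaves the `garden` namespace, so the future per-seed RBAC restriction (#1723) only exposes what an operator opted in to replicate.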

@timuthy timuthy requested a review from a team as a code owner February 18, 2021 09:10
@gardener-robot gardener-robot added needs/review area/security Security related kind/enhancement Enhancement, improvement, extension size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Feb 18, 2021
@rfranzke rfranzke self-assigned this Feb 18, 2021
Member

@timebertt timebertt left a comment


One question from my side.
Looks good overall :)

Member

@timebertt timebertt left a comment


Thanks for addressing my suggestion.
Very nice!
/lgtm

@timuthy timuthy merged commit 8d1ccfa into gardener:master Feb 25, 2021
@timuthy timuthy deleted the enhancement.seed-controller branch February 25, 2021 08:31
@gardener-robot gardener-robot added priority/3 Priority (lower number equals higher priority) and removed priority/3 Priority (lower number equals higher priority) labels Mar 8, 2021
Labels
area/security Security related kind/api-change API change with impact on API users kind/enhancement Enhancement, improvement, extension size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.