{"id":19838523,"url":"https://github.com/metal-stack/firewall-controller-manager","last_synced_at":"2025-08-22T11:44:23.329Z","repository":{"id":64301138,"uuid":"568850243","full_name":"metal-stack/firewall-controller-manager","owner":"metal-stack","description":"Kubernetes Controller to reconcile firewalls","archived":false,"fork":false,"pushed_at":"2025-05-19T09:19:20.000Z","size":715,"stargazers_count":2,"open_issues_count":12,"forks_count":0,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-05-19T10:32:59.908Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/metal-stack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-11-21T14:43:42.000Z","updated_at":"2025-04-15T13:18:32.000Z","dependencies_parsed_at":"2023-02-16T07:30:50.489Z","dependency_job_id":"18f2295b-ebd9-44dc-8bed-4573d948c8a1","html_url":"https://github.com/metal-stack/firewall-controller-manager","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/metal-stack/firewall-controller-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metal-stack%2Ffirewall-controller-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metal-stack%2Ffirewall-controller-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metal-stack%2Ffirewall-controller-manager/releases","manifests_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metal-stack%2Ffirewall-controller-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/metal-stack","download_url":"https://codeload.github.com/metal-stack/firewall-controller-manager/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metal-stack%2Ffirewall-controller-manager/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271632775,"owners_count":24793750,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-22T02:00:08.480Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T12:18:02.850Z","updated_at":"2025-08-22T11:44:23.282Z","avatar_url":"https://github.com/metal-stack.png","language":"Go","readme":"# firewall-controller-manager\n\n## Overview\n\nThe firewall-controller-manager (FCM) is a collection of controllers which are responsible for managing the lifecycle of firewalls in a [Gardener](https://gardener.cloud/) shoot cluster for the metal-stack provider.\n\nThe FCM is typically deployed into the shoot namespace of a seed cluster. 
This is done by the [gardener-extension-provider-metal](https://github.com/metal-stack/gardener-extension-provider-metal/).\n\nThe design of the FCM is roughly inspired by Gardener's [machine-controller-manager](https://github.com/gardener/machine-controller-manager) and Kubernetes' built-in resources `Deployment`, `ReplicaSet` and `Pod`.\n\n## Architecture\n\nThe following table summarizes the [CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) introduced by the FCM:\n\n| Custom Resource Object | Description |\n| ---------------------- | ----------- |\n| `FirewallDeployment` | A `FirewallDeployment` contains the spec template of a `Firewall` resource, similar to a `Deployment`, and implements update strategies such as rolling update. |\n| `FirewallSet` | A `FirewallSet` is similar to a `ReplicaSet`. It is typically owned by a `FirewallDeployment` and attempts to run the defined number of `Firewall` replicas. |\n| `Firewall` | A `Firewall` is similar to a `Pod` and has a 1:1 relationship to a firewall in the metal-stack API. |\n| `FirewallMonitor` | Deployed into the user's cluster (the shoot cluster); useful for monitoring the firewall and for user-triggered actions on the firewall. |\n\n### `FirewallDeploymentController`\n\nThe `FirewallDeployment` controller manages the lifecycle of `FirewallSet`s. It syncs the `Firewall` template spec and, if significant changes were made, may trigger a `FirewallSet` roll. 
When choosing `RollingUpdate` as the deployment strategy, the deployment controller waits for the firewall-controller to connect before discarding the old `FirewallSet`. The `Recreate` strategy first releases firewalls before creating a new one (useful for environments that have run out of available machines but still need to be updated).\n\nThe controller also deploys a service account so that the firewall-controller can talk to the seed's kube-apiserver.\n\n### `FirewallSetController`\n\nCreates and deletes `Firewall` objects according to the spec and the given number of firewall replicas. It also checks the status of the `Firewall`s and reports it in its own status.\n\n### `FirewallController`\n\nCreates and deletes the physical firewall machine from the spec at the [metal-api](https://github.com/metal-stack/metal-api).\n\n## Rolling a `FirewallSet` through `FirewallMonitor` Annotation\n\nA user can initiate a roll of the latest firewall set by annotating a monitor as follows:\n\n```bash\nkubectl annotate fwmon \u003cfirewall-name\u003e firewall.metal-stack.io/roll-set=true\n```\n\n## Development\n\nMost of the functionality is developed with the help of the [integration](integration) test suite.\n\nTo play with the FCM, you can also run this controller inside the [mini-lab](https://github.com/metal-stack/mini-lab) without a running Gardener installation:\n\n1. Start up the mini-lab, run `eval $(make dev-env)` and change back to this project's directory\n1. Deploy the FCM into the mini-lab with `make deploy`\n1. Adapt the example [firewalldeployment.yaml](config/examples/firewalldeployment.yaml) and apply it with `kubectl apply -f config/examples/firewalldeployment.yaml`\n1. 
Note that the firewall-controller will not be able to connect to the mini-lab due to network restrictions, so the firewall will not become ready.\n   - You can make the firewall become ready anyway by setting the annotation `kubectl annotate fw \u003cfw-name\u003e firewall.metal-stack.io/no-controller-connection=true`\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmetal-stack%2Ffirewall-controller-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmetal-stack%2Ffirewall-controller-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmetal-stack%2Ffirewall-controller-manager/lists"}