{"id":37143010,"url":"https://github.com/stackitcloud/gardener-extension-acl","last_synced_at":"2026-01-14T16:47:26.956Z","repository":{"id":60898761,"uuid":"542716740","full_name":"stackitcloud/gardener-extension-acl","owner":"stackitcloud","description":null,"archived":false,"fork":false,"pushed_at":"2026-01-13T05:15:54.000Z","size":24125,"stargazers_count":7,"open_issues_count":9,"forks_count":17,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-01-13T08:36:08.453Z","etag":null,"topics":["ske"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackitcloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-09-28T17:40:26.000Z","updated_at":"2026-01-13T05:14:45.000Z","dependencies_parsed_at":"2023-12-19T15:57:39.123Z","dependency_job_id":"a16df2a0-887e-495a-bb03-394c5ee5e605","html_url":"https://github.com/stackitcloud/gardener-extension-acl","commit_stats":{"total_commits":196,"total_committers":32,"mean_commits":6.125,"dds":0.8622448979591837,"last_synced_commit":"9346b6db0644184ab91e79f690fbb2f5621837d4"},"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/stackitcloud/gardener-extension-acl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackitcloud%2Fgardener-extension-acl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackitcloud%
2Fgardener-extension-acl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackitcloud%2Fgardener-extension-acl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackitcloud%2Fgardener-extension-acl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackitcloud","download_url":"https://codeload.github.com/stackitcloud/gardener-extension-acl/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackitcloud%2Fgardener-extension-acl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28426427,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T16:38:47.836Z","status":"ssl_error","status_checked_at":"2026-01-14T16:34:59.695Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ske"],"created_at":"2026-01-14T16:47:26.340Z","updated_at":"2026-01-14T16:47:26.951Z","avatar_url":"https://github.com/stackitcloud.png","language":"Go","readme":"# Gardener ACL Extension\n\n**TL;DR: The Gardener ACL extension allows you to limit the access to shoot\nclusters using an allow-list mechanism. 
Basically, it looks like this:**\n\n```yaml\n# in the shoot object\nspec:\n  extensions:\n  - type: acl\n    providerConfig:\n      rule:\n        action: ALLOW\n        type: remote_ip\n        cidrs:\n          - \"1.2.3.4/24\"\n          - \"10.250.0.0/16\"\n          - ...\n```\n\nThe extension also supports multiple ingress namespaces, e.g. when using\nGardener `ExposureClasses` or deploying Highly Available Control Planes (see\n[ADR03](./docs/adr/03_multiple_istio_namespaces.md) for more information).\n\nPlease read on for more information.\n\n## Installation\n\nSet your `KUBECONFIG` variable to the Garden cluster.\n\n```sh\nkubectl apply -f deploy/extension/base/controller-registration.yaml\n```\n\n## Background, Functionality \u0026 Limitations\n\nGardener introduced *Shoot API Server SNI* with [GEP08](https://github.com/gardener/gardener/blob/master/docs/proposals/08-shoot-apiserver-via-sni.md).\n\nUsing Istio, Gardener configures a single ingress gateway per seed to proxy\ntraffic to all API servers on this seed based on some criteria. At its core,\nIstio configures an Envoy proxy using a set of\n[Kubernetes CRDs](https://istio.io/latest/docs/reference/config/networking/).\nWe can hook into this mechanism and insert additional configuration, which\nfurther limits the access to a specific cluster.\n\nBroadly speaking, there are two different external traffic flows:\n\n1. Kubernetes API Listener (via SNI name)\n2. Apiserver-Proxy / Reversed-VPN Listener\n\n*Please note that this changed with [GEP-30](https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md) as the dedicated Kubernetes Service Listener for the apiserver-proxy was removed.*\n\nThese ways are described in more detail in the aforementioned GEP. Essentially,\neach of these two ways is represented by a specific Envoy listener with filters.\nThe extension needs to hook into each of these filters (and their filter chains)\nto implement the desired behavior. 
Unfortunately, each type of access\nrequires its own way of handling.\n\n1. **SNI Access** - The most straightforward approach. We can deploy one\n   additional `EnvoyFilter` per shoot with the ACL extension enabled. It contains a\n   filter patch that matches on the shoot SNI name and specifies an `ALLOW` rule\n   with the provided IPs.\n2. **Apiserver-Proxy / VPN Access** - All apiserver-proxy and VPN traffic moves through the same listener. This\n   requires us to create only a single `EnvoyFilter` for VPN that contains\n   **all** rules of all shoots that have the extension enabled. And, conversely,\n   we need to make sure that traffic of all shoots that don't have the\n   extension enabled is still able to pass through this filter unhindered. We\n   achieve this by not only creating a policy for every shoot with ACL enabled,\n   but also an \"inverted\" policy which matches all shoots that don't have ACL\n   enabled. All these policies are then put in a single EnvoyFilter patch.\n\nBecause of the last point, we currently see no way of allowing the user to\ndefine multiple rules of different action types (`ALLOW` or `DENY`). Instead, we\nonly support a single `ALLOW` rule per shoot, which is in our opinion the best\ntrade-off to efficiently secure Kubernetes API servers.\n\nSee [ADR02](./docs/adr/02_envoyfilter_patching.md) for a more in-depth\ndiscussion of the challenges we had.\n\n## Cloud-specific settings\n\n### Openstack\n\nIn order for the internal VPN traffic to work, the router IP addresses from the\nshoot OpenStack projects have to be allowlisted in the ACL extension.\n\n## Healthchecks\n\nGardener provides a [Health Check Library](https://gardener.cloud/docs/gardener/extensions/healthcheck-library/)\nthat we can use to monitor the health of resources that our extension is\nresponsible for. 
Example: If the extension controller deploys a Gardener\n`ManagedResource`, we can define a health check on the extension that checks for\nthe health of this `ManagedResource`. This lets the extension reflect the state\nof the resources it is responsible for. This is expressed by status conditions\nin the extension resource itself (one per health check).\n\n## Generating ControllerRegistration and ControllerDeployment\n\nExtensions are installed on a Gardener cluster by deploying a\n`ControllerRegistration` and a `ControllerDeployment` object to the garden\ncluster. In this repository, you find an example for both of these resources in\nthe `deploy/extension/base/controller-registration.yaml` file.\n\nThe `ProviderConfig.chart` field contains the entire Helm chart for your\nextension as a gzipped and then base64-encoded string. After you have altered this\nHelm chart in the `charts/gardener-extension-acl` directory, run `make generate` to\nre-create this value.\n\n## Tests\n\nTo run the test suite, execute:\n\n```bash\nmake test\n```\n\nPlace all needed Gardener CRDs in the `upstream-crds` directory; they get\ninstalled automatically in the envtest cluster.\n\nSee [actuator_test.go](pkg/controller/actuator_test.go) for a minimal test\ncase example.\n\n## Local deployment\n\nSet up a garden [local-setup](https://github.com/gardener/gardener/blob/master/docs/deployment/getting_started_locally.md).\n\nThere are two ways to install the extension:\n\n`make extension-up` installs the acl-extension into the local gardener environment.\n\n`make extension-dev` also installs the acl-extension into the local gardener environment, but it rebuilds and redeploys it whenever you press a key in the terminal.\n\n\n### Local debugging\n\nThis can only be done with the gardener [local-setup](https://github.com/gardener/gardener/blob/master/docs/deployment/getting_started_locally.md).\n\nAfter your local gardener is ready, you can start the controller.\n\nInstall 
the extension:\n```bash\nmake extension-up\n```\n\nDisable reconciliation of the managed resource:\n```bash\nkubectl annotate managedresource acl-XXXXXX resources.gardener.cloud/ignore=\"true\"\n```\n\nScale down the acl-extension:\n```bash\nkubectl scale deployment -n extension-acl-XXXXXXX --replicas=0 gardener-extension-acl\n```\n\nNow you can run the acl-extension locally to debug it.\n\n```bash\nmake run\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackitcloud%2Fgardener-extension-acl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackitcloud%2Fgardener-extension-acl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackitcloud%2Fgardener-extension-acl/lists"}