stackitcloud · hown3d · May 4, 2026 · May 11, 2026 · May 12, 2026 · May 12, 2026
@@ -109,9 +109,10 @@ generate: $(HELM) $(YQ)
 format: $(GOIMPORTS) $(GOIMPORTSREVISER)
 	@bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg
 
-.PHONY: test
+.PHONY: test 
+test: DIRS ?= "./cmd/... ./pkg/..."
 test: $(REPORT_COLLECTOR) $(SETUP_ENVTEST)
-	@./hack/test.sh ./cmd/... ./pkg/...
+	@./hack/test.sh $(DIRS)
 
 .PHONY: test-cov
 test-cov:

@@ -22,9 +22,10 @@ spec:
       labels:
         networking.gardener.cloud/to-dns: allowed
         networking.gardener.cloud/to-runtime-apiserver: allowed
+        networking.resources.gardener.cloud/to-garden-virtual-garden-kube-apiserver-tcp-443: allowed
 {{ include "labels" . | indent 8 }}
     spec:
-      priorityClassName: gardener-system-900
+      priorityClassName: {{ default "gardener-system-900" .Values.gardener.runtimeCluster.priorityClassName }}
       serviceAccountName: {{ include "name" . }}
       containers:
       - name: {{ include "name" . }}
@@ -43,7 +44,16 @@ spec:
         {{- if .Values.gardener.version }}
         - --gardener-version={{ .Values.gardener.version }}
         {{- end }}
+        {{- if .Values.gardener.runtimeCluster.enabled }}
+        - --extension-classes=garden
+        {{- else }}
+        - --extension-classes=shoot
+        {{- end }}
         env:
+        {{- if .Values.gardener.runtimeCluster.enabled }}
+        - name: GARDEN_KUBECONFIG
+          value: /var/run/secrets/gardener.cloud/garden/generic-kubeconfig/kubeconfig
+        {{- end }}
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:
             fieldRef:
@@ -65,16 +75,33 @@ spec:
           runAsGroup: 65532
           seccompProfile:
             type: RuntimeDefault
-        {{- if .Values.imageVectorOverwrite }}
         volumeMounts:
+        {{- if .Values.gardener.runtimeCluster.enabled }}
+        - name: kubeconfig
+          mountPath: /var/run/secrets/gardener.cloud/garden/generic-kubeconfig
+          readOnly: true
+        {{- end }}
+        {{- if .Values.imageVectorOverwrite }}
         - name: extension-imagevector-overwrite
           mountPath: /charts_overwrite/
           readOnly: true
         {{- end }}
-      {{- if .Values.imageVectorOverwrite }}
       volumes:
+      {{- if .Values.imageVectorOverwrite }}
       - name: extension-imagevector-overwrite
         configMap:
           name: {{ include "name" . }}-imagevector-overwrite
           defaultMode: 420
       {{- end }}
+      {{- if .Values.gardener.runtimeCluster.enabled }}
+      - name: kubeconfig
+        projected:
+          defaultMode: 420
+          sources:
+          - secret:
+              items:
+              - key: kubeconfig
+                path: kubeconfig
+              name: garden-kubeconfig
+              optional: false
+      {{- end }}
@@ -0,0 +1,32 @@
+{{- if .Values.gardener.runtimeCluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}:garden
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - operator.gardener.cloud
+  resources:
+  - gardens
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}:garden
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}:garden
+subjects:
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
@@ -0,0 +1,42 @@
+{{- if not .Values.gardener.runtimeCluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}:shoot
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - extensions.gardener.cloud
+  resources:
+  - clusters
+  - dnsrecords
+  - infrastructures
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}:shoot
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}:shoot
+subjects:
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
@@ -18,24 +18,6 @@ rules:
   - delete
   resources:
   - envoyfilters
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - extensions.gardener.cloud
-  resources:
-  - clusters
-  - dnsrecords
-  - infrastructures
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - extensions.gardener.cloud
   resources:
@@ -67,28 +49,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - create
-  - update
-  - patch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterroles
-  - clusterrolebindings
-  - roles
-  - rolebindings
-  verbs:
-  - get
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
   - ""
   resources:
@@ -197,4 +157,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    serviceaccount.resources.gardener.cloud/name: extension-acl
+    serviceaccount.resources.gardener.cloud/inject-ca-bundle: "true"
+    serviceaccount.resources.gardener.cloud/labels: '{"extension": "acl"}'
+  labels:
+    resources.gardener.cloud/class: garden
+    resources.gardener.cloud/purpose: token-requestor
+  name: garden-kubeconfig
+  namespace: {{ .Release.Namespace }}
+stringData:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        server: https://virtual-garden-kube-apiserver.garden.svc.cluster.local
+      name: default
+    contexts:
+    - context:
+        cluster: default
+        user: token
+      name: default
+    current-context: default
+    kind: Config
+    users:
+    - name: token
+      user: {}
@@ -38,3 +38,6 @@ additionalAllowedCidrs: []
 
 gardener:
   version: ""
+  runtimeCluster:
+    enabled: false
+    priorityClassName: ""
@@ -1,7 +1,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-api-{{ .Values.shootName }}
+  name: acl-api-{{ .Values.suffix }}
   namespace: {{ .Values.targetNamespace }}
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}

@@ -1,8 +1,10 @@
+{{- if .Values.httpProxyEnvoyFilterSpec }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-http-proxy-{{ .Values.shootName }}
+  name: acl-http-proxy-{{ .Values.suffix }}
   namespace: {{ .Values.targetNamespace }}
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}
 spec: {{- .Values.httpProxyEnvoyFilterSpec | toYaml | nindent 2 }}
+{{- end }}
@@ -2,7 +2,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-ingress-{{ .Values.shootName }}
+  name: acl-ingress-{{ .Values.suffix }}
   namespace: istio-ingress
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}

@@ -1,8 +1,10 @@
+{{- if .Values.vpnEnvoyFilterSpec }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-vpn-{{ .Values.shootName }}
+  name: acl-vpn-{{ .Values.suffix }}
   namespace: {{ .Values.targetNamespace }}
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}
 spec: {{- .Values.vpnEnvoyFilterSpec | toYaml | nindent 2 }}
+{{- end }}
@@ -1 +1,3 @@
-# TODO
+suffix: ""
+targetNamespace: ""
+
@@ -22,6 +22,7 @@ import (
 	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
 	"github.com/gardener/gardener/extensions/pkg/util"
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
+	operatorv1alpha1 "github.com/gardener/gardener/pkg/apis/operator/v1alpha1"
 	"github.com/spf13/cobra"
 	istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
 	istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
@@ -98,6 +99,10 @@ func (o *Options) run(ctx context.Context) error {
 		return fmt.Errorf("could not update manager scheme: %s", err)
 	}
 
+	if err := operatorv1alpha1.AddToScheme(mgr.GetScheme()); err != nil {
+		return fmt.Errorf("could not update manager scheme: %s", err)
+	}
+
 	if err := istionetworkv1alpha3.AddToScheme(mgr.GetScheme()); err != nil {
 		return fmt.Errorf("could not update manager scheme: %s", err)
 	}
@@ -112,6 +117,10 @@ func (o *Options) run(ctx context.Context) error {
 	o.controllerOptions.Completed().Apply(&controller.DefaultAddOptions.ControllerOptions)
 	o.healthOptions.Completed().Apply(&healthcheck.DefaultAddOptions.Controller)
 	o.reconcileOptions.Completed().Apply(&controller.DefaultAddOptions.IgnoreOperationAnnotation)
+	healthcheck.DefaultAddOptions.ExtensionClasses = o.generalOptions.Completed().ExtensionClasses
+
+	o.reconcileOptions.Completed().Apply(&controller.DefaultAddOptions.IgnoreOperationAnnotation)
+	controller.DefaultAddOptions.ExtensionClasses = o.generalOptions.Completed().ExtensionClasses
 
 	if err := o.controllerSwitches.Completed().AddToManager(ctx, mgr); err != nil {
 		return fmt.Errorf("could not add controllers to manager: %s", err)

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: extensions.gardener.cloud:acl:managedseeds
+  namespace: garden
+  annotations:
+    authorization.gardener.cloud/extensions-serviceaccount-selector: '{"matchLabels":{"extension":"acl"}}'
+  labels:
+    authorization.gardener.cloud/custom-extensions-permissions: "true"
+rules:
+- apiGroups:
+  - seedmanagement.gardener.cloud
+  resources:
+  - managedseeds
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - core.gardener.cloud
+  resources:
+  - shoots
+  verbs:
+  - get
+  - list
+  - watch