support extension on `Garden` resource by hown3d · Pull Request #280 · stackitcloud/gardener-extension-acl

hown3d · 2026-05-05T15:59:57Z

What this PR does / why we need it:
Allows to use the ACL extension to restrict access to the virtual garden API server

Which issue(s) this PR fixes:
Fixes gardener/hackathon#47

Special notes for your reviewer:

timebertt

Partial review together with @MichaelEischer @mstueer @hammadzf

timebertt · 2026-05-26T07:51:56Z

  - get
  - list
  - watch
+{{- end }}


Please double-check if we need all of the remaining permissions in the garden case.

I think having a seperate roles that clearly define which permissions are granted for the extensions is easier to read. I will refactor this.

timebertt · 2026-05-26T08:11:39Z

+	var gardenCluster cluster.Cluster
+	if kFile := os.Getenv("GARDEN_KUBECONFIG"); kFile != "" {
+		var err error
+		gardenCluster, err = setupGardenCluster(mgr, kFile)


This should happen in app.go not in the controller package

I agree, but there where would I put the cluster to pass it through to the predicate?
The controllers are registered via controllerSwitches which expects the AddToManger(ctx, mgr) signature.

Binding to AddOptions could be an option, but this seems a bit weird. WDYT?

I suggest passing a new cluster.Cluster param to ControllerSwitches, then you can wrap the actual AddToManager(ctx, mgr, cluster) call in a func(context.Context, manager.Manager)

This does not work well because the controller switches are registered before the manager is setup and I would like to setup the cluster next to the manager.

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

hown3d mentioned this pull request May 5, 2026

Add support for virtual Garden to ACL Extension gardener/hackathon#47

Open

hown3d force-pushed the garden-extension branch from 54b032d to 68234a1 Compare May 12, 2026 15:21

hown3d mentioned this pull request May 13, 2026

operator: report virtual garden api server address in status gardener/gardener#14831

Merged

hown3d force-pushed the garden-extension branch 4 times, most recently from 677f076 to 6cc819a Compare May 19, 2026 06:37

timebertt reviewed May 26, 2026

View reviewed changes

hown3d force-pushed the garden-extension branch 4 times, most recently from 04a3249 to fd64462 Compare May 27, 2026 13:37

hown3d added 16 commits May 27, 2026 16:14

controller

21cd4dc

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

watch managedseed shoots

09dbe34

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

different managed resource name for garden extension

40818e5

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

healthcheck garden managed resource

ca7d23a

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

tests

68f84e5

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

delete managed resource of garden extension

fa05bb5

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

fix deployment manifest for controller

f07f6dd

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

move garden specific allowed cidrs into own file

1e06ecc

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

comment why to add node and pod cidr of runtime cluster to allowed

3c5eef7

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

move rbac for extension classes into separate files

15c7bb8

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

drop uneeded permissions

81a4804

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

restrict garden permissions to garden namespace

a534fad

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

kustomization for garden resources

88f7687

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

helper function to check if garden extension

a9ecb17

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

requeue if no advertised addresses

470001b

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

drop special findIstioNamespace logic for garden extension

f1d8cf0

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

hown3d force-pushed the garden-extension branch from fd64462 to f1d8cf0 Compare May 27, 2026 14:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

support extension on `Garden` resource#280

support extension on `Garden` resource#280
hown3d wants to merge 16 commits into
mainfrom
garden-extension

hown3d commented May 5, 2026

Uh oh!

timebertt left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

timebertt May 26, 2026

Uh oh!

hown3d May 26, 2026

Uh oh!

timebertt May 26, 2026

Uh oh!

hown3d May 26, 2026

Uh oh!

timebertt May 27, 2026

Uh oh!

hown3d May 27, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

hown3d commented May 5, 2026

Uh oh!

timebertt left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

timebertt May 26, 2026

Choose a reason for hiding this comment

Uh oh!

hown3d May 26, 2026

Choose a reason for hiding this comment

Uh oh!

timebertt May 26, 2026

Choose a reason for hiding this comment

Uh oh!

hown3d May 26, 2026

Choose a reason for hiding this comment

Uh oh!

timebertt May 27, 2026

Choose a reason for hiding this comment

Uh oh!

hown3d May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

hown3d May 27, 2026 •

edited

Loading