From 03cb6f84794943dd0d95bbe2c28c6dd5db6ed347 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 25 Sep 2022 19:53:36 +0200
Subject: [PATCH] fix(metallb): Switch to "Allow from all namespaces"

Currently there is an issue that the kube-apiserver can't reach the
metallb admission webhook, which results in the inability to sync any
metallb objects.

The reason why this doesn't work is not completely understood yet. It
uses an IP address from the Pod CIDR (10.1.0.0/16) which is blocked by
the network policies. No single pod has this IP address according to
`kubectl get pods --all-namespaces -o wide`, which displays the Pods
along with their IP addresses.

This makes sense, given that the kube-apiserver is a host/node Pod,
which is directly defined in the kubelet configuration of the
control-plane node, which also runs in the host network. As a result,
the pod has no regular Pod IP from the Pod IP address space.

For debugging, I used a calico log rule, which is based on the calico
network policies.

Reference:
https://projectcalico.docs.tigera.io/archive/v3.23/security/calico-network-policy#generate-logs-for-specific-traffic
---
 infrastructure/metallb/kustomization.yaml | 2 +-
 infrastructure/metallb/networkpolicy.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

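Added example, not part of this patch or of the repository: a Calico NetworkPolicy ordered after the Kubernetes policies that logs only the packets about to hit the default deny on the MetalLB controller (the log-rule technique the message references), followed by a Kubernetes NetworkPolicy that admits just the webhook port from the observed source instead of every namespace. The namespace `metallb-system`, the controller labels, the webhook port 9443 and the source range are assumptions; replace the range with the address the log reveals.

```yaml
# Calico policy ordered after the Kubernetes NetworkPolicies (which Calico
# evaluates at order 1000), so it only sees packets no earlier policy allowed,
# i.e. the ones that would otherwise be dropped by the default deny.
# "Log" writes the packet to the node's kernel log (prefix "calico-packet:")
# and continues; the logged source address is the one to allow below.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: log-denied-ingress-to-controller
  namespace: metallb-system          # assumed namespace
spec:
  order: 2000
  # assumed labels of the MetalLB controller pod
  selector: app.kubernetes.io/name == 'metallb' && app.kubernetes.io/component == 'controller'
  types:
    - Ingress
  ingress:
    - action: Log
---
# Narrow Kubernetes policy: webhook port only, from the logged source only,
# instead of admitting all traffic from all namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-apiserver-to-webhook
  namespace: metallb-system          # assumed namespace
spec:
  podSelector:
    matchLabels:                     # assumed labels, see above
      app.kubernetes.io/name: metallb
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.1.0.0/16        # placeholder: narrow to the /32 from the log
      ports:
        - protocol: TCP
          port: 9443                 # assumed MetalLB webhook-server port
```

How a CNI plugin matches ipBlock against an in-cluster address is plugin-specific; Calico compares it against the packet's actual source, which is what the log rule reports.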
diff --git a/infrastructure/metallb/kustomization.yaml b/infrastructure/metallb/kustomization.yaml
index 58fd710f5..cefbaf423 100644
--- a/infrastructure/metallb/kustomization.yaml
+++ b/infrastructure/metallb/kustomization.yaml
@@ -7,7 +7,7 @@ resources:
   - release.yaml
   - ../../shared/networkpolicies/allow-from-same-namespace.yaml
   - ../../shared/networkpolicies/allow-from-monitoring.yaml
-  - ../../shared/networkpolicies/allow-from-kube-system.yaml
+  - ../../shared/networkpolicies/allow-from-all-namespaces.yaml
 patchesStrategicMerge:
   - networkpolicy.yaml
 configMapGenerator:
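Review bot: the scope here is much broader than the problem described: allow-from-all-namespaces admits ingress from every pod in every namespace to all of MetalLB, to fix a path the message says is not yet understood. Since the blocked source is one address inside 10.1.0.0/16 that belongs to no Pod, an ipBlock rule for that address restricted with `ports:` to the webhook port would keep the exposure where it was; a short comment on this line pointing at the commit would also record why allow-from-kube-system was not enough.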
diff --git a/infrastructure/metallb/networkpolicy.yaml b/infrastructure/metallb/networkpolicy.yaml
index 3344f55a2..228c4472d 100644
--- a/infrastructure/metallb/networkpolicy.yaml
+++ b/infrastructure/metallb/networkpolicy.yaml
@@ -12,7 +12,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-from-kube-system
+  name: allow-from-all-namespaces
 spec:
   podSelector:
     matchLabels:
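Review bot: renaming the strategic merge target only works if the shared allow-from-all-namespaces.yaml has the same structure as allow-from-kube-system.yaml, so the `podSelector.matchLabels` override that follows still lands on the right fields; worth confirming with `kustomize build infrastructure/metallb` that the patch applies cleanly, and that the now-unreferenced allow-from-kube-system NetworkPolicy is pruned from the cluster rather than lingering beside the new one.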
-- 
GitLab