control plane blackbox-exporter: Remove unneeded NetworkPolicy label …

…to kube-apiserver (gardener#10775)
LucaBernstein · Nov 7, 2024 · 413a66c · 413a66c
1 parent 6a6950e
commit 413a66c
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/pkg/gardenlet/operation/botanist/blackboxexporter.go b/pkg/gardenlet/operation/botanist/blackboxexporter.go
@@ -11,7 +11,6 @@ import (
 
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	"github.com/gardener/gardener/pkg/component"
-	kubeapiserverconstants "github.com/gardener/gardener/pkg/component/kubernetes/apiserver/constants"
 	"github.com/gardener/gardener/pkg/component/observability/monitoring/blackboxexporter"
 	clusterblackboxexporter "github.com/gardener/gardener/pkg/component/observability/monitoring/blackboxexporter/shoot/cluster"
 	controlplaneblackboxexporter "github.com/gardener/gardener/pkg/component/observability/monitoring/blackboxexporter/shoot/controlplane"
@@ -30,11 +29,12 @@ func (b *Botanist) DefaultBlackboxExporterControlPlane() (component.DeployWaiter
 			VPAEnabled:        true,
 			KubernetesVersion: b.Seed.KubernetesVersion,
 			PodLabels: map[string]string{
-				// needed to talk to shoot API server via istio-ingressgateway
 				v1beta1constants.LabelNetworkPolicyToDNS:            v1beta1constants.LabelNetworkPolicyAllowed,
 				v1beta1constants.LabelNetworkPolicyToPublicNetworks: v1beta1constants.LabelNetworkPolicyAllowed,
+				// The control plane blackbox-exporter is using the internal cluster domain to probe the shoot API server.
+				// Traffic to the istio-ingressgateway needs to be allowed because on some infrastructures kube-proxy shortcuts the network path.
+				// It directly forwards the traffic to the target within the cluster (i.e., istio-ingressgateway) instead of first going out and then coming in again.
 				gardenerutils.NetworkPolicyLabel(v1beta1constants.LabelNetworkPolicyIstioIngressNamespaceAlias+"-istio-ingressgateway", 9443): v1beta1constants.LabelNetworkPolicyAllowed,
-				gardenerutils.NetworkPolicyLabel(v1beta1constants.DeploymentNameKubeAPIServer, kubeapiserverconstants.Port):                   v1beta1constants.LabelNetworkPolicyAllowed,
 			},
 			PriorityClassName: v1beta1constants.PriorityClassNameShootControlPlane100,
 			Config:            controlplaneblackboxexporter.Config(),