From 413a66c18425ab11d010a841d27af55ceae4a56a Mon Sep 17 00:00:00 2001
From: Ismail Alidzhikov <9372594+ialidzhikov@users.noreply.github.com>
Date: Thu, 7 Nov 2024 03:30:04 +0200
Subject: [PATCH] control plane blackbox-exporter: Remove unneeded NetworkPolicy label to kube-apiserver (#10775)

---
 pkg/gardenlet/operation/botanist/blackboxexporter.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/gardenlet/operation/botanist/blackboxexporter.go b/pkg/gardenlet/operation/botanist/blackboxexporter.go
index d36374f3252..215f2b5c5fe 100644
--- a/pkg/gardenlet/operation/botanist/blackboxexporter.go
+++ b/pkg/gardenlet/operation/botanist/blackboxexporter.go
@@ -11,7 +11,6 @@ import (
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	"github.com/gardener/gardener/pkg/component"
-	kubeapiserverconstants "github.com/gardener/gardener/pkg/component/kubernetes/apiserver/constants"
 	"github.com/gardener/gardener/pkg/component/observability/monitoring/blackboxexporter"
 	clusterblackboxexporter "github.com/gardener/gardener/pkg/component/observability/monitoring/blackboxexporter/shoot/cluster"
 	controlplaneblackboxexporter "github.com/gardener/gardener/pkg/component/observability/monitoring/blackboxexporter/shoot/controlplane"
@@ -30,11 +29,12 @@ func (b *Botanist) DefaultBlackboxExporterControlPlane() (component.DeployWaiter
 		VPAEnabled:        true,
 		KubernetesVersion: b.Seed.KubernetesVersion,
 		PodLabels: map[string]string{
-			// needed to talk to shoot API server via istio-ingressgateway
 			v1beta1constants.LabelNetworkPolicyToDNS:            v1beta1constants.LabelNetworkPolicyAllowed,
 			v1beta1constants.LabelNetworkPolicyToPublicNetworks: v1beta1constants.LabelNetworkPolicyAllowed,
+			// The control plane blackbox-exporter is using the internal cluster domain to probe the shoot API server.
+			// Traffic to the istio-ingressgateway needs to be allowed because on some infrastructures kube-proxy shortcuts the network path.
+			// It directly forwards the traffic to the target within the cluster (i.e., istio-ingressgateway) instead of first going out and then coming in again.
 			gardenerutils.NetworkPolicyLabel(v1beta1constants.LabelNetworkPolicyIstioIngressNamespaceAlias+"-istio-ingressgateway", 9443): v1beta1constants.LabelNetworkPolicyAllowed,
-			gardenerutils.NetworkPolicyLabel(v1beta1constants.DeploymentNameKubeAPIServer, kubeapiserverconstants.Port): v1beta1constants.LabelNetworkPolicyAllowed,
 		},
 		PriorityClassName: v1beta1constants.PriorityClassNameShootControlPlane100,
 		Config: controlplaneblackboxexporter.Config(),
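Review bot: The remaining `gardenerutils.NetworkPolicyLabel(... "-istio-ingressgateway", 9443)` line carries an unexplained magic port, whereas the removed kube-apiserver label referenced a named `kubeapiserverconstants.Port`; if the repository has a constant for the istio-ingressgateway TLS port it should be used here, otherwise the new comment should say what 9443 is. The comment block would also read better as `// The control plane blackbox-exporter uses the internal cluster domain to probe the shoot API server.` and should note that the `LabelNetworkPolicyToPublicNetworks` label above is presumably what permits the normal, non-shortcut path to the load-balancer address, since the two labels only make sense together. Dropping the direct kube-apiserver label is a welcome least-privilege reduction, but it is only safe if every target in `controlplaneblackboxexporter.Config()` resolves via the ingress gateway; that config is outside this hunk, so it is worth confirming. The enclosing `DefaultBlackboxExporterControlPlane` begins before the hunk and continues past it.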