Issue by rfranzke
Thursday Dec 07, 2017 at 07:35 GMT
Originally opened as https://git.removed/kubernetes-attic/garden-readvertiser/issues/4

Issue by ccwienk
Friday Dec 01, 2017 at 13:56 GMT
Originally opened as https://git.removed/kubernetes-attic/garden-readvertiser/pull/2

ccwienk included the following code: https://git.removed/kubernetes-attic/garden-readvertiser/pull/2/commits

Gardener informs its stakeholders in its CNCF CII Badge, that static code checks are applied by using Checkmarx. This repository has findings, which have to be assessed by the component owner(s). As required all prio high findings were already been immediately assessed. Please find the maximum processing times until when to assess the remaining prio medium findings in the SAP Security Response Team's Wiki (restricted access). At the time being you can ignore the prio low findings. Please find background information and a link to the Checkmarx project for your repository in the Wiki (restricted access). In the Wiki (restricted access) you will as well find information how to get a Checkmarx user which is required to be able to do your assessment in the Checkmarx Web UI.

This component lacks unit/integration tests (and coverage). Should we add them, so that integration in the Gardener becomes safer (in the context of the planned full output qualification and continuous deployment).

What would you like to be added:
The kubernetes endpoint sometimes is configured with outdated or manually added IPs which are not serving the kube-apiserver of the shoot. Because of this, applications deployed in the clusters are sporadically failing to connect to the kube-apiserver if they hit the wrong IP.

The readvertiser observes this behavior, but it only ensures that the currently active IPs are injected into the endpoint.

time="2020-11-06T12:49:02Z" level=info msg="DNS lookup results are: [10.10.10.10 10.10.10.11]"
time="2020-11-06T12:49:02Z" level=info msg="Kubernetes Endpoint IPs : [\"10.20.20.20\" \"10.10.10.10\" \"10.10.10.11\" \"10.20.20.21\" \"10.20.20.22\" \"10.20.20.22\"]"
time="2020-11-06T12:49:02Z" level=info msg="Nothing to be done"

Why is this needed:
To ensure that the in-cluster applications are always routed to the API server of the cluster.

Gardener informs its stakeholders in its CNCF CII Badge, that static code checks are applied by using Checkmarx. This repository has findings, which have to be assessed by the component owner(s). As required all prio high findings were already been immediately assessed. Please find the maximum processing times until when to assess the remaining prio medium findings in the SAP Security Response Team's Wiki (restricted access). At the time being you can ignore the prio low findings. Please find background information and a link to the Checkmarx project for your repository in the Wiki (restricted access). In the Wiki (restricted access) you will as well find information how to get a Checkmarx user which is required to be able to do your assessment in the Checkmarx Web UI.