metal-stack · Gerrit91 · Feb 10, 2025 · Feb 5, 2025 · Feb 5, 2025
@@ -5,7 +5,6 @@ WORKDIR /work
 COPY . .
 RUN make
 
-FROM alpine:3.20
+FROM gcr.io/distroless/static-debian12:nonroot
 COPY --from=builder /work/bin/firewall-controller-manager .
-USER 65534
 ENTRYPOINT ["/firewall-controller-manager"]
@@ -4,14 +4,12 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/Masterminds/semver/v3"
 	v2 "github.com/metal-stack/firewall-controller-manager/api/v2"
 	controllerclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/rest"
 	configlatest "k8s.io/client-go/tools/clientcmd/api/latest"
 	configv1 "k8s.io/client-go/tools/clientcmd/api/v1"
@@ -58,11 +56,6 @@ func ensureSeedRBAC(ctx context.Context, seedConfig *rest.Config, deploy *v2.Fir
 		}
 	)
 
-	k8sVersion, err := determineK8sVersion(seedConfig)
-	if err != nil {
-		return fmt.Errorf("unable to determine seed k8s version: %w", err)
-	}
-
 	seed, err := controllerclient.New(seedConfig, controllerclient.Options{
 		Scheme: scheme,
 	})
@@ -80,24 +73,22 @@ func ensureSeedRBAC(ctx context.Context, seedConfig *rest.Config, deploy *v2.Fir
 		return fmt.Errorf("error ensuring service account: %w", err)
 	}
 
-	if versionGreaterOrEqual124(k8sVersion) {
-		serviceAccountSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: deploy.Namespace,
-			},
-		}
+	serviceAccountSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: deploy.Namespace,
+		},
+	}
 
-		_, err := controllerutil.CreateOrUpdate(ctx, seed, serviceAccountSecret, func() error {
-			serviceAccountSecret.Annotations = map[string]string{
-				"kubernetes.io/service-account.name": serviceAccount.Name,
-			}
-			serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
-			return nil
-		})
-		if err != nil {
-			return fmt.Errorf("error ensuring service account token secret: %w", err)
+	_, err = controllerutil.CreateOrUpdate(ctx, seed, serviceAccountSecret, func() error {
+		serviceAccountSecret.Annotations = map[string]string{
+			"kubernetes.io/service-account.name": serviceAccount.Name,
 		}
+		serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("error ensuring service account token secret: %w", err)
 	}
 
 	var shootAccessSecretNames []string
@@ -176,11 +167,6 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 		}
 	)
 
-	k8sVersion, err := determineK8sVersion(shootConfig)
-	if err != nil {
-		return fmt.Errorf("unable to determine shoot k8s version: %w", err)
-	}
-
 	shoot, err := controllerclient.New(shootConfig, controllerclient.Options{
 		Scheme: scheme,
 	})
@@ -195,24 +181,22 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 		return fmt.Errorf("error ensuring service account: %w", err)
 	}
 
-	if versionGreaterOrEqual124(k8sVersion) {
-		serviceAccountSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: shootNamespace,
-			},
-		}
+	serviceAccountSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: shootNamespace,
+		},
+	}
 
-		_, err := controllerutil.CreateOrUpdate(ctx, shoot, serviceAccountSecret, func() error {
-			serviceAccountSecret.Annotations = map[string]string{
-				"kubernetes.io/service-account.name": serviceAccount.Name,
-			}
-			serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
-			return nil
-		})
-		if err != nil {
-			return fmt.Errorf("error ensuring service account token secret: %w", err)
+	_, err = controllerutil.CreateOrUpdate(ctx, shoot, serviceAccountSecret, func() error {
+		serviceAccountSecret.Annotations = map[string]string{
+			"kubernetes.io/service-account.name": serviceAccount.Name,
 		}
+		serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("error ensuring service account token secret: %w", err)
 	}
 
 	_, err = controllerutil.CreateOrUpdate(ctx, shoot, clusterRole, func() error {
@@ -271,34 +255,6 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 	return nil
 }
 
-func determineK8sVersion(config *rest.Config) (*semver.Version, error) {
-	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
-	if err != nil {
-		return nil, fmt.Errorf("unable to create discovery client: %w", err)
-	}
-
-	version, err := discoveryClient.ServerVersion()
-	if err != nil {
-		return nil, fmt.Errorf("unable to discover server version: %w", err)
-	}
-
-	k8sVersion, err := semver.NewVersion(version.GitVersion)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse kubernetes version version: %w", err)
-	}
-
-	return k8sVersion, nil
-}
-
-func versionGreaterOrEqual124(v *semver.Version) bool {
-	constraint, err := semver.NewConstraint(">=v1.24.0")
-	if err != nil {
-		return false
-	}
-
-	return constraint.Check(v)
-}
-
 type AccessConfig struct {
 	Ctx          context.Context
 	Config       *rest.Config
@@ -344,62 +300,26 @@ func GetAccessKubeconfig(c *AccessConfig) ([]byte, error) {
 		return nil, err
 	}
 
-	k8sVersion, err := determineK8sVersion(c.Config)
-	if err != nil {
-		return nil, fmt.Errorf("unable to determine k8s version: %w", err)
-	}
-
 	cl, err := controllerclient.New(c.Config, controllerclient.Options{
 		Scheme: scheme,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("unable to create client: %w", err)
 	}
 
-	if versionGreaterOrEqual124(k8sVersion) {
-		saSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: c.Namespace,
-			},
-		}
-		err := cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
-		if err != nil {
-			return nil, err
-		}
-
-		token = string(saSecret.Data["token"])
-		ca = saSecret.Data["ca.crt"]
-	} else {
-		sa := &corev1.ServiceAccount{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: c.Namespace,
-			},
-		}
-		err := cl.Get(c.Ctx, client.ObjectKeyFromObject(sa), sa, &client.GetOptions{})
-		if err != nil {
-			return nil, err
-		}
-
-		if len(sa.Secrets) == 0 {
-			return nil, fmt.Errorf("service account %q contains no valid token secret", sa.Name)
-		}
-
-		saSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      sa.Secrets[0].Name,
-				Namespace: c.Namespace,
-			},
-		}
-		err = cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
-		if err != nil {
-			return nil, err
-		}
-
-		token = string(saSecret.Data["token"])
-		ca = saSecret.Data["ca.crt"]
+	saSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: c.Namespace,
+		},
 	}
+	err = cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	token = string(saSecret.Data["token"])
+	ca = saSecret.Data["ca.crt"]
 
 	if token == "" {
 		return nil, fmt.Errorf("no token was created")

@@ -40,7 +40,7 @@ const (
 	ConditionUnknown ConditionStatus = "Unknown"
 )
 
-type Conditions []Condition
+type Conditions []Condition // nolint:recvcheck
 
 // NewCondition creates a new condition.
 func NewCondition(t ConditionType, status ConditionStatus, reason, message string) Condition {