Please include calico-apiserver (https://projectcalico.docs.tigera.io/maintenance/install-apiserver) into the shoot deployment (calico-apiserver went GA with calico v3.20.0). If you don't want to make this default it would be nice to have it as an optional component, configurable via shoot spec.
Not sure, maybe this can even go into the seed ...
Background: without the calico-apiserver, the projectcalico.org/v3 api group is not available in the shoots, and people have to use the crd.projectcalico.org/v1 variants of the calico resources, which is unsupported and dangerous (see e.g. projectcalico/calico#6412). And I can confirm that really really bad things can happen when using the low-level ones (i.e. api group crd.projectcalico.org/v1) ...
Could you please share what really really bad things happen using the old calico apis? I am aware that the calico team is not happy about them being used, but I wonder how bad it could get.
It's about the missing validation/defaulting in the internal group.
For example, I forgot to specify protocol: TCP in one port-matching rule of a GlobalNetworkPolicy (naively assuming that TCP would be the default); result: calico accepted the resource without any complaint, and silently just did not create the netfilter rule. Finally I found it out, but I had to study iptables-save output for a while to see it ...
Using projectcalico.org/v3 there was a proper admission error.
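An added example, not part of the original thread or of the Calico or Gardener code: a small audit that flags policies in the crd.projectcalico.org group whose rules match on ports but set no protocol, the case described in the comment above. It assumes the rule fields `protocol`, `source`/`destination` and `ports`/`notPorts` from Calico's policy schema; the sample object and the name `allow-web` are constructed.

```python
import json

# Constructed sample, shaped like the output of
# `kubectl get globalnetworkpolicies.crd.projectcalico.org -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"apiVersion": "crd.projectcalico.org/v1", "kind": "GlobalNetworkPolicy",
   "metadata": {"name": "allow-web"},
   "spec": {
     "ingress": [
       {"action": "Allow", "protocol": "TCP", "destination": {"ports": [443]}},
       {"action": "Allow", "destination": {"ports": [8080]}}
     ],
     "egress": [{"action": "Allow"}]
   }}
]}
""")

def rules_missing_protocol(policy):
    """Return (direction, index) for each rule that matches on ports but sets no protocol."""
    findings = []
    spec = policy.get("spec") or {}
    for direction in ("ingress", "egress"):
        for idx, rule in enumerate(spec.get(direction) or []):
            has_ports = any(
                (rule.get(side) or {}).get(key)
                for side in ("source", "destination")
                for key in ("ports", "notPorts")
            )
            if has_ports and not rule.get("protocol"):
                findings.append((direction, idx))
    return findings

def audit(doc):
    """Check every object written through the low-level crd.projectcalico.org group."""
    report = []
    for obj in doc.get("items", [doc]):  # accept a List or a single object
        if not obj.get("apiVersion", "").startswith("crd.projectcalico.org/"):
            continue  # projectcalico.org/v3 objects already passed admission validation
        for direction, idx in rules_missing_protocol(obj):
            name = f'{obj["kind"]}/{obj["metadata"]["name"]}'
            report.append(f"{name}: {direction}[{idx}] has ports but no protocol")
    return report

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
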