☂️ Support for Immutable Backup Buckets via ProviderConfig in Gardener Provider Extensions #10866

@seshachalam-yv

Description

How to categorize this issue?

/area backup
/area security
/kind enhancement


What would you like to be added:

Implement support for immutable backup buckets in the Gardener provider extensions for AWS, GCP, and Azure. The provider extensions should be capable of creating or updating backup buckets with immutability settings based on configurations specified in the seed's backup configuration under the providerConfig section. Additionally, introduce an admission validation webhook to enforce immutability settings and prevent them from being disabled or reduced once set.

Why is this needed:

Immutability of backup data is critical for security and compliance purposes. Enforcing immutability ensures that backup data cannot be altered or deleted before a specified retention period has elapsed, protecting it against accidental deletion and against deliberate destruction by an attacker who has obtained credentials for the bucket. By adding support for immutable backup buckets, we significantly enhance the robustness and reliability of the backup and restore mechanisms in Gardener-managed clusters.

Implementation Details:

Gardener Seed Backup Configuration

Introduce immutability settings in the seed's backup configuration under the providerConfig section:

spec:
  backup:
    providerConfig:
      apiVersion: gcp.provider.extensions.gardener.cloud/v1alpha1
      kind: BackupBucketConfig
      immutability:
        retentionType: "bucket"
        retentionPeriod: 96h
        locked: false   # set to true to lock the retention policy

This configuration allows Gardener to specify immutability policies for backup buckets: the type of retention policy (retentionType), the retention period (retentionPeriod), and whether the policy is locked so that it can no longer be removed from the bucket (locked).

The BackupBucket resource is created during the creation of the Seed. These immutability settings are propagated unchanged into backupbucket.spec.providerConfig, and the provider extension uses them to create or update the bucket accordingly.

Gardener Extension Providers

The Gardener extension providers for AWS, GCP, and Azure should update their backup bucket handling to consider the immutability settings from backupbucket.spec.providerConfig:

  • If the bucket does not exist: Create the bucket with the specified immutability settings.
  • If the bucket exists without immutability settings: Update the bucket to include the specified immutability settings.
  • If the bucket has immutability settings with a shorter retention period: Adjust the retention period to match the new settings.
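The three cases above are a reconciliation decision: compare the desired immutability settings with what the cloud API reports for the bucket and derive the calls to make. The following Go snippet is an added example of that decision logic, not code from Gardener or from any provider extension; the struct and field names (ImmutabilityConfig, BucketState, the Action values) are assumed, since the issue only sketches the YAML. It goes beyond the issue in one respect: it also refuses to shorten an existing retention period or to unlock a locked policy, because the cloud APIs would reject those operations and the reconciler should fail early rather than loop on a provider error.

```go
package main

import (
	"fmt"
	"time"
)

// ImmutabilityConfig mirrors the immutability stanza of the BackupBucketConfig
// sketched in the issue. Field names are assumed for this example; no provider
// extension defines them yet.
type ImmutabilityConfig struct {
	RetentionType   string        // "bucket" in the issue's example
	RetentionPeriod time.Duration // e.g. 96h
	Locked          bool          // lock the retention policy so it cannot be removed
}

// BucketState is what the provider's storage API reported about the bucket.
// A nil *BucketState means the bucket does not exist.
type BucketState struct {
	Retention time.Duration // 0 means no retention policy is set
	Locked    bool
}

// Action is one step the extension must take against the cloud API.
type Action int

const (
	ActionCreate          Action = iota // create the bucket with the desired policy
	ActionSetRetention                  // add a retention policy to an existing bucket
	ActionExtendRetention               // lengthen an existing retention policy
	ActionLock                          // lock the retention policy
	ActionNoop                          // bucket already matches the desired settings
)

func (a Action) String() string {
	return [...]string{"create", "set-retention", "extend-retention", "lock", "noop"}[a]
}

// Plan maps the three cases from the issue to concrete actions and adds two
// guards the reconciler should not delegate to the admission webhook: it never
// shortens an existing retention period and never tries to unlock a locked
// policy. Both would be rejected by the cloud API anyway, so failing early
// keeps the BackupBucket status honest instead of retrying a doomed call.
func Plan(desired *ImmutabilityConfig, current *BucketState) ([]Action, error) {
	if desired != nil && desired.RetentionPeriod <= 0 {
		return nil, fmt.Errorf("retentionPeriod must be positive, got %s", desired.RetentionPeriod)
	}
	if current == nil {
		return []Action{ActionCreate}, nil
	}
	if desired == nil {
		if current.Retention > 0 {
			return nil, fmt.Errorf("bucket has a %s retention policy; immutability cannot be removed", current.Retention)
		}
		return []Action{ActionNoop}, nil
	}

	var actions []Action
	switch {
	case current.Retention == 0:
		actions = append(actions, ActionSetRetention)
	case current.Retention < desired.RetentionPeriod:
		actions = append(actions, ActionExtendRetention)
	case current.Retention > desired.RetentionPeriod:
		return nil, fmt.Errorf("refusing to reduce retention from %s to %s", current.Retention, desired.RetentionPeriod)
	}
	switch {
	case current.Locked && !desired.Locked:
		return nil, fmt.Errorf("retention policy is locked and cannot be unlocked")
	case desired.Locked && !current.Locked:
		actions = append(actions, ActionLock)
	}
	if len(actions) == 0 {
		actions = []Action{ActionNoop}
	}
	return actions, nil
}

func main() {
	desired := &ImmutabilityConfig{RetentionType: "bucket", RetentionPeriod: 96 * time.Hour, Locked: true}
	// Constructed observation: the bucket exists with a shorter, unlocked policy.
	current := &BucketState{Retention: 48 * time.Hour}
	actions, err := Plan(desired, current)
	fmt.Println(actions, err) // [extend-retention lock] <nil>
}
```

The ordering of the returned actions matters on GCP and Azure: the retention period must be set or extended before the policy is locked, because locking freezes the period as it is at that moment.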

Admission Validation Webhook

Implement a new admission webhook to validate changes to the immutability settings in the seed's backup configuration:

  • Once immutability settings are enabled, they cannot be disabled.
  • The retention period cannot be reduced once set.

This ensures that the immutability policy is consistently enforced and cannot be weakened after being configured, even by a user who is allowed to edit the Seed.
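The webhook receives the old and new Seed objects; the check it needs is a comparison of the two providerConfig payloads. The Go snippet below is an added example of that comparison, not code from Gardener or from a provider extension. The struct and JSON field names follow the YAML sketched above but are assumptions, and the local Duration type stands in for Kubernetes' metav1.Duration so the example has no dependencies. It adds one rule the issue does not state: once locked is true it cannot be set back to false, on the assumption that the cloud providers do not allow unlocking a locked retention policy, so accepting such an update would only produce a bucket that never reconciles.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Duration accepts the duration string form ("96h") used in the issue's YAML.
// Kubernetes' metav1.Duration does the same; a local type keeps this example
// dependency-free.
type Duration struct{ time.Duration }

func (d *Duration) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	v, err := time.ParseDuration(s)
	if err != nil {
		return err
	}
	d.Duration = v
	return nil
}

// BackupBucketConfig is the shape of seed.spec.backup.providerConfig sketched
// in the issue. Field names are assumed for this example.
type BackupBucketConfig struct {
	APIVersion   string              `json:"apiVersion"`
	Kind         string              `json:"kind"`
	Immutability *ImmutabilityConfig `json:"immutability,omitempty"`
}

type ImmutabilityConfig struct {
	RetentionType   string   `json:"retentionType"`
	RetentionPeriod Duration `json:"retentionPeriod"`
	Locked          bool     `json:"locked"`
}

// ValidateImmutabilityUpdate enforces the two rules from the issue (immutability
// cannot be disabled once enabled; the retention period cannot be reduced) plus
// the assumed rule that `locked` is one-way. old == nil means the stanza was
// absent before the update.
func ValidateImmutabilityUpdate(old, new *ImmutabilityConfig) error {
	if new != nil && new.RetentionPeriod.Duration <= 0 {
		return fmt.Errorf("immutability.retentionPeriod must be greater than zero")
	}
	if old == nil {
		return nil // enabling immutability for the first time is always allowed
	}
	if new == nil {
		return fmt.Errorf("immutability cannot be disabled once it has been set")
	}
	if new.RetentionPeriod.Duration < old.RetentionPeriod.Duration {
		return fmt.Errorf("immutability.retentionPeriod cannot be reduced from %s to %s",
			old.RetentionPeriod.Duration, new.RetentionPeriod.Duration)
	}
	if old.Locked && !new.Locked {
		return fmt.Errorf("immutability.locked cannot be reverted to false")
	}
	return nil
}

// ValidateProviderConfigUpdate is the entry point a webhook handler would call
// with the raw providerConfig bytes of the old and new Seed. An empty payload
// is treated as "no immutability configured".
func ValidateProviderConfigUpdate(oldRaw, newRaw []byte) error {
	oldCfg, err := decode(oldRaw)
	if err != nil {
		return fmt.Errorf("old providerConfig: %w", err)
	}
	newCfg, err := decode(newRaw)
	if err != nil {
		return fmt.Errorf("new providerConfig: %w", err)
	}
	return ValidateImmutabilityUpdate(oldCfg.Immutability, newCfg.Immutability)
}

func decode(raw []byte) (*BackupBucketConfig, error) {
	cfg := &BackupBucketConfig{}
	if len(raw) == 0 {
		return cfg, nil
	}
	if err := json.Unmarshal(raw, cfg); err != nil {
		return nil, err
	}
	if cfg.Kind != "BackupBucketConfig" {
		return nil, fmt.Errorf("unexpected kind %q", cfg.Kind)
	}
	return cfg, nil
}

func main() {
	// Constructed sample: an operator tries to shrink a locked 96h policy to 24h.
	oldRaw := []byte(`{"apiVersion":"gcp.provider.extensions.gardener.cloud/v1alpha1","kind":"BackupBucketConfig","immutability":{"retentionType":"bucket","retentionPeriod":"96h","locked":true}}`)
	newRaw := []byte(`{"apiVersion":"gcp.provider.extensions.gardener.cloud/v1alpha1","kind":"BackupBucketConfig","immutability":{"retentionType":"bucket","retentionPeriod":"24h","locked":true}}`)
	fmt.Println(ValidateProviderConfigUpdate(oldRaw, newRaw))
}
```

Because providerConfig is an opaque RawExtension to the Gardener API server, the comparison has to happen in the provider-specific webhook; a generic check on the Seed cannot know which fields carry the immutability settings. The zero-retention check also guards against a first-time enable that would create a bucket with a policy that protects nothing.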

Tasks:

Labels

  • area/backup (Backup related)
  • area/security (Security related)
  • kind/enhancement (Enhancement, improvement, extension)
  • kind/epic (Large multi-story topic)
  • priority/3 (Priority; lower number equals higher priority)
  • triage/accepted (Indicates an issue or PR is ready to be actively worked on)