request help: Support for grayscale scenes #399

Closed
pioneer-hash opened this issue Apr 22, 2021 · 2 comments

pioneer-hash commented Apr 22, 2021

Issue description

In a grayscale scenario, the grayscale upstream service and the production upstream service belong to different namespaces when switching environments. Routing configuration based on apisix-ingress-controller is now cumbersome: only one namespace can be specified in each route configuration file, and that namespace must be the same namespace as the services below. Can the namespace configuration be placed in each route for greater flexibility?
My needs are as follows:
Right now, this is all production-time configuration:

apiVersion: apisix.apache.org/v2alpha1
kind: ApisixRoute
metadata:
 name: test-cookie
 namespace: prod-namespace
spec:
 http:
 - name: rule1
   priority: 1
   match:
     paths:
       - /*
   backends:
     - serviceName: web3
       servicePort: 81
       weight: 70
     - serviceName: web2
       servicePort: 81
       weight: 30
 - name: rule2
   priority: 0
   match:
     paths:
       - /*
     exprs:
     - subject:
         scope: Cookie
         name: name
       op: Equal
       value: zhangsan
     - subject:
         scope: Header
         name: name
       op: NotEqual
       value: lisi
   backend:
     serviceName: web2
     servicePort: 81

But next time I need to switch the upstream of route rule2, and route rule2's current upstream service is in gray-namespace.
To do this, you have to split one configuration file into two YAML files.
One:

apiVersion: apisix.apache.org/v2alpha1
kind: ApisixRoute
metadata:
 name: test-cookie
 namespace: gray-namespace
spec:
 http:
 - name: rule1
   priority: 1
   match:
     paths:
       - /*
   backends:
     - serviceName: web3
       servicePort: 81
       weight: 70
     - serviceName: web2
       servicePort: 81
       weight: 30

Another:

apiVersion: apisix.apache.org/v2alpha1
kind: ApisixRoute
metadata:
 name: test-cookie-111
 namespace: prod-namespace
spec:
 http:
 - name: rule2
   priority: 0
   match:
     paths:
       - /*
     exprs:
     - subject:
         scope: Cookie
         name: name
       op: Equal
       value: zhangsan
     - subject:
         scope: Header
         name: name
       op: NotEqual
       value: lisi
   backend:
     serviceName: web2
     servicePort: 81

Environment

  • your apisix-ingress-controller version (output of apisix-ingress-controller version --long);
    apisix-ingress-controller version: 0.5.0
  • your Kubernetes cluster version (output of kubectl version);
  • if you run apisix-ingress-controller in Bare-metal environment, also show your OS version (uname -a).

tokers commented Apr 22, 2021

@pioneer-hash The reason we don't support cross-namespace references is that crossing namespaces might be the main cause of privilege escalation attacks. See kubernetes/kubernetes#17088.

For your case, you can still put them into one YAML file.

apiVersion: apisix.apache.org/v2alpha1
kind: ApisixRoute
metadata:
 name: test-cookie
 namespace: gray-namespace
spec:
 http:
 - name: rule1
   priority: 1
   match:
     paths:
       - /*
   backends:
     - serviceName: web3
       servicePort: 81
       weight: 70
     - serviceName: web2
       servicePort: 81
       weight: 30
---
apiVersion: apisix.apache.org/v2alpha1
kind: ApisixRoute
metadata:
 name: test-cookie-111
 namespace: prod-namespace
spec:
 http:
 - name: rule2
   priority: 0
   match:
     paths:
       - /*
     exprs:
     - subject:
         scope: Cookie
         name: name
       op: Equal
       value: zhangsan
     - subject:
         scope: Header
         name: name
       op: NotEqual
       value: lisi
   backend:
     serviceName: web2
     servicePort: 81
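
The same-namespace rule from the reply above, written out as a check (an added example, not part of the thread and not the controller's own code). The `Backend`, `Route` and `Inventory` types, the per-backend `Namespace` field the issue asks for, the `crossing` route and the Service inventory are all constructed for illustration.

```go
package main

import "fmt"

// Simplified stand-ins for the ApisixRoute fields used in this thread
// (hypothetical types, not the controller's own).
type Backend struct {
	Namespace   string // hypothetical per-backend namespace, as the issue requests
	ServiceName string
	ServicePort int
}

type Route struct {
	Namespace, Name string
	Backends        []Backend
}

// Inventory lists existing Services as "namespace/name" (constructed data).
type Inventory map[string]bool

// Validate resolves every backend inside the route's own namespace and
// returns one finding per backend that crosses a namespace or is missing.
func Validate(r Route, inv Inventory) []string {
	var findings []string
	for _, b := range r.Backends {
		if b.Namespace != "" && b.Namespace != r.Namespace {
			// Whoever may write routes in r.Namespace must not be able to
			// steer traffic to Services owned by another namespace.
			findings = append(findings, fmt.Sprintf("%s/%s: cross-namespace backend %s/%s rejected",
				r.Namespace, r.Name, b.Namespace, b.ServiceName))
			continue
		}
		if key := r.Namespace + "/" + b.ServiceName; !inv[key] {
			findings = append(findings, fmt.Sprintf("%s/%s: Service %s not found", r.Namespace, r.Name, key))
		}
	}
	return findings
}

func main() {
	inv := Inventory{"gray-namespace/web2": true, "prod-namespace/web2": true, "prod-namespace/web3": true}
	routes := []Route{
		{"gray-namespace", "test-cookie", []Backend{{"", "web3", 81}, {"", "web2", 81}}},
		{"prod-namespace", "test-cookie-111", []Backend{{"", "web2", 81}}},
		{"prod-namespace", "crossing", []Backend{{"gray-namespace", "web2", 81}}},
	}
	for _, r := range routes {
		fmt.Println(r.Name, Validate(r, inv))
	}
}
```

With this constructed inventory, the `gray-namespace` route is flagged because `web3` exists only in `prod-namespace`: splitting a route per namespace means every backend it names must exist in that namespace.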

@pioneer-hash

Thanks for your answer

tokers closed this as completed Apr 22, 2021