New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cross-namespace Ingress #17088
Comments
Nope, not allowing this was a conscious decision (but one that I can be convinced against). Can you describe your use case? The beta model partitions users on namespace boundaries and disallows service sharing across namespaces. You might argue that you want a single loadbalancer for the entire cluster, to which I ask, what is in the namespaces? i.e why not use 1 namespace if you want to allow sharing. |
@bprashanth I'm running multiple projects on a cluster - kubernetes tests, blog, API for a project. I want to address these as subdomains on my domain using a single ingress controller because load balancers and IP addresses are expensive on GCE. |
It was intentionally avoided. Cross namespace references would be a prime source of privilege escalation attacks. cc @kubernetes/kube-iam |
I'll close this for now, makes sense. |
FWIW you can set up a Service in namespace X with no selector and a On Thu, Nov 12, 2015 at 5:14 PM, Jordan Liggitt notifications@github.com
|
I would tend to imagine the use case that @paralin described is common. I'm looking at an ingress controller as a system component and a means of reflecting any service in the cluster to the outside world. Running one (perhaps even in the |
That depends on what you have in your namespaces right (which is why i asked for clarification)? Isn't it only risky IFF you're partitioning users across a namespace security boundry? |
There seems to be demand for cross namespace ingress x service resolution. We should at least reconsider. |
I think we want some kind of admission controller which does:
Then, to modify an ingress you have to have and owner-like permission on all the services it targets. |
Might be good to revisit this now in 2016 :) |
@kubernetes/kube-iam thoughts/volunteers to implement an admission controller? Do we authorize based on the user field of a request today or is that unprecedented? |
I think I'd want some record or indication of the cross-namespace relationship to exist, so the targeted service could know it was exposed. I want to avoid the scenario where someone had access to a service (legitimately or otherwise), set up ingress from other namespaces, then had their access removed and continued accessing the services without the service owner's awareness.
The authorization layer is based on the user info on a request. This would be the first objectref authorization I know of. |
@liggitt's raises some good concerns. I broke them down into two cases when thinking about them.
|
Is this moving into the topic of micro-segmentation and access policy? On Wed, Jan 20, 2016 at 2:19 PM, Eric Tune notifications@github.com wrote:
|
yes. |
The two main models proposed for network segmentation are:
On Thu, Jan 21, 2016 at 11:52 PM, Tim Hockin notifications@github.com
|
@thockin what issue does one go to to learn more and comment? |
It's being discussed in the network SIG mailing list as we haggle over Start here: https://docs.google.com/document/d/1_w77-zG_Xj0zYvEMfQZTQ-wPP4kXkpGD8smVtW_qqWM/edit One proposal: https://docs.google.com/document/d/1_w77-zG_Xj0zYvEMfQZTQ-wPP4kXkpGD8smVtW_qqWM/edit Another is in email: https://groups.google.com/forum/#!topic/kubernetes-sig-network/Zcxl0lfGYLY On Fri, Jan 22, 2016 at 12:46 PM, Eric Tune notifications@github.com
|
Talked to @thockin and @bprashanth |
This would be a nice feature to have. For example, if you want a pseudo multi-tenant solution - with each tenant running in a separate namespace. The ingress could do hostname based routing to the right backend namespace. ${tenant}.example.com -> service "foo" in namespace ${tenant} I suppose one can do this today on GKE, but I gather you end up with one HTTP load balancer per namespace - which could get quite expensive and seems unnecessary. |
By design k8s ingress is only designed to ballance services from within the namespace of the ingress. This is disscuessed a little in kubernetes/kubernetes#17088. For now traefik should only reference the services in the current namespace. For me this was a confusing change of behaviour from the reference implimentations, as I have services with the same name in each namespace.
This limitation throws a big wrench in how my company was planning to use ingresses. Our use case is running multiple copies of the same application stack at different versions, and to keep the stacks isolated from each other, we use namespaces. We'd planned to run a single ingress controller that knows how to determine which applications and versions of those applications by the subdomain of the incoming requests. The reason for using namespaces for isolating these stacks are:
See my unanswered Stack Overflow question, Kubernetes services for different application tracks, for more details on our use case. Our ingress controller is exposed to the outside world via NodePort (80 and 443), and we have an ELB in AWS pointing at the whole cluster. With the namespace restriction for ingresses, we'd need one ingress controller per namespace and there would be no way to have a single ELB forwarding ports 80 and 443 to the cluster. |
Is there currently a solution or workaround availble that works on GKE?
|
Using Istio allows you this kind of things (among others). You can create a "selector-less" service in your Ingress namespace and point your ingress on it. Then, you create a VirtualService that can point to another namespace service. |
@spenceclark EDIT: I managed to describe the behaviour you described by creating an ingress per workspace and tieing to the same host, i.e. AWS ELB dns name. It somehow works. |
Just wanted to +1 implementing this. It would be great if we could use one load balancer/ingress to point to services in different namespaces to isolate the versions, but use one TLS cert, one DNS record, etc on the load balancer. It could even require an annotation like |
On Azure, k8s 1.18, single node in case it matters (this is my 'test ideas out' cluster). in my
I didn't define specific http.paths here in the 'parent' Ingress resource, since it feels more like a concern of the individual service, not the whole ingress. Meanwhile over in the default namespace:
service2:
|
+1 on this. In our case, we separate our environments in different namespaces, each one having its own Ingress. We wanted to transparently redirect to a unique service instance (an IAM) used by all of these environments, by adding rules in each Ingress config, but it turns out ExternalName services are not accepted as targets so we can't. I don't see any obvious solution: IAM service itself is in another namespace so we can't reference it from our Ingresses in other namespaces, ExternalName is not accepted so this trickery (changing our IAM access service from NodePort to ExternalName) is also a no-no, we are just stuck on this issue right now. I read some messages about implementing a "bridge" service, referencing the target ClusterIp of a sevice in another namespace but does this actually work? Has anyone succeeded and if so, how? I'm puzzled. |
@cfecherolle You just need to deploy an ingress and service on a namespace where the service is configured as ExternalName to the service in the other namespace |
Hi @carlosjgp. |
I am not sure if the issue is satisfactorily resolved, in which cases does the externalname trick actually work? Using headless endpoint service
This solution doesn't work (times out) due to kube-proxy not supporting virtualIP (according to docs) and this works if i put the pod ip but obviously not an acceptable solution. Using externalname service (as suggested in above response)
This causes connection refused errors when accesed checks-service-integration-service.NAMESPACEA.svc.cluster.local. Thanks! |
@SpectralHiss were you able to get it to work? |
I would have thought this would have been supported, for blue-green setups using two namespaces... |
I want to suggest a trick for anyone stuck trying to figure out how to route across namespaces, you can deploy an nginx pod or few of them, with config map that has upstream addresses defined manually if your namespaces have known names in advance. but if you're about to also scale namespaces (adding more and removing) then making this config map update itself with a script will be required, and also reload the config in nginxs (dispatch an 'exec' with reload command or smth like that). I'm about to try that but so far seems like the most straightforward solution because k8s internal resources do not support load balancing across namespaces so we have no choice but hack our way manually :) . it's a bad architecture design though, this should not really happen in production (we do it for a quick experiment, but such thing would never go to production lol, it's just awful design for microservices infra)
|
On AWS I use a single network load balancer for a LOT of ingress and services in different name-spaces, one single nginx controller can handle multiple ingresses on different name-spaces normally |
yes but the thread is about ingress rules ability to instruct the ingress-controller about where to route the requests following a rule. at the moment it's impossible to specify inside ingress rule a target service endpoint or name from another namespace (where this ingress rule does not reside). and ingress rules are namespace scoped resources (not global), so this kind of instruction is not possible in them (with no regards of what the ingress-controller can or cannot do :) I hope it clarifies what the thread was about, but thanks for chiming in, a single nginx and aws LBs definitely can be used for a lot of namespaces and very large clusters, that is correct). |
As far as I can tell right now it's only possible to create an ingress to address services inside the namespace in which the Ingress resides. It would be good to be able to address services in any namespace.
It's possible that I'm missing something and this is already possible - if so it'd be great if this was documented.
The text was updated successfully, but these errors were encountered: