Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add namespace attribute on IngressRouteTCP service #6085

Merged
merged 2 commits into from Jan 14, 2020
Merged

Add namespace attribute on IngressRouteTCP service #6085

merged 2 commits into from Jan 14, 2020

Conversation

jbdoumenjou
Copy link
Member

What does this PR do?

Add a namespace attribute on IngressRouteTCP service.

Motivation

Allow to specify a namespace to reference a Kubernetes service from IngressRouteTCP.

More

  • Added/updated tests
  • Added/updated documentation

@jbdoumenjou jbdoumenjou added this to To review in v2 via automation Dec 23, 2019
@jbdoumenjou jbdoumenjou added this to the next milestone Dec 23, 2019
juliens
juliens approved these changes Dec 26, 2019
View reviewed changes
Copy link
Member

@juliens juliens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dtomcej
Copy link
Contributor

dtomcej commented Jan 6, 2020

Cross namespace referencing is discouraged due to fishing, and security/accountability reasons.

Is there a use case where an IngressRouteTCP could not be created in the target namespace?

Also, this does not take into account that the target namespace may not be watched/allowed via RBAC, and the informers may not be up to date with the endpoints...

@dduportal
Copy link
Contributor

There is a long dicussion in Kubernetes tracker about this if you want to deep dive the subject: kubernetes/kubernetes#17088 .

Nginx usage for solving this is interesting though: they have the concept of "merged Ingress": https://github.com/nginxinc/kubernetes-ingress/tree/master/examples-of-custom-resources/cross-namespace-configuration .

@dtomcej
Copy link
Contributor

dtomcej commented Jan 6, 2020
edited

I think that if this was enabled by a feature flag, it would be fine.

--provider.kubernetescrd.crossnamespacereferences=true with a default of false would be enough.

It would keep the current behavior, and allow the defaults to be secure, and allow users to allow references if required. This would require users to explicitly allow cross references, and would be unlikely to complain of the risks of enabling it explicitly.

This could be implemented to the ingressRoute and ingressRouteTCP crds IMO if that feature flag were implemented.

@ldez
Copy link
Member

ldez commented Jan 7, 2020

The namespace is already available for the services in IngressRoute, so we cannot introduce the option with the expected behavior without breaking.

dtomcej
dtomcej approved these changes Jan 7, 2020
View reviewed changes
Copy link
Contributor

@dtomcej dtomcej left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
:shipit:

@mpl
Copy link
Collaborator

mpl commented Jan 13, 2020

LGTM after formatting fix.

@traefiker traefiker merged commit 4f52691 into traefik:master Jan 14, 2020
v2 automation moved this from To review to Done Jan 14, 2020
@jbdoumenjou jbdoumenjou deleted the feature/k8s-service-ns branch February 20, 2020 08:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juliens juliens juliens approved these changes

@mpl mpl mpl approved these changes

@dtomcej dtomcej dtomcej approved these changes

Assignees
No one assigned
Labels
area/provider/k8s/crd area/provider/k8s kind/enhancement a new or improved feature. size/M
Projects
No open projects
v2
Done
Milestone
2.2
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@jbdoumenjou @dtomcej @dduportal @ldez @mpl @juliens @traefiker