Closed evilrussianhacker closed 4 years ago
Hey @evilrussianhacker, have we met before? You seem familiar.
Ingress host collisions are certainly an issue. We should build a policy to prevent this.
My first thought is that the policy should read a cluster's current ingresses to build a cache during instantiation, and then update that cache based on resource changes that come into the ValidationWebhook. It could reject any Ingress update or create that matches the host of a different Ingress in the cache.
This would be a good change to introduce into the Ingress controller itself too.
I'm going to update the issue title so that others can find the issue more easily.
Hello,
Evil Russian hacker here.
When I hack, if I hack into person with k8 ingress control access, I can hack traffic into cluster to go to my namespace, instead of original namespace.
Preventing hosts from jumping namespaces after creation could prevent this type of hacking. K-rail could do this, but this would make my hacking life harder.
-ERH
I am a big Russian bear. Whimsical and cozy.
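The host-collision check proposed in the reply above (seed a cache from the cluster's current Ingresses, then reject any create or update whose host belongs to a different Ingress), which also stops a host from moving to another namespace as the original post asks, sketched as an added example; it is not part of the thread and not K-rail's code. The `Ingress` struct, `HostCache`, `NewHostCache` and `Admit` are hypothetical names, and the cache is a plain in-memory map rather than a real webhook handler.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Ingress is a simplified stand-in for a Kubernetes Ingress (assumption).
type Ingress struct {
	Namespace, Name string
	Hosts           []string
}
func (i Ingress) key() string { return i.Namespace + "/" + i.Name }

// HostCache records which Ingress (namespace/name) owns each lowercased host.
type HostCache struct {
	mu    sync.Mutex
	owner map[string]string
}

// NewHostCache seeds the cache from the Ingresses already in the cluster.
func NewHostCache(existing []Ingress) *HostCache {
	c := &HostCache{owner: map[string]string{}}
	for _, ing := range existing {
		_ = c.Admit(ing) // on an existing collision the first claimant keeps the host
	}
	return c
}

// Admit rejects a create/update whose host belongs to a different Ingress.
func (c *HostCache) Admit(ing Ingress) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	for _, h := range ing.Hosts { // check every host before changing the cache
		if o, ok := c.owner[strings.ToLower(h)]; ok && o != ing.key() {
			return fmt.Errorf("host %q already claimed by Ingress %s", h, o)
		}
	}
	for h, o := range c.owner { // release hosts this Ingress no longer lists
		if o == ing.key() {
			delete(c.owner, h)
		}
	}
	for _, h := range ing.Hosts {
		c.owner[strings.ToLower(h)] = ing.key()
	}
	return nil
}
```

Hosts are compared case-insensitively because DNS names are, and a rejected request leaves the cache untouched. A real policy would also need to drop an Ingress's hosts when it is deleted.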