kfox1111
commented
7 years ago needs to be optional though.
Closed jon-shanks closed 7 years ago
kfox1111
commented
7 years ago needs to be optional though.
jon-shanks
commented
7 years ago yep, exactly, essentially if it was enabled, it would validate the domain used for that namespace, also has a corresponding annotation on the namespace itself. It's more to put constraints around the service really, (optionally).
pieterlange
commented
7 years ago This will (probably) eventually be solved with Ingress claims (like volume claims). Until then you can use Ingress classes. Some more context:
jon-shanks
commented
7 years ago I'm not quite sure that achieves what we were looking for. This would mean we need to run multiple ingress controllers for each domain, defining a domain at the ingress.class level. What we really want is one ingress that is shared but to affiliate some logic to the namespace that the ingress can validate.
Also if a project defines the claim, then they in theory could just claim that domain is theirs, you'd have no way of validating the authenticity of whether someone could or couldn't use that domain for that namespace in that multitenancy approach, once the DNS was pointing to the same cluster.
aledbf
commented
7 years ago Closing. This must be defined in the ingress spec. There is nothing we can do in a particular ingress controller. Please check the loadbalancer claim https://docs.google.com/document/d/1Kj9OcTQdERZgNkZhdDxnQeT-TI4DLqqg62lShnboT6s/edit?usp=sharing
Not sure on others thoughts on this. But it would be good to be able to control somehow, (though may break the model and hence could be a feature flag), limiting what namespaces are responsible for which domains.
If your cluster is being used in some form of mult-tenancy way i.e. lots of projects self-serving, there is a risk that another service, could in theory, deploy an ingress for another service's domain. As the DNS is already pointing to the cluster.
Also it's possible to redirect a service location to your service, depending on the order i.e. /admin now goes to some pods that are not hosted in the namespace you'd expect for that service.
We are thinking of extending the ingress controller with a feature domain_validation, to check the annotations of a namespace to see if there are listed domains that namespace can use. This would prevent other services either accidentally or deliberately using domains they shouldn't.