kubeslice / worker-operator

Kubeslice Worker Operator Opensource Repository: The KubeSlice Worker Operator is a Kubernetes operator that manages the lifecycle of KubeSlice worker clusters.
Apache License 2.0

Reject conflicting alias names for exported services #315

Closed bharath-avesha closed 1 month ago

bharath-avesha commented 9 months ago

📜 Description

A service can be exported over the slice network by creating a ServiceExport object. Such services are accessible through the slice FQDN: ..svc.slice.local. But the users can choose to use a different FQDN by adding alias names to the ServiceExport object. Currently, there is no validation of the alias names. We cannot have conflicting alias names, in the sense that the user should not be allowed to set the same alias name on different services.

👟 Reproduction steps

Export two services by creating ServiceExport objects. Set the same alias names on both the ServiceExport objects.

The DNS resolution of the exported service names will point to incorrect addresses. Service S1 resolution could result in endpoint IP addresses belonging to Service S2.

👍 Expected behavior

The alias names need to be validated and admission of ServiceExport objects with conflicting alias names should be rejected.

👎 Actual Behavior

ServiceExport objects for different services but with the same alias names are allowed to be created.

🐚 Relevant log output

No response

Version

No response

🖥️ What operating system are you seeing the problem on?

No response

✅ Proposed Solution

No response

👀 Have you spent some time to check if this issue has been raised before?

Code of Conduct

soharab-ic commented 4 months ago

I am researching the issue and will come up with an approach soon. Can you please assign this to me?

narmidm commented 4 months ago

I am happy to assign this issue to you @soharab-ic, please let us know if you require any help.

soharab-ic commented 4 months ago

A High-Level Approach to Resolve the Issue

  1. Implement a validating webhook for ServiceExport object (slice/reconciler.go) for create, update, patch verbs.
  2. The Webhook will fetch all the existing ServiceExport objects in the namespace. Write a utility function GetAllServiceExport.
  3. Verify the alias names in spec.aliases field of the ServiceExport object do not have conflicting names with other existing ServiceExport objects in the same namespace.
  4. Allow the request if there is no such conflict otherwise deny the request.
  5. Write the relevant test cases as well.

@narmidm @bharath-avesha Please take a look.

bharath-avesha commented 4 months ago

@soharab-ic the approach looks good. Only correction is: On point 3, you will have to look for all service export objects for the slice, not just the same namespace. You could use the namespace labels added by worker-operator to get all namespaces belonging to the slice.
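A sketch of the conflict check discussed in this thread, including the slice-wide scope from the comment above. This is an added example, not code from the worker-operator repository: the `ServiceExport` struct is a hypothetical trimmed-down stand-in for the real CRD type, `ValidateAliases` and `normalize` are illustrative names, and the caller is assumed to have already listed ServiceExports from every namespace belonging to the slice. It also goes slightly beyond the thread by comparing names case-insensitively and rejecting repeats within one object.

```go
package main

import (
	"fmt"
	"strings"
)

// ServiceExport is a hypothetical, trimmed-down stand-in for the real CRD type.
type ServiceExport struct {
	Namespace, Name, Slice string
	Aliases                []string
}

// normalize folds case and drops a trailing dot: DNS names compare case-insensitively.
func normalize(alias string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(alias)), ".")
}

// ValidateAliases rejects aliases already claimed elsewhere in the slice or repeated.
func ValidateAliases(candidate ServiceExport, existing []ServiceExport) error {
	owner := map[string]string{}
	for _, se := range existing {
		// Skip other slices, and skip the stored copy of the object being updated.
		if se.Slice != candidate.Slice || (se.Namespace == candidate.Namespace && se.Name == candidate.Name) {
			continue
		}
		for _, a := range se.Aliases {
			owner[normalize(a)] = se.Namespace + "/" + se.Name
		}
	}
	seen := map[string]bool{}
	for _, a := range candidate.Aliases {
		key := normalize(a)
		if o, taken := owner[key]; taken {
			return fmt.Errorf("alias %q is already used by ServiceExport %s", a, o)
		}
		if seen[key] {
			return fmt.Errorf("alias %q is listed more than once", a)
		}
		seen[key] = true
	}
	return nil
}

func main() { // constructed sample data: S2 in another namespace reuses S1's alias
	existing := []ServiceExport{{"ns-a", "s1", "blue", []string{"db.example.internal"}}}
	s2 := ServiceExport{"ns-b", "s2", "blue", []string{"DB.example.internal."}}
	fmt.Println(ValidateAliases(s2, existing))
}
```

In an admission webhook the returned error would become the denial message; skipping the object's own stored copy is what lets update and patch requests keep their existing aliases.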

soharab-ic commented 4 months ago

Thanks for the feedback @bharath-avesha