projectcontour / contour

Contour is a Kubernetes ingress controller using Envoy proxy.
https://projectcontour.io
Apache License 2.0
3.71k stars 672 forks

Gatekeeper config for ExternalName Service hostname allowlist #3925

Closed youngnick closed 1 year ago

youngnick commented 3 years ago

As part of fixing a CVE, we have changed Contour to disallow ExternalName type Services by default. However, some users are already using ExternalName services, and would like a way to do this more safely.

We are considering a number of options, but adding example Gatekeeper config to allow a list of (possibly wildcarded) hostnames would go a long way to helping mitigate both the above CVE (localhost access), and the upstream Kubernetes CVE (kubernetes/kubernetes#103675), about using ExternalName Services to expose Services across namespace boundaries.

Ideally, you'd be able to pass a list of hostnames, some with glob-style wildcards:

allowedExternalNames:
  - s3bucket.aws.com
  - *.example.com

And have only hostnames that matched that list be accepted. Because Gatekeeper is an admission controller, non-valid Services would be rejected at apply-time, which is probably a better UX than having Contour reject them and drop something in a log that the Service owner won't be able to see.
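The following is an added example of the Gatekeeper config described in the comment above; it is not code from the Contour project or from the issue author. It assumes Gatekeeper is installed in the cluster, and the template name `K8sAllowedExternalNames`, the parameter name `allowedExternalNames`, and the constraint name `externalname-allowlist` are all illustrative choices. The Rego checks `spec.externalName` on any `Service` of type `ExternalName` against the allowlist, using Rego's built-in `glob.match` with `.` as the delimiter so that `*` matches exactly one DNS label (`*.example.com` matches `api.example.com` but not `a.b.example.com`, and never a bare `localhost`); the hostname is lowercased and a trailing dot is stripped before matching.

```yaml
# Added example ConstraintTemplate + Constraint (not Contour project code).
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedexternalnames        # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedExternalNames  # assumed kind
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedExternalNames:      # list of exact hostnames or single-label globs
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedexternalnames

        # Deny any ExternalName Service whose spec.externalName is not allowlisted.
        violation[{"msg": msg}] {
          input.review.object.kind == "Service"
          input.review.object.spec.type == "ExternalName"
          raw := input.review.object.spec.externalName
          name := normalize(raw)
          not allowed(name)
          msg := sprintf("Service %s/%s: ExternalName %q is not in allowedExternalNames",
                         [input.review.object.metadata.namespace,
                          input.review.object.metadata.name, raw])
        }

        # Lowercase and drop a trailing dot (FQDN form) so "Foo.Example.COM." still matches.
        normalize(h) = lower(trim_suffix(h, "."))

        # A hostname is allowed if it matches any pattern; "." is the glob delimiter,
        # so "*" spans a single DNS label and cannot match across label boundaries.
        allowed(name) {
          pattern := lower(input.parameters.allowedExternalNames[_])
          glob.match(pattern, ["."], name)
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedExternalNames
metadata:
  name: externalname-allowlist         # assumed name
spec:
  enforcementAction: deny              # reject at apply-time, as the comment above proposes
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
  parameters:
    allowedExternalNames:
      - s3bucket.aws.com
      - "*.example.com"                # quoted: a bare "*" is not valid YAML
```

With this applied, `kubectl apply` of an ExternalName Service pointing at `localhost`, `127.0.0.1`, or `other-svc.other-ns.svc.cluster.local` is rejected by the API server with the violation message, so the Service owner sees the failure directly rather than in Contour's logs. If subdomain-spanning wildcards are genuinely needed, `**` with the same delimiter matches across labels, but the single-label `*` is the safer default for an allowlist meant to keep ExternalName Services off the cluster's own DNS names.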

github-actions[bot] commented 1 year ago

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

You can:

Please send feedback to the #contour channel in the Kubernetes Slack
