admission-control: validate that Ingress and RouteGroup hosts in hosted zone domain #8436
base: dev
Force-pushed from 8cb970f to 91154d2
@@ -0,0 +1,56 @@ | |||
# {{ if or (eq .Cluster.ConfigItems.ingresses_validation "enabled") (eq .Cluster.ConfigItems.routegroups_validation "enabled") }} | |||
# {{ $hosted_zone_parent_domain := slice (split .Values.hosted_zone ".") 1 | join "." }} |
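Review bot: the derivation in `{{ $hosted_zone_parent_domain := slice (split .Values.hosted_zone ".") 1 | join "." }}` drops exactly one label and never checks that `.Values.hosted_zone` has at least two labels, so a single-label value renders an empty parent domain and a deeper zone such as a.foo.bar.test gets foo.bar.test as its parent rather than bar.test; either document the expected three-level shape of `.Values.hosted_zone` next to the template or guard the short case before the policies are rendered.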
This assumes `.Values.hosted_zone` is a three-level domain like `foo.bar.test`
Force-pushed from eb927a5 to 3ae69ac
…ed zone domain

Add ValidatingAdmissionPolicies that validates Ingress and RouteGroup hosts from hosted zone parent domain are in hosted zone domain. E.g. for hosted zone `foo.bar.test` its parent domain is `bar.test` and therefore Ingress and RouteGroup hosts from `bar.test` domain must also be in `foo.bar.test` domain.

Signed-off-by: Alexander Yastrebov <[email protected]>
Force-pushed from 3ae69ac to 2348432
@@ -0,0 +1,93 @@ | |||
# {{ $hosted_zone_parent_domain := slice (split .Values.hosted_zone ".") 1 | join "." }} | |||
|
|||
# {{ if eq .Cluster.ConfigItems.ingresses_validation "enabled" }} |
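Review bot: `$hosted_zone_parent_domain` is now computed unconditionally from the single `.Values.hosted_zone` (the `# {{ $hosted_zone_parent_domain := slice (split .Values.hosted_zone ".") 1 | join "." }}` line), so in a cluster with two hosted zones under one parent, say foo.bar.test and qux.bar.test, the policies rendered for foo.bar.test reject every host in qux.bar.test; consider taking a list of hosted zones, or at least state the one-zone-per-parent assumption where `.Values.hosted_zone` is documented, and since the policies sit behind the `ingresses_validation` / `routegroups_validation` toggles, an e2e test that submits one host inside the zone and one directly under the parent domain would pin the behaviour down.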
Do we need another new config to toggle these policies off?
Maybe this stuff deserves an e2e test?
There could be multiple hosted zones (e.g. foo.bar.test and qux.bar.test) in the same cluster using the same parent domain (bar.test) so this validation logic will not accept *.qux.bar.test because it only accepts *.foo.bar.test
Add ValidatingAdmissionPolicy that validates Ingress and RouteGroup hosts from hosted zone parent domain are in hosted zone domain.

E.g. for hosted zone `foo.bar.test` its parent domain is `bar.test` and therefore Ingress and RouteGroup hosts from `bar.test` domain must also be in `foo.bar.test` domain.
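The rule from the description, written out in Go as an added example (not code from this PR or from the kubernetes-on-aws project), generalised to several hosted zones that share one parent domain, which is the case the review comment about foo.bar.test and qux.bar.test raises. The zone names are constructed; the parent-domain derivation mirrors the template's `slice (split .Values.hosted_zone ".") 1 | join "."` but guards the short-zone case, and the domain comparison is label-aware so that foobar.test is not mistaken for a host under bar.test.

```go
package main

import (
	"fmt"
	"strings"
)

// parentDomain strips the leftmost label, like the template's
// `slice (split .Values.hosted_zone ".") 1 | join "."`, but reports
// ok=false for a zone with fewer than two labels (unguarded in the template).
func parentDomain(zone string) (string, bool) {
	labels := strings.Split(strings.TrimSuffix(zone, "."), ".")
	if len(labels) < 2 {
		return "", false
	}
	return strings.Join(labels[1:], "."), true
}

// inDomain is a label-aware suffix check: "foobar.test" is not inside "bar.test".
func inDomain(host, domain string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	domain = strings.TrimSuffix(strings.ToLower(domain), ".")
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// HostAllowed applies the PR description's rule: a host under a hosted zone's
// parent domain must be inside one of the hosted zones; other hosts pass.
func HostAllowed(host string, hostedZones []string) bool {
	underParent := false
	for _, zone := range hostedZones {
		parent, ok := parentDomain(zone)
		if !ok {
			continue // single-label zone has no parent to police
		}
		if inDomain(host, parent) {
			underParent = true
			if inDomain(host, zone) {
				return true
			}
		}
	}
	return !underParent
}

func main() {
	zones := []string{"foo.bar.test", "qux.bar.test"} // constructed example zones
	for _, h := range []string{"app.foo.bar.test", "app.qux.bar.test", "app.bar.test", "foobar.test"} {
		fmt.Printf("%-18s allowed=%v\n", h, HostAllowed(h, zones))
	}
}
```

With only foo.bar.test configured, `HostAllowed("app.qux.bar.test", ...)` returns false, which is exactly the rejection the multi-zone comment describes.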