Safely allowing cross namespace references


Rob Scott

Sep 13, 2021, 3:54:38 PM
to kubernete...@googlegroups.com, Tim Hockin
Hey sig-auth,

I wanted to get your feedback on a design we have added to Gateway API that will enable some cross namespace references. In our case, we have a common scenario where users want to configure their load balancing infrastructure in an infra namespace and use that to route to apps in different namespaces.

To accomplish this safely, we introduced a handshake mechanism. One side of that handshake is a direct object reference to a resource in a different namespace. The other side of that handshake is a ReferencePolicy in the target namespace. Users can create ReferencePolicy resources in namespaces they control to allow references from other namespaces.

Each ReferencePolicy has 2 sections - from (group, kind, namespace), and to (group, kind). This lets a user allow references from Routes in an infra namespace to Services in their local namespace.

We've received feedback that this pattern could be useful beyond just Gateway API. For example, the Storage Bucket KEP could also use a resource like this. 

I've added this topic to the agenda for this week's sig-auth community meeting, but thought this email might help to get the discussion going.

Thanks!

Rob
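The two-sided handshake described above, written out as the deny-by-default check a controller would run before honouring a reference. This is an added example, not Gateway API's own code; the type names, field layout and the group/kind strings are assumptions modelled on the from (group, kind, namespace) and to (group, kind) sections described in the message.

```go
package main

// ObjectRef is the referring side of the handshake: a direct object reference across namespaces.
type ObjectRef struct {
	FromGroup, FromKind, FromNamespace   string // the object holding the reference
	ToGroup, ToKind, ToNamespace, ToName string // the referenced object
}

// ReferenceFrom and ReferenceTo mirror the two sections described in the
// thread: from (group, kind, namespace) and to (group, kind).
type ReferenceFrom struct{ Group, Kind, Namespace string }
type ReferenceTo struct{ Group, Kind string }

// ReferencePolicy is the consenting side; only one living in the target namespace counts.
type ReferencePolicy struct {
	Namespace string
	From      []ReferenceFrom
	To        []ReferenceTo
}

// allows reports whether this policy grants ref: it must sit in the target
// namespace and have a matching entry in both From and To.
func (p ReferencePolicy) allows(ref ObjectRef) bool {
	if p.Namespace != ref.ToNamespace {
		return false
	}
	fromOK, toOK := false, false
	for _, f := range p.From {
		fromOK = fromOK || (f.Group == ref.FromGroup && f.Kind == ref.FromKind && f.Namespace == ref.FromNamespace)
	}
	for _, t := range p.To {
		toOK = toOK || (t.Group == ref.ToGroup && t.Kind == ref.ToKind)
	}
	return fromOK && toOK
}

// ReferenceAllowed is the deny-by-default check a controller runs before
// honouring a reference: same-namespace references need no policy, any
// cross-namespace reference needs a ReferencePolicy in the target namespace.
func ReferenceAllowed(ref ObjectRef, policies []ReferencePolicy) bool {
	if ref.FromNamespace == ref.ToNamespace {
		return true
	}
	for _, p := range policies {
		if p.allows(ref) {
			return true
		}
	}
	return false
}
```

The important property is that the policy must exist in the namespace being referenced, so a policy created in the referring (infra) namespace grants nothing.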


Tim Hockin

Sep 13, 2021, 11:35:53 PM
to Rob Scott, kubernetes-sig-auth
Another example would be cross-namespace secrets - it has been asked a hundred times.

Another example would be cross-namespace Ingress - which was a CVE not too long ago.

In short, this keeps coming up, and I would like to see a consistent answer to it. Namespace is a 95% perfect solution. The other 5% is fraught.

This approach doesn't seem awful to me, but I am not an expert in this area at all, and I can't say what other models might work as well or better.

Looking forward to a consult :)

Tim 

Tasha Drew

Sep 14, 2021, 6:36:04 PM
to Tim Hockin, kubernetes-wg-multitenancy, Rob Scott, kubernetes-sig-auth
Adding the @kubernetes-wg-multitenancy to the thread, good convo
