Re: Safely allowing cross namespace references


Tasha Drew

Sep 14, 2021, 6:36:04 PM
to Tim Hockin, kubernetes-wg-multitenancy, Rob Scott, kubernetes-sig-auth
Adding the @kubernetes-wg-multitenancy to the thread, good convo

On Mon, Sep 13, 2021 at 8:35 PM 'Tim Hockin' via kubernetes-sig-auth <kubernete...@googlegroups.com> wrote:
Another example would be cross-namespace secrets - it has been asked a hundred times.

Another example would be cross-namespace Ingress - which was a CVE not too long ago.

In short, this keeps coming up, and I would like to see a consistent answer to it. Namespace is a 95% perfect solution. The other 5% is fraught.

This approach doesn't seem awful to me, but I am not an expert in this area at all, and I can't say what other models might work as well or better.

Looking forward to a consult :)

Tim 

On Mon, Sep 13, 2021, 12:10 PM Rob Scott <robert...@google.com> wrote:
Hey sig-auth,

I wanted to get your feedback on a design we have added to Gateway API that will enable some cross namespace references. In our case, we have a common scenario where users want to configure their load balancing infrastructure in an infra namespace and use that to route to apps in different namespaces.

To accomplish this safely, we introduced a handshake mechanism. One side of that handshake is a direct object reference to a resource in a different namespace. The other side of that handshake is a ReferencePolicy in the target namespace. Users can create ReferencePolicy resources in namespaces they control to allow references from other namespaces.

Each ReferencePolicy has 2 sections - from (group, kind, namespace), and to (group, kind). This lets a user allow references from Routes in an infra namespace to Services in their local namespace.

We've received feedback that this pattern could be useful beyond just Gateway API. For example, the Storage Bucket KEP could also use a resource like this. 

I've added this topic to the agenda for this week's sig-auth community meeting, but thought this email might help to get the discussion going.

Thanks!

Rob
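The two-sided handshake Rob describes, written out as the check a controller would run before honouring a reference. This is an added example, not Gateway API code; the type names and fields are a hypothetical simplification of the from (group, kind, namespace) / to (group, kind) sections described in the email, and the namespace and kind values are constructed.

```go
package main

import "fmt"

// Hypothetical simplified types modelled on the email's description of ReferencePolicy
// (from: group/kind/namespace, to: group/kind); not the Gateway API's real definitions.
type GroupKind struct{ Group, Kind string }
type ReferenceFrom struct{ Group, Kind, Namespace string }
type ReferencePolicy struct {
	Namespace string          // namespace the policy is created in (the target side)
	From      []ReferenceFrom // referrers allowed to point into this namespace
	To        []GroupKind     // local object kinds they may point at
}
// ObjectRef is one reference: From is the referring object, To* identify the target.
type ObjectRef struct {
	From                         ReferenceFrom
	ToGroup, ToKind, ToNamespace string
}
// ReferenceAllowed is the handshake check a controller would run. Same-namespace
// references need no policy; a cross-namespace reference is honoured only if a
// ReferencePolicy in the *target* namespace lists both the referrer and the target kind.
func ReferenceAllowed(ref ObjectRef, policies []ReferencePolicy) bool {
	if ref.From.Namespace == ref.ToNamespace {
		return true
	}
	target := GroupKind{ref.ToGroup, ref.ToKind}
	for _, p := range policies {
		if p.Namespace != ref.ToNamespace {
			continue // a policy in the referrer's own namespace grants nothing
		}
		fromOK, toOK := false, false
		for _, f := range p.From {
			fromOK = fromOK || f == ref.From
		}
		for _, t := range p.To {
			toOK = toOK || t == target
		}
		if fromOK && toOK {
			return true
		}
	}
	return false
}
func main() {
	// Constructed sample: an HTTPRoute in "infra" references a Service in "app-a".
	route := ReferenceFrom{"gateway.networking.k8s.io", "HTTPRoute", "infra"}
	ref := ObjectRef{From: route, ToGroup: "", ToKind: "Service", ToNamespace: "app-a"}
	grant := ReferencePolicy{Namespace: "app-a", From: []ReferenceFrom{route}, To: []GroupKind{{"", "Service"}}}
	fmt.Println(ReferenceAllowed(ref, nil), ReferenceAllowed(ref, []ReferencePolicy{grant})) // false true
}
```

The important property is that only the owner of the target namespace, by creating the policy there, can open the door; a policy placed in the referring namespace grants nothing.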

