admission-control: validate that Ingress and RouteGroup hosts in hosted zone domain #8436
+107
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AlexanderYastrebov
added
the
major
AlexanderYastrebov
force-pushed
the
admission/validate-ingress-routegroup-hosts
branch
from
8cb970f
to
91154d2
Compare
| @@ -0,0 +1,56 @@ | |||
| # {{ if or (eq .Cluster.ConfigItems.ingresses_validation "enabled") (eq .Cluster.ConfigItems.routegroups_validation "enabled") }} | |||
| # {{ $hosted_zone_parent_domain := slice (split .Values.hosted_zone ".") 1 | join "." }} | |||
There was a problem hiding this comment.
This assumes .Values.hosted_zone is a three-level domain like foo.bar.test
AlexanderYastrebov
force-pushed
the
admission/validate-ingress-routegroup-hosts
branch
11 times, most recently
from
eb927a5
to
3ae69ac
Compare
…ed zone domain Add ValidatingAdmissionPolicies that validates Ingress and RouteGroup hosts from hosted zone parent domain are in hosted zone domain. E.g. for hosted zone `foo.bar.test` its parent domain is `bar.test` and therefore Ingress and RouteGroup hosts from `bar.test` domain must also be in `foo.bar.test` domain. Signed-off-by: Alexander Yastrebov <[email protected]>
AlexanderYastrebov
force-pushed
the
admission/validate-ingress-routegroup-hosts
branch
from
3ae69ac
to
2348432
Compare
| @@ -0,0 +1,93 @@ | |||
| # {{ $hosted_zone_parent_domain := slice (split .Values.hosted_zone ".") 1 | join "." }} | |||
|
|
|||
| # {{ if eq .Cluster.ConfigItems.ingresses_validation "enabled" }} | |||
There was a problem hiding this comment.
Do we need another new config to toggle theses policies off?
|
Maybe this stuff deserves an e2e test? |
There could be multiple hosted zones (e.g. foo.bar.test and qux.bar.test) in the same cluster using the same parent domain (bar.test) so this validation logic will not accept *.qux.bar.test because it only accepts *.foo.bar.test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add ValidatingAdmissionPolicy that validates Ingress and RouteGroup hosts from hosted zone parent domain are in hosted zone domain.
E.g. for hosted zone
foo.bar.testits parent domain isbar.testand therefore Ingress and RouteGroup hosts frombar.testdomain must also be infoo.bar.testdomain.