Add cross namespace verification in Kubernetes CRD

2021-09-20 12:54:05 +02:00 · 2021-09-20 12:54:05 +02:00 · 6906a022ca
commit 6906a022ca
parent bda0dba131
8 changed files with 418 additions and 129 deletions
--- a/pkg/provider/kubernetes/crd/kubernetes_tcp.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_tcp.go
@ -93,7 +93,7 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
 				conf.Services[serviceName].Weighted.Services = append(conf.Services[serviceName].Weighted.Services, srv)
 			}

-			conf.Routers[serviceName] = &dynamic.TCPRouter{
+			r := &dynamic.TCPRouter{
 				EntryPoints: ingressRouteTCP.Spec.EntryPoints,
 				Middlewares: mds,
 				Rule:        route.Match,
@ -101,32 +101,38 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
 			}

 			if ingressRouteTCP.Spec.TLS != nil {
-				conf.Routers[serviceName].TLS = &dynamic.RouterTCPTLSConfig{
+				r.TLS = &dynamic.RouterTCPTLSConfig{
 					Passthrough:  ingressRouteTCP.Spec.TLS.Passthrough,
 					CertResolver: ingressRouteTCP.Spec.TLS.CertResolver,
 					Domains:      ingressRouteTCP.Spec.TLS.Domains,
 				}

-				if ingressRouteTCP.Spec.TLS.Options == nil || len(ingressRouteTCP.Spec.TLS.Options.Name) == 0 {
-					continue
-				}
-
-				tlsOptionsName := ingressRouteTCP.Spec.TLS.Options.Name
-				// Is a Kubernetes CRD reference (i.e. not a cross-provider reference)
-				ns := ingressRouteTCP.Spec.TLS.Options.Namespace
-				if !strings.Contains(tlsOptionsName, "@") {
-					if len(ns) == 0 {
-						ns = ingressRouteTCP.Namespace
+				if ingressRouteTCP.Spec.TLS.Options != nil && len(ingressRouteTCP.Spec.TLS.Options.Name) > 0 {
+					tlsOptionsName := ingressRouteTCP.Spec.TLS.Options.Name
+					// Is a Kubernetes CRD reference (i.e. not a cross-provider reference)
+					ns := ingressRouteTCP.Spec.TLS.Options.Namespace
+					if !strings.Contains(tlsOptionsName, providerNamespaceSeparator) {
+						if len(ns) == 0 {
+							ns = ingressRouteTCP.Namespace
+						}
+						tlsOptionsName = makeID(ns, tlsOptionsName)
+					} else if len(ns) > 0 {
+						logger.
+							WithField("TLSOption", ingressRouteTCP.Spec.TLS.Options.Name).
+							Warnf("Namespace %q is ignored in cross-provider context", ns)
 					}
-					tlsOptionsName = makeID(ns, tlsOptionsName)
-				} else if len(ns) > 0 {
-					logger.
-						WithField("TLSoptions", ingressRouteTCP.Spec.TLS.Options.Name).
-						Warnf("namespace %q is ignored in cross-provider context", ns)
-				}

-				conf.Routers[serviceName].TLS.Options = tlsOptionsName
+					if !isNamespaceAllowed(p.AllowCrossNamespace, ingressRouteTCP.Namespace, ns) {
+						logger.Errorf("TLSOption %s/%s is not in the IngressRouteTCP namespace %s",
+							ns, ingressRouteTCP.Spec.TLS.Options.Name, ingressRouteTCP.Namespace)
+						continue
+					}
+
+					r.TLS.Options = tlsOptionsName
+				}
 			}
+
+			conf.Routers[serviceName] = r
 		}
 	}