
pkg/contour: Disable Ingress & IngressRoute resources via flag or config item

Open stevesloka opened this issue 6 years ago • 7 comments

Describe the solution you'd like If users are utilizing HTTPProxies, we should have a way to disable Ingress as well as IngressRoute resources as they don't follow the same delegation mechanism and could possibly allow users to introduce unpredicted configurations within their Ingress infrastructure.

// #1234

stevesloka avatar Jul 11 '19 16:07 stevesloka

As a workaround, can this be achieved by removing Contour’s RBAC permission to read/list/watch Ingress objects?

bgagnon avatar Jul 23 '19 12:07 bgagnon

Thanks for raising this issue. I think for the moment the answer is to prevent Ingress via RBAC. I'm going to move this to the unplanned milestone and we'll re-evaluate post Contour 1.0.

davecheney avatar Aug 04 '19 21:08 davecheney

We've neutralized the Ingress object in our clusters in two ways:

  • blocking Contour from seeing any Ingress objects, via RBAC
  • enforcing a ResourceQuota of max: 0 objects of type Ingress in namespaces

For us, the quota was necessary to avoid having confused users wondering why their Ingress objects are ignored. We felt the resource quota approach gave a better user and developer experience:

  • the error message is clearer than an RBAC problem
  • it's not possible to write RBAC roles that target everything except Ingress, which is annoying to maintain as we would have needed to list everything else explicitly
  • should a particular namespace require a different ingress controller, we can deploy it there and lift the quota restriction on that namespace

We intend to use the same strategy to support only HTTPProxy and forbid IngressRoute. In that case however, it might be helped by not deploying the IngressRoute CRD at all.

bgagnon avatar Oct 11 '19 04:10 bgagnon
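The two layers bgagnon describes (a zero-count ResourceQuota per namespace, plus a Contour ClusterRole that never grants access to Ingress), as an added example that is not from this thread or the Contour project; the namespace, object names and the ClusterRole rule subset are assumptions.

```yaml
# Added example, not from the Contour project or this thread. The namespace,
# object names and the ClusterRole rule subset are assumed.
#
# 1. Object-count quota: admission rejects any Ingress in this namespace with
#    an explicit "exceeded quota" error, so users learn the policy at creation
#    time instead of wondering why their Ingress is silently ignored.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: no-ingress
  namespace: team-a   # apply per namespace; leave it out where another ingress controller is allowed
spec:
  hard:
    count/ingresses.networking.k8s.io: "0"
    # Assumption: on clusters that still serve Ingress under the legacy
    # "extensions" group, add the same zero count for that group too.
    count/ingresses.extensions: "0"
---
# 2. RBAC: Contour's ClusterRole simply omits "ingresses", so an Ingress in a
#    namespace without the quota is still never listed or watched.
#    Illustrative subset only: start from the project's own ClusterRole and
#    drop the ingresses rule rather than copying this list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: contour-no-ingress
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["projectcontour.io"]
    resources: ["httpproxies"]
    verbs: ["get", "list", "watch"]
  # Deliberately no rule for resources ["ingresses"] in apiGroups
  # ["networking.k8s.io", "extensions"].
```

`kubectl describe resourcequota no-ingress -n team-a` shows the hard limit of 0, and a `kubectl apply` of an Ingress into that namespace is rejected at admission with an exceeded-quota error rather than being accepted and ignored.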

Thank you for your reply. At the moment the way we expect admins to restrict which k8s objects are used inside their cluster is RBAC. The resource quota method is really nice. I’d like to document that in the, as yet to start, learning and solutions section of the website.

FWIW: if --root-namespaces is used to restrict root IngressRoute and HTTPProxy objects, untraceable objects will have their status set to orphaned. We could probably do better than that to notify end users that their object is unreachable by policy, not just a typo.

davecheney avatar Oct 11 '19 04:10 davecheney

This issue should be revised to disable Ingress and/or IngressRoute objects. This lets an operator support only HTTPProxy objects.

bgagnon avatar Feb 10 '20 21:02 bgagnon

For the record my suggestion on the k8s slack was to address this with RBAC in the cluster rather than introduce logic into contour.

RBAC would let the user know immediately that objects are disallowed by policy. Communicating this after the fact if Contour was programmed to ignore certain objects would be less effective.


davecheney avatar Feb 10 '20 23:02 davecheney