notification-controller icon indicating copy to clipboard operation
notification-controller copied to clipboard

Published 20 hours ago verified publisher icon fluxcd

Allow wildcard value for namespaces in Alert eventSources

Open alekspog opened this issue 1 year ago • 8 comments

Allow wildcard value for namespaces in Alert eventSources.

Fix: https://github.com/fluxcd/notification-controller/issues/71

At the moment we have to create a list of all HelmRelease objects, for example, in the eventSources section to be able to get notifications about them. We also need to update the list whenever a new object is added. That requires lots of effort. It seems that the best way is to allow wildcards for namespaces.

How the Alert eventSources definition looks now:

  eventSources:
    - kind: HelmRelease
      name: '*'
      namespace: 'service1'
    - kind: HelmRelease
      name: '*'
      namespace: 'service2'
...
    - kind: HelmRelease
      name: '*'
      namespace: 'service99'

How it would be after the change:

  eventSources:
    - kind: HelmRelease
      name: '*'
      namespace: '*'

alekspog avatar Mar 30 '23 19:03 alekspog

There are security concerns related to this feature that were articulated in #71 (e.g. https://github.com/fluxcd/notification-controller/issues/71#issuecomment-991049078). Given the mentioned RFC has never been merged, we need to think this over.

In any case this will need to be held until notification-controller 1.0.0 has been released. Let's please take the time to completely discuss the threat model and potential mitigations here.

makkes avatar Mar 31 '23 06:03 makkes

I thought that disabling cross-namespace references should solve the security concern as was said there: https://github.com/fluxcd/notification-controller/issues/71#issuecomment-1374690404. I agree that using ReferenceGrant should improve the security boundaries. Still, it seems to be orthogonal to the Alerts setup. notification-controller can listen to events in any namespace anyway if the cross-namespace references flag is enabled. If this is inappropriate cluster admin can disable cross-namespace references.

Are there any ongoing discussions about the threat model? I see that https://github.com/fluxcd/flux2/pull/2092 and https://github.com/fluxcd/flux2/pull/2093 were closed both to wait for https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/3766-referencegrant/README.md

alekspog avatar Apr 03 '23 11:04 alekspog

any update on this?

xTrekStorex avatar Oct 19 '23 10:10 xTrekStorex

How about using regex matching for the namespace(s)?

sebastiangaiser avatar Oct 23 '23 15:10 sebastiangaiser

Hi! Is it correct to say that this PR is still on hold and we are waiting?

gecube avatar Nov 01 '23 09:11 gecube

Hi! Is it correct to say that this PR is still on hold and we are waiting?

Yes, pretty much. Current consensus is that we want to wait for the Kubernetes ReferenceGrant API to become GA which will definitely take a couple of Kubernetes releases to come.

makkes avatar Nov 09 '23 18:11 makkes

This feature request seems irrelevant to ReferenceGrant API; what ReferenceGrant will affect is all of the cross-namespace references filtering - but that'd have to work at a different level. I see no point in holding on with this PR. The current model is pretty secure - this PR does not make it weaker.

MOZGIII avatar Dec 20 '23 03:12 MOZGIII

Hi, any update on this PR?

rinzler-17 avatar Mar 07 '24 05:03 rinzler-17