smi-spec
Namespace question/inconsistency in Traffic Access Control
Take the example definition in the Traffic Access Control page:
```yaml
---
kind: TrafficTarget
apiVersion: access.smi-spec.io/v1alpha1
metadata:
  name: path-specific
  namespace: default
destination:
  kind: ServiceAccount
  name: service-a
  namespace: default
  port: 8080
specs:
- kind: HTTPRouteGroup
  name: the-routes
  matches:
    - metrics
sources:
- kind: ServiceAccount
  name: prometheus
  namespace: default
```
I am wondering if you could shed some light on the reason that TrafficTarget is a namespaced resource. Each source in the sources list specifies a namespace, as well as the destination. What is the point of the TrafficTarget itself being namespaced? For example:
```yaml
---
kind: TrafficTarget
apiVersion: access.smi-spec.io/v1alpha1
metadata:
  name: path-specific
  namespace: other-namespace
destination:
  kind: ServiceAccount
  name: service-a
  namespace: default
  port: 8080
specs:
- kind: HTTPRouteGroup
  name: the-routes
  matches:
    - metrics
sources:
- kind: ServiceAccount
  name: prometheus
  namespace: default
```
Do you see this as valid yaml? Both the destination and sources have namespace `default`, but the TrafficTarget resource itself has namespace `other-namespace`. If this is valid, how should the namespace in TrafficTarget influence the namespaces specified in destination and sources? Should it influence them at all? If not, what's the point of having TrafficTarget be a namespaced resource?