Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The plugin should only consider HTTPProxies from the same namespace as the Rollout resource #17

Closed
mvgmb opened this issue May 16, 2023 · 1 comment · Fixed by #18
Closed

The plugin should only consider HTTPProxies from the same namespace as the Rollout resource #17

mvgmb opened this issue May 16, 2023 · 1 comment · Fixed by #18
Labels
enhancement New feature or request

Comments

@mvgmb
Copy link
Contributor

mvgmb commented May 16, 2023

Summary

The plugin should only consider HTTPProxies from the same namespace as the Rollout resource.

Motivation

As of right now, the plugin is capable of changing the weight of HTTPProxies from other namespaces, i.e.:

apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: api
  namespace: default
spec:
  strategy:
    canary:
      canaryService: api-canary
      stableService: api
      trafficRouting:
        plugins:
          argoproj-labs/contour:
            namespace: another-namespace
            httpProxy: api
      steps:
        - setWeight: 25

The Rollout above can alter the HTTPProxy from the another-namespace, even though it's in the default namespace.

This allows anyone to deploy a Rollout in any namespace and alter any HTTPProxy within the cluster.

Proposal

The plugin should be limited to HTTPProxies from the same namespace as the Rollout resource.

Argo Rollouts follow the same principle, all traffic management configurations only allow changing resources from the same namespace as the Rollout. As an example, we can turn to the NGINX doc:

The stable Ingress field is a reference to an Ingress in the same namespace of the Rollout
@mvgmb mvgmb added the enhancement New feature or request label May 16, 2023
@mvgmb mvgmb mentioned this issue May 16, 2023
Merged
@izturn
Copy link
Collaborator

izturn commented May 26, 2023

@mvgmb thx, i will review it later

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
2 participants
@mvgmb @izturn