
Kubernetes ingress: how to restrict virtual host name to include user's own namespace?

Background

We have a server with one external IP, microk8s and k8s ingress (nginx) configured for name-based virtual hosts. The machine is intended as a playground for several devs for testing container technologies. A problem quickly emerged of route name collisions, with two users trying to set up the same route (like test or dev). One solution would be to include namespaces in the hostnames, but users would still have to cooperate (as opposed to using someone else's namespace).

Question

How to restrict user-generated host names (set up with Ingress config files) to include only the user's own namespace in name-based virtual hosting (preferably using the Nginx ingress)? It seems to be possible, because this is how our corporate OpenShift routes (auto-generated hostnames that include namespaces) work: it is not possible to create a route in a namespace without having access (controlled by RBAC) to it.

The OpenShift 3.x docs mention:

If a host name is not provided as part of the route definition, then OpenShift Container Platform automatically generates one for you. The generated host name is of the form:

 <route-name>[-<namespace>].<suffix>

So I guess that what you want is to do the same: generate a hostname when one is not provided.

Unfortunately for you, this is not supported by k8s and the k8s nginx ingress as far as I know.

What you might want to do is create a mutating webhook to mutate the object in flight when it is applied to k8s (it can e.g. generate a host field if one is not provided), or use a validating webhook to validate that the object meets the requirements.

Here is a tutorial you might want to check out: kube-mutating-webhook-tutorial

You can also try to find a different ingress controller that supports the feature you want.

One other solution involves removing the access to create ingress objects from developers, and picking only one person who will be responsible for the creation and validation of ingress objects (probably a bad idea, but it is a solution).
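The webhook approach from this answer, as an added example that is not part of the original question or answer and not code from any project. It shows the admission logic only (the TLS HTTP server and the webhook registration are left to you) and it assumes a hypothetical wildcard domain `apps.example.internal` behind the nginx ingress. It deliberately uses the convention `<label>.<namespace>.<suffix>` rather than the OpenShift `<route-name>-<namespace>.<suffix>` form: with the hyphen form a host such as `x-a-dev.<suffix>` could be claimed by namespace `dev` (label `x-a`) as well as by namespace `a-dev` (label `x`), whereas making the namespace its own DNS label leaves no ambiguity. The same handler serves as the mutating webhook (fills in a missing host) and as the validating webhook (refuses hosts outside the caller's namespace, wildcards, TLS hosts for other names, and rule-less Ingresses, which the nginx ingress would otherwise serve as a catch-all). `make_review` builds a constructed AdmissionReview fixture, not a real capture.

```python
"""Admission logic that ties Ingress hostnames to the requesting namespace.

Added example, not from the question, the answer or any project.
Assumptions (hypothetical): CLUSTER_SUFFIX is the playground's wildcard domain,
hosts follow <label>.<namespace>.<suffix>, and this handler is registered both
as a MutatingWebhookConfiguration and as a ValidatingWebhookConfiguration for
networking.k8s.io ingresses (validation runs after every mutating webhook, so a
later mutator cannot alter a host that was already checked).
"""
import base64
import json
import re

CLUSTER_SUFFIX = "apps.example.internal"  # assumed wildcard domain, adjust to your cluster
DNS_LABEL = r"[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?"  # one RFC 1123 label


def expected_host(ingress_name: str, namespace: str, suffix: str = CLUSTER_SUFFIX) -> str:
    """Host generated for a rule that omits one: <ingress-name>.<namespace>.<suffix>."""
    return f"{ingress_name}.{namespace}.{suffix}"


def host_allowed(host, namespace: str, suffix: str = CLUSTER_SUFFIX) -> bool:
    """True only for exactly one label, then the caller's namespace, then the suffix.

    The anchored match rejects wildcards ('*' is not a label character), hosts
    in other namespaces, and look-alikes such as a.ns.<suffix>.evil.com."""
    pattern = rf"^{DNS_LABEL}\.{re.escape(namespace)}\.{re.escape(suffix)}$"
    return isinstance(host, str) and re.match(pattern, host) is not None


def _wrap(response: dict) -> dict:
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _deny(uid: str, message: str) -> dict:
    return _wrap({"uid": uid, "allowed": False, "status": {"code": 403, "message": message}})


def review(admission_review: dict, suffix: str = CLUSTER_SUFFIX) -> dict:
    """Handle one AdmissionReview for an Ingress: fill in missing hosts, deny foreign ones."""
    req = admission_review["request"]
    uid, namespace = req["uid"], req["namespace"]
    ingress = req["object"]
    name = ingress.get("metadata", {}).get("name", "")
    spec = ingress.get("spec", {})
    rules = spec.get("rules") or []
    patch = []  # RFC 6902 JSON Patch, the format a mutating webhook returns

    # No rules at all: the nginx ingress would serve this Ingress as a catch-all
    # default backend, which no playground user should be able to claim.
    if not rules:
        return _deny(uid, "Ingress must declare at least one rule with a host")

    for i, rule in enumerate(rules):
        host = rule.get("host")
        if not host:  # absent or empty: generate one instead of leaving a host-less rule
            host = expected_host(name, namespace, suffix)
            patch.append({"op": "add", "path": f"/spec/rules/{i}/host", "value": host})
        if not host_allowed(host, namespace, suffix):
            return _deny(uid, f"host {host!r} must match <label>.{namespace}.{suffix}")

    # TLS hosts are selected by SNI and must obey the same rule, otherwise a user
    # could get a certificate-serving vhost for somebody else's name.
    for tls in spec.get("tls") or []:
        for host in tls.get("hosts") or []:
            if not host_allowed(host, namespace, suffix):
                return _deny(uid, f"tls host {host!r} must match <label>.{namespace}.{suffix}")

    response = {"uid": uid, "allowed": True}
    if patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return _wrap(response)


def decode_patch(admission_response: dict) -> list:
    """Decode the base64 JSON Patch a mutating response carries (empty list if none)."""
    raw = admission_response["response"].get("patch")
    return json.loads(base64.b64decode(raw)) if raw else []


def make_review(namespace, name, hosts, tls_hosts=(), uid="c0ffee-0001"):
    """Constructed AdmissionReview for an Ingress CREATE (a fixture, not a real capture)."""
    rules = []
    for host in hosts:
        rule = {"http": {"paths": [{"path": "/", "pathType": "Prefix",
                 "backend": {"service": {"name": name, "port": {"number": 80}}}}]}}
        if host is not None:
            rule["host"] = host
        rules.append(rule)
    spec = {"rules": rules}
    if tls_hosts:
        spec["tls"] = [{"hosts": list(tls_hosts), "secretName": f"{name}-tls"}]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "namespace": namespace, "operation": "CREATE",
                        "object": {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
                                   "metadata": {"name": name, "namespace": namespace},
                                   "spec": spec}}}


if __name__ == "__main__":
    # Alice's host-less Ingress "test" is patched to test.alice.<suffix>; a host in
    # Bob's namespace is refused with a 403 status the user sees from kubectl.
    print(json.dumps(review(make_review("alice", "test", [None])), indent=2))
    print(json.dumps(review(make_review("alice", "test", ["test.bob." + CLUSTER_SUFFIX])), indent=2))
```

When registering the webhook, scope its rules to `networking.k8s.io` `ingresses` on CREATE and UPDATE and set `failurePolicy: Fail`, so that an unavailable webhook refuses Ingresses rather than silently admitting them. The check only holds if developers cannot edit the cluster-scoped webhook configurations themselves, so keep those out of their RBAC roles; the namespace-level RBAC the question mentions is what binds a user to the `request.namespace` the handler trusts.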
