From 3072354ca5d61e85d946f0e3839e9d09c5ee24cb Mon Sep 17 00:00:00 2001
From: Daniel Tomcej
Date: Tue, 13 Jul 2021 02:48:05 -0600
Subject: [PATCH] Disable Cross-Namespace by default for IngressRoute provider
---
 Makefile | 2 +-
 docs/content/migration/v2.md | 6 ++++++
 docs/content/providers/kubernetes-crd.md | 14 +++++---------
 .../reference/static-configuration/cli-ref.md | 2 +-
 .../reference/static-configuration/env-ref.md | 2 +-
 pkg/provider/kubernetes/crd/kubernetes.go | 13 ++++---------
 pkg/provider/kubernetes/crd/kubernetes_http.go | 2 +-
 pkg/provider/kubernetes/crd/kubernetes_test.go | 12 ++++--------
 8 files changed, 23 insertions(+), 30 deletions(-)
diff --git a/Makefile b/Makefile
index ec5ee86df..fea41bcfd 100644
--- a/Makefile
+++ b/Makefile
@@ -132,7 +132,7 @@ shell: build-dev-image
 docs:
 make -C ./docs docs
-## Serve the documentation site localy
+## Serve the documentation site locally
 docs-serve:
 make -C ./docs docs-serve
diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md
index a34fed323..4d27d856e 100644
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -364,3 +364,9 @@ For more information, please read the [HTTP routers rule](../routing/routers/ind
 ### Tracing Span
 In `v2.4.9`, we changed span error to log only server errors (>= 500).
+
+## v2.4.9 to v2.4.10
+
+### K8S CrossNamespace
+
+In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
diff --git a/docs/content/providers/kubernetes-crd.md b/docs/content/providers/kubernetes-crd.md
index 814c4fe43..b9e89a4d9 100644
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -260,29 +260,25 @@ providers:
 ### `allowCrossNamespace`
-_Optional, Default: true_
+_Optional, Default: false_
-If the parameter is set to `false`, IngressRoutes are not able to reference any resources in other namespaces than theirs.
-
-!!! warning "Deprecation"
-
- Please note that the default value for this option will be set to `false` in a future version.
+If the parameter is set to `true`, IngressRoutes are able to reference resources in other namespaces than theirs.
 ```yaml tab="File (YAML)"
 providers:
 kubernetesCRD:
- allowCrossNamespace: false
+ allowCrossNamespace: true
 # ...
 ```
 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
- allowCrossNamespace = false
+ allowCrossNamespace = true
 # ...
 ```
 ```bash tab="CLI"
---providers.kubernetescrd.allowCrossNamespace=false
+--providers.kubernetescrd.allowCrossNamespace=true
 ```
 ## Full Example
diff --git a/docs/content/reference/static-configuration/cli-ref.md b/docs/content/reference/static-configuration/cli-ref.md
index 4208eef6e..5afe6e696 100644
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -556,7 +556,7 @@ TLS key
 Enable Kubernetes backend with default settings. (Default: ```false```)
 `--providers.kubernetescrd.allowcrossnamespace`:
-Allow cross namespace resource reference. (Default: ```true```)
+Allow cross namespace resource reference. (Default: ```false```)
 `--providers.kubernetescrd.certauthfilepath`:
 Kubernetes certificate authority file path (not needed for in-cluster client).
diff --git a/docs/content/reference/static-configuration/env-ref.md b/docs/content/reference/static-configuration/env-ref.md
index 9ea6fa2a9..55c3d3f50 100644
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -556,7 +556,7 @@ TLS key
 Enable Kubernetes backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWCROSSNAMESPACE`:
-Allow cross namespace resource reference. (Default: ```true```)
+Allow cross namespace resource reference. (Default: ```false```)
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:
 Kubernetes certificate authority file path (not needed for in-cluster client).
diff --git a/pkg/provider/kubernetes/crd/kubernetes.go b/pkg/provider/kubernetes/crd/kubernetes.go
index ccda4a173..7e107fed4 100644
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@@ -42,18 +42,13 @@ type Provider struct {
 Token string `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
 CertAuthFilePath string `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
 Namespaces []string `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
- AllowCrossNamespace *bool `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
+ AllowCrossNamespace bool `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
 LabelSelector string `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
 IngressClass string `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
 ThrottleDuration ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
 lastConfiguration safe.Safe
 }
-// SetDefaults sets the default values.
-func (p *Provider) SetDefaults() {
- p.AllowCrossNamespace = func(b bool) *bool { return &b }(true)
-}
-
 func (p *Provider) newK8sClient(ctx context.Context) (*clientWrapper, error) {
 _, err := labels.Parse(p.LabelSelector)
 if err != nil {
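Review bot: The exported `AllowCrossNamespace` field carries no comment saying that its zero value is now the deny-by-default setting, and with `SetDefaults` removed nothing in this hunk records that the default is intentional rather than accidental. A line such as `// AllowCrossNamespace is false by default: references to resources in another namespace are rejected unless explicitly enabled.` above the field would stop a later `SetDefaults` from quietly restoring the permissive value. Separately, switching the exported field from `*bool` to `bool` breaks any Go code that assigns a pointer to it, which the migration note places in v2.4.10; that note only mentions the default value. The `Provider` struct opens before this hunk and `newK8sClient` continues past it.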
@@ -103,7 +98,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
 return err
 }
- if p.AllowCrossNamespace == nil || *p.AllowCrossNamespace {
+ if p.AllowCrossNamespace {
 logger.Warn("Cross-namespace reference between IngressRoutes and resources is enabled, please ensure that this is expected (see AllowCrossNamespace option)")
 }
@@ -826,7 +821,7 @@ func throttleEvents(ctx context.Context, throttleDuration time.Duration, pool *s
 return eventsChanBuffered
 }
-func isNamespaceAllowed(allowCrossNamespace *bool, parentNamespace, namespace string) bool {
+func isNamespaceAllowed(allowCrossNamespace bool, parentNamespace, namespace string) bool {
 // If allowCrossNamespace option is not defined the default behavior is to allow cross namespace references.
- return allowCrossNamespace == nil || *allowCrossNamespace || parentNamespace == namespace
+ return allowCrossNamespace || parentNamespace == namespace
 }
diff --git a/pkg/provider/kubernetes/crd/kubernetes_http.go b/pkg/provider/kubernetes/crd/kubernetes_http.go
index 57a16cab5..b110e9467 100644
--- a/pkg/provider/kubernetes/crd/kubernetes_http.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_http.go
@@ -173,7 +173,7 @@ func (p *Provider) makeMiddlewareKeys(ctx context.Context, ingRouteNamespace str
 type configBuilder struct {
 client Client
- allowCrossNamespace *bool
+ allowCrossNamespace bool
 }
 // buildTraefikService creates the configuration for the traefik service defined in tService,
diff --git a/pkg/provider/kubernetes/crd/kubernetes_test.go b/pkg/provider/kubernetes/crd/kubernetes_test.go
index 9b2fa2e60..0c1c15637 100644
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
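Review bot: In the `Provide` hunk of kubernetes.go the only startup signal is the Warn emitted when `p.AllowCrossNamespace` is true, so a deployment that relied on the old default gets no provider-level log explaining why its cross-namespace references stopped resolving after the upgrade. An else branch such as `logger.Info("Cross-namespace reference between IngressRoutes and resources is disabled (see AllowCrossNamespace option)")` would make the effective policy visible in the logs. Whether each rejected reference is logged individually is decided outside this hunk, and `Provide` itself starts and ends beyond it.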
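Review bot: The comment kept as context inside `isNamespaceAllowed` (kubernetes.go, hunk at -826) still says that an undefined option allows cross-namespace references, which is the opposite of what the new `bool` parameter does: the zero value now denies. Since this function is the namespace access check, the stale text misstates the policy to whoever audits it next. Replace it with something like `// Cross-namespace references are rejected unless allowCrossNamespace is explicitly enabled.`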
@@ -1153,8 +1153,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 return
 }
- p := Provider{IngressClass: test.ingressClass}
- p.SetDefaults()
+ p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true}
 clientMock := newClientMock(test.paths...)
 conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@@ -3338,8 +3337,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 return
 }
- p := Provider{IngressClass: test.ingressClass}
- p.SetDefaults()
+ p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true}
 clientMock := newClientMock(test.paths...)
 conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@@ -3655,8 +3653,7 @@ func TestLoadIngressRouteUDPs(t *testing.T) {
 return
 }
- p := Provider{IngressClass: test.ingressClass}
- p.SetDefaults()
+ p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true}
 clientMock := newClientMock(test.paths...)
 conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@@ -4439,9 +4436,8 @@ func TestCrossNamespace(t *testing.T) {
 }
 p := Provider{}
- p.SetDefaults()
- p.AllowCrossNamespace = func(b bool) *bool { return &b }(test.allowCrossNamespace)
+ p.AllowCrossNamespace = test.allowCrossNamespace
 conf := p.loadConfigurationFromCRD(context.Background(), client)
 assert.Equal(t, test.expected, conf)
 })
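Review bot: `TestLoadIngressRouteTCPs`, `TestLoadIngressRoutes` and `TestLoadIngressRouteUDPs` now build the provider with `AllowCrossNamespace: true`, so the bulk of the fixtures run only under the non-default, permissive setting. The deny path is left to `TestCrossNamespace`, and only if its table (outside these hunks) contains `false` cases. A direct check such as `assert.False(t, isNamespaceAllowed(false, "a", "b"))`, plus one case that loads through a zero-value `Provider{}`, would pin the new default against regression. All four test functions start and end outside the hunks shown.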