Disable Cross-Namespace by default for IngressRoute provider

2021-07-13 02:48:05 -06:00 · 2021-07-13 02:48:05 -06:00 · 3072354ca5
commit 3072354ca5
parent 14499cd6e5
8 changed files with 23 additions and 30 deletions
--- a/2
+++ b/2
@ -132,7 +132,7 @@ shell: build-dev-image
 docs:
 	make -C ./docs docs
-## Serve the documentation site localy
+## Serve the documentation site locally
 docs-serve:
 	make -C ./docs docs-serve
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@ -364,3 +364,9 @@ For more information, please read the [HTTP routers rule](../routing/routers/ind
 ### Tracing Span
 In `v2.4.9`, we changed span error to log only server errors (>= 500).
 ## v2.4.9 to v2.4.10
 ### K8S CrossNamespace
 In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@ -260,29 +260,25 @@ providers:
 ### `allowCrossNamespace`
-_Optional, Default: true_
+_Optional, Default: false_
-If the parameter is set to `false`, IngressRoutes are not able to reference any resources in other namespaces than theirs.
+If the parameter is set to `true`, IngressRoutes are  able to reference  resources in other namespaces than theirs.
 !!! warning "Deprecation"
    Please note that the default value for this option will be set to `false` in a future version.
 ```yaml tab="File (YAML)"
 providers:
  kubernetesCRD:
-    allowCrossNamespace: false
+    allowCrossNamespace: true
    # ...
 ```
 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
-  allowCrossNamespace = false
+  allowCrossNamespace = true
  # ...
 ```
 ```bash tab="CLI"
--providers.kubernetescrd.allowCrossNamespace=false
+--providers.kubernetescrd.allowCrossNamespace=true
 ```
 ## Full Example
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -556,7 +556,7 @@ TLS key
 Enable Kubernetes backend with default settings. (Default: ```false```)
 `--providers.kubernetescrd.allowcrossnamespace`:  
-Allow cross namespace resource reference. (Default: ```true```)
+Allow cross namespace resource reference. (Default: ```false```)
 `--providers.kubernetescrd.certauthfilepath`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -556,7 +556,7 @@ TLS key
 Enable Kubernetes backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWCROSSNAMESPACE`:  
-Allow cross namespace resource reference. (Default: ```true```)
+Allow cross namespace resource reference. (Default: ```false```)
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -42,18 +42,13 @@ type Provider struct {
 	Token               string          `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
 	CertAuthFilePath    string          `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
 	Namespaces          []string        `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
-	AllowCrossNamespace *bool           `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
+	AllowCrossNamespace bool            `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
 	LabelSelector       string          `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
 	IngressClass        string          `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
 	ThrottleDuration    ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
 	lastConfiguration   safe.Safe
 }
 // SetDefaults sets the default values.
 func (p *Provider) SetDefaults() {
 	p.AllowCrossNamespace = func(b bool) *bool { return &b }(true)
 }
 func (p *Provider) newK8sClient(ctx context.Context) (*clientWrapper, error) {
 	_, err := labels.Parse(p.LabelSelector)
 	if err != nil {
@ -103,7 +98,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
 		return err
 	}
-	if p.AllowCrossNamespace == nil || *p.AllowCrossNamespace {
+	if p.AllowCrossNamespace {
 		logger.Warn("Cross-namespace reference between IngressRoutes and resources is enabled, please ensure that this is expected (see AllowCrossNamespace option)")
 	}
@ -826,7 +821,7 @@ func throttleEvents(ctx context.Context, throttleDuration time.Duration, pool *s
 	return eventsChanBuffered
 }
-func isNamespaceAllowed(allowCrossNamespace *bool, parentNamespace, namespace string) bool {
+func isNamespaceAllowed(allowCrossNamespace bool, parentNamespace, namespace string) bool {
 	// If allowCrossNamespace option is not defined the default behavior is to allow cross namespace references.
-	return allowCrossNamespace == nil || *allowCrossNamespace || parentNamespace == namespace
+	return allowCrossNamespace || parentNamespace == namespace
 }
--- a/pkg/provider/kubernetes/crd/kubernetes_http.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_http.go
@ -173,7 +173,7 @@ func (p *Provider) makeMiddlewareKeys(ctx context.Context, ingRouteNamespace str
 type configBuilder struct {
 	client              Client
-	allowCrossNamespace *bool
+	allowCrossNamespace bool
 }
 // buildTraefikService creates the configuration for the traefik service defined in tService,
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@ -1153,8 +1153,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 				return
 			}
-			p := Provider{IngressClass: test.ingressClass}
+			p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true}
 			p.SetDefaults()
 			clientMock := newClientMock(test.paths...)
 			conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@ -3338,8 +3337,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 				return
 			}
-			p := Provider{IngressClass: test.ingressClass}
+			p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true}
 			p.SetDefaults()
 			clientMock := newClientMock(test.paths...)
 			conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@ -3655,8 +3653,7 @@ func TestLoadIngressRouteUDPs(t *testing.T) {
 				return
 			}
-			p := Provider{IngressClass: test.ingressClass}
+			p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true}
 			p.SetDefaults()
 			clientMock := newClientMock(test.paths...)
 			conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@ -4439,9 +4436,8 @@ func TestCrossNamespace(t *testing.T) {
 			}
 			p := Provider{}
 			p.SetDefaults()
-			p.AllowCrossNamespace = func(b bool) *bool { return &b }(test.allowCrossNamespace)
+			p.AllowCrossNamespace = test.allowCrossNamespace
 			conf := p.loadConfigurationFromCRD(context.Background(), client)
 			assert.Equal(t, test.expected, conf)
 		})