
Re: Headless services without selectors are forbidden in OpenShift



You can grant the role to the user to let them set it.  However, that
lets that app escape any network isolation boundaries so the
multitenant network plugin won’t work.

You can also grant that permission to all users if you don’t need the
protection.

> On Jan 30, 2018, at 3:18 PM, Tomas Nozicka <tnozicka redhat com> wrote:
>
> I need to direct Route/Service traffic from one namespace to another
> which I have permissions to. (Possibly even the same namespace as
> well.) Reading Kubernetes documentation[1] Services without selectors
> seem to be the way to do it. It requires you to set Endpoints manually
> (e.g. to Service or pod in another namespace) but OpenShift will forbid
> you from doing that.
>
> Error from server (Forbidden): error when creating "endpoints.yaml":
> endpoints "my-service" is forbidden: endpoint address 10.131.xxx.xxx is
> not allowed
>
> It requires you to have endpoints/restricted permission regular users
> don't have.
>
> Is that intentional? What are the reasons? (I think this is the place
> forbidding it [2].)
>
> How else can a regular user do this? (Except running a "redirecting" pod,
> which is fragile.)
>
> Thanks,
> Tomas
>
> [1] - https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
> [2] - https://github.com/openshift/origin/blob/de21f148d1ca66ca2bfd201136c2e99ebda767e9/pkg/service/admission/endpoint_admission.go#L121
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
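The thread turns on one check: an Endpoints object whose addresses point into the cluster's own pod or service network is rejected unless the user can create `endpoints/restricted`, because such an object lets a Service route traffic to any pod IP regardless of namespace isolation. The following is an added illustration written for this page, not OpenShift's `endpoint_admission.go`; it models that admission decision in Python over constructed manifests. The CIDRs (`10.128.0.0/14` for pods, `172.30.0.0/16` for services), the pod IP `10.131.4.7` and the `admit` / `offending_addresses` function names are assumptions chosen for the example, and the decision to treat the service network as restricted alongside the pod network is likewise an assumption about the real plugin.

```python
import ipaddress

# Constructed sample ranges (assumption: real clusters carry their own values).
CLUSTER_NETWORK_CIDRS = ["10.128.0.0/14"]   # pod network
SERVICE_NETWORK_CIDR = "172.30.0.0/16"       # Service ClusterIP range


def restricted_networks(cluster_cidrs=CLUSTER_NETWORK_CIDRS,
                        service_cidr=SERVICE_NETWORK_CIDR):
    """Networks an ordinary user may not target with hand-written Endpoints."""
    return [ipaddress.ip_network(c) for c in list(cluster_cidrs) + [service_cidr]]


def offending_addresses(endpoints, networks):
    """Return every address in an Endpoints object that lies inside a restricted network."""
    bad = []
    for subset in endpoints.get("subsets", []):
        for addr in subset.get("addresses", []) + subset.get("notReadyAddresses", []):
            ip = ipaddress.ip_address(addr["ip"])
            if any(ip in net for net in networks):
                bad.append(addr["ip"])
    return bad


def admit(endpoints, user_can_create_restricted, networks=None):
    """Simplified admission decision: (allowed, reason).

    user_can_create_restricted models whether RBAC lets the requester
    'create' the endpoints/restricted subresource mentioned in the thread.
    """
    networks = networks if networks is not None else restricted_networks()
    bad = offending_addresses(endpoints, networks)
    if not bad:
        return True, "no restricted addresses"
    if user_can_create_restricted:
        return True, "user holds endpoints/restricted"
    name = endpoints["metadata"]["name"]
    return False, f'endpoints "{name}" is forbidden: endpoint address {bad[0]} is not allowed'


# Constructed headless Service without a selector; Endpoints must be supplied by hand.
HEADLESS_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "my-service"},
    "spec": {"clusterIP": "None", "ports": [{"port": 8080}]},
}

# Constructed Endpoints aimed at a pod IP inside the cluster network (the thread's case).
POD_ENDPOINTS = {
    "apiVersion": "v1", "kind": "Endpoints",
    "metadata": {"name": "my-service"},
    "subsets": [{"addresses": [{"ip": "10.131.4.7"}], "ports": [{"port": 8080}]}],
}

# Constructed Endpoints aimed at another Service's ClusterIP.
SERVICE_IP_ENDPOINTS = {
    "apiVersion": "v1", "kind": "Endpoints",
    "metadata": {"name": "my-service"},
    "subsets": [{"addresses": [{"ip": "172.30.1.1"}], "ports": [{"port": 8080}]}],
}

# Constructed Endpoints aimed outside the cluster (documentation range 192.0.2.0/24).
EXTERNAL_ENDPOINTS = {
    "apiVersion": "v1", "kind": "Endpoints",
    "metadata": {"name": "my-service"},
    "subsets": [{"addresses": [{"ip": "192.0.2.10"}], "ports": [{"port": 8080}]}],
}

if __name__ == "__main__":
    assert HEADLESS_SERVICE["spec"]["clusterIP"] == "None"
    for label, obj in [("pod", POD_ENDPOINTS), ("service", SERVICE_IP_ENDPOINTS),
                       ("external", EXTERNAL_ENDPOINTS)]:
        for privileged in (False, True):
            print(label, "privileged" if privileged else "regular", admit(obj, privileged))
```

The external case is admitted for everyone, which is the intended use of selector-less Services; the pod and ClusterIP cases are the ones the reply warns about, since granting `endpoints/restricted` to a user lets their Endpoints reach any address in those ranges and therefore bypasses the per-namespace isolation of the multitenant network plugin.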

