
Re: Headless services without selectors are forbidden in OpenShift



Thanks for the insight, Clayton.

Running this on Online so extra permissions are out of the way.

In theory that admission could allow only the IPs I have access to per
the rules used by multitenant network plugin. (Especially when I am
setting the pod IP from the same namespace.) I guess the cost of
maintaining that duplicated logic would be too high.


On Tue, 2018-01-30 at 16:09 -0500, Clayton Coleman wrote:
> You can grant the role to the user to let them set it.  However, that
> lets that app escape any network isolation boundaries so the
> multitenant network plugin won’t work.
> 
> You can also grant that permission to all users if you don’t need the
> protection.
> 
> > On Jan 30, 2018, at 3:18 PM, Tomas Nozicka <tnozicka redhat com>
> > wrote:
> > 
> > I need to direct Route/Service traffic from one namespace to another
> > which I have permissions to. (Possibly even the same namespace as
> > well.) Reading Kubernetes documentation[1] Services without selectors
> > seem to be the way to do it. It requires you to set Endpoints manually
> > (e.g. to Service or pod in another namespace) but OpenShift will forbid
> > you from doing that.
> > 
> > Error from server (Forbidden): error when creating "endpoints.yaml":
> > endpoints "my-service" is forbidden: endpoint address 10.131.xxx.xxx is
> > not allowed
> > 
> > It requires you to have endpoints/restricted permission regular users
> > don't have.
> > 
> > Is that intentional? What are the reasons? (I think this is the place
> > forbidding it [2].)
> > 
> > How else can a regular user do this? (Except running a "redirecting" pod
> > which is fragile.)
> > 
> > Thanks,
> > Tomas
> > 
> > [1] - https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
> > [2] - https://github.com/openshift/origin/blob/de21f148d1ca66ca2bfd201136c2e99ebda767e9/pkg/service/admission/endpoint_admission.go#L121
> > 
> > _______________________________________________
> > users mailing list
> > users lists openshift redhat com
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
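As an added illustration of the check discussed in this thread (written for this page, not taken from the origin admission plugin linked at [2] and not from either participant), here is a simplified Python model of the restricted-endpoints admission logic: manually set Endpoints addresses that fall inside the pod or service network are rejected unless the requester is authorized for the endpoints/restricted subresource. The CIDRs and the authorization table are constructed sample values, not read from any cluster.

```python
"""Simplified model of OpenShift's restricted-endpoints admission check.

This is an added illustration, not the code from endpoint_admission.go.
It reproduces only the idea behind the error in the thread: an Endpoints
object whose addresses lie in the cluster (pod) network or the service
network is forbidden unless the requester may create endpoints/restricted.
"""
import ipaddress

# Constructed sample networks. Real values come from the cluster's
# network configuration; these are placeholders for the illustration.
CLUSTER_NETWORKS = [ipaddress.ip_network("10.128.0.0/14")]   # pod IPs
SERVICE_NETWORK = ipaddress.ip_network("172.30.0.0/16")      # service IPs

# Constructed sample authorization table: identities allowed to create
# the endpoints/restricted subresource (hypothetical names).
RESTRICTED_ENDPOINTS_CREATORS = {
    "system:serviceaccount:kube-system:endpoint-controller",
}


def is_restricted_address(addr: str) -> bool:
    """True if addr is inside the pod network or the service network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLUSTER_NETWORKS) or ip in SERVICE_NETWORK


def admit_endpoints(name: str, addresses: list, user: str) -> tuple:
    """Decide whether `user` may create/update Endpoints `name`.

    Returns (allowed, message). Addresses outside the cluster-internal
    ranges are always allowed, so pointing a selector-less Service at an
    external host works for regular users; cluster-internal addresses
    require the endpoints/restricted permission.
    """
    restricted = [a for a in addresses if is_restricted_address(a)]
    if not restricted:
        return True, "allowed: no cluster-internal addresses"
    if user in RESTRICTED_ENDPOINTS_CREATORS:
        return True, "allowed: requester may create endpoints/restricted"
    return False, (
        f'endpoints "{name}" is forbidden: endpoint address '
        f"{restricted[0]} is not allowed"
    )


if __name__ == "__main__":
    # Constructed sample request: a regular user pointing at a pod IP.
    print(admit_endpoints("my-service", ["10.131.4.7"], "tomas"))
```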

