GatewayClass with custom configuration and ReferenceGrant to narrow cross-namespace access #3345
programmer04 started this conversation in General
Replies: 0 comments
This is an open question, food for thought, which I encountered during work on
Below is a simplified description that includes the core problem.

`GatewayClass` is a cluster-scoped resource that allows a field `ParametersRef` filled with an arbitrarily chosen K8s object in any namespace, e.g. a custom CRD `GatewayConfiguration` which is namespace-scoped. For this, `ReferenceGrant` can be easily implemented to narrow access. But imagine (this is a real case) that `GatewayConfiguration` can also reference some other namespace-scoped Kubernetes resources (e.g. let's assume it's `CustomPlugin`), which would be in another namespace. Furthermore, `Gateway` can be configured in any namespace based on `GatewayClass` and needs those namespace-scoped objects configured in it.

The open question is how `ReferenceGrant` should be implemented and evaluated in such a situation. Also, is it possible to implement it robustly? I mean that malicious actors won't be able to bypass it. Or maybe the most reasonable thing to do is to give up and document that for those, cross-namespace access is allowed and not restricted...
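Editor's note: the question above turns on how a controller evaluates a `ReferenceGrant`, so here is an added example (not code from the discussion, from Gateway API, or from any implementation) that models the rule as Gateway API defines it: a grant is namespaced and only ever covers objects in its own namespace, it must list the referencing group/kind/namespace under `from` and the referenced group/kind (optionally name) under `to`, and a same-namespace reference needs no grant at all. It is applied to the `GatewayConfiguration` -> `CustomPlugin` hop from the post; `GatewayConfiguration`, `CustomPlugin`, the API group `example.com` and every object name are assumptions standing in for the CRDs described there.

```python
"""ReferenceGrant evaluation for the GatewayConfiguration -> CustomPlugin hop.
Added example, not from the discussion or any Gateway API implementation; the
kinds, the API group "example.com" and all object names are assumptions."""
from dataclasses import dataclass
from typing import Optional

VENDOR_GROUP = "example.com"  # assumed API group of the custom CRDs


@dataclass(frozen=True)
class Ref:
    group: str
    kind: str
    namespace: str
    name: str


@dataclass(frozen=True)
class From:
    group: str
    kind: str
    namespace: str


@dataclass(frozen=True)
class To:
    group: str
    kind: str
    name: Optional[str] = None  # None: every object of that kind


@dataclass(frozen=True)
class ReferenceGrant:
    namespace: str  # grants are namespaced and only cover targets in that namespace
    from_: tuple
    to: tuple


def grant_allows(grant: ReferenceGrant, src: Ref, dst: Ref) -> bool:
    """Does this single grant authorize src -> dst?"""
    if grant.namespace != dst.namespace:
        # Only the owner of the target namespace may open it up. A grant in the
        # source namespace would let the referrer authorize itself, so it is ignored.
        return False
    from_ok = any(
        f.group == src.group and f.kind == src.kind and f.namespace == src.namespace
        for f in grant.from_
    )
    to_ok = any(
        t.group == dst.group and t.kind == dst.kind and t.name in (None, dst.name)
        for t in grant.to
    )
    return from_ok and to_ok


def reference_permitted(src: Ref, dst: Ref, grants) -> bool:
    """Same-namespace references need no grant; cross-namespace ones need a
    matching grant that lives in the target namespace."""
    if src.namespace == dst.namespace:
        return True
    return any(grant_allows(g, src, dst) for g in grants)


def first_denied_hop(chain, grants):
    """Check every hop of a reference chain; return the first (src, dst) pair
    that is not permitted, or None if the whole chain is covered."""
    for src, dst in zip(chain, chain[1:]):
        if not reference_permitted(src, dst, grants):
            return src, dst
    return None


def scenario() -> dict:
    """Constructed objects and grants exercising the corner cases."""
    cfg = Ref(VENDOR_GROUP, "GatewayConfiguration", "infra", "gw-config")
    auth_plugin = Ref(VENDOR_GROUP, "CustomPlugin", "plugins", "auth")
    debug_plugin = Ref(VENDOR_GROUP, "CustomPlugin", "plugins", "debug")
    local_plugin = Ref(VENDOR_GROUP, "CustomPlugin", "infra", "local")

    # Created by the owner of "plugins": only "auth" may be referenced, and
    # only by GatewayConfiguration objects in "infra".
    good = ReferenceGrant("plugins",
                          (From(VENDOR_GROUP, "GatewayConfiguration", "infra"),),
                          (To(VENDOR_GROUP, "CustomPlugin", "auth"),))
    # Created in the *source* namespace by whoever controls "infra"; it names
    # the right kinds but must carry no weight for targets in "plugins".
    forged = ReferenceGrant("infra",
                            (From(VENDOR_GROUP, "GatewayConfiguration", "infra"),),
                            (To(VENDOR_GROUP, "CustomPlugin"),))

    return {
        "no_grants": reference_permitted(cfg, auth_plugin, []),
        "owner_grant": reference_permitted(cfg, auth_plugin, [good]),
        "forged_grant_only": reference_permitted(cfg, auth_plugin, [forged]),
        "name_not_listed": reference_permitted(cfg, debug_plugin, [good, forged]),
        "same_namespace": reference_permitted(cfg, local_plugin, []),
        "denied_hop": first_denied_hop([cfg, debug_plugin], [good]),
    }
```

The `forged_grant_only` case is the check a practitioner most wants when asking whether the mechanism can be bypassed: the existence of a `ReferenceGrant` object proves nothing by itself, the controller's evaluation is the enforcement point, and it must consult only grants in the namespace of the referenced object. `first_denied_hop` is there to make the other half of the question concrete: a multi-hop configuration such as the one in the post is only as tight as its least-checked hop, so each namespaced reference in the chain has to be evaluated, not just the first one.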