Merge pull request #12441 from ramr/disable-ns-checks

Merged by openshift-bot
openshift · Jan 19, 2017 · b2508ea · b2508ea
2 parents 00ee096 + b97a0d2
commit b2508ea
Show file tree

Hide file tree

Showing 21 changed files with 276 additions and 38 deletions.
diff --git a/contrib/completions/bash/oadm b/contrib/completions/bash/oadm
@@ -4424,6 +4424,8 @@ _oadm_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")

diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc
@@ -4398,6 +4398,8 @@ _oc_adm_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")

diff --git a/contrib/completions/bash/openshift b/contrib/completions/bash/openshift
@@ -4424,6 +4424,8 @@ _openshift_admin_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")
@@ -9164,6 +9166,8 @@ _openshift_cli_adm_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")
@@ -20805,6 +20809,8 @@ _openshift_infra_f5-router()
     local_nonpersistent_flags+=("--context=")
     flags+=("--denied-domains=")
     local_nonpersistent_flags+=("--denied-domains=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--f5-host=")
     local_nonpersistent_flags+=("--f5-host=")
     flags+=("--f5-http-vserver=")
@@ -20988,6 +20994,8 @@ _openshift_infra_router()
     local_nonpersistent_flags+=("--default-certificate-path=")
     flags+=("--denied-domains=")
     local_nonpersistent_flags+=("--denied-domains=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--extended-validation")
     local_nonpersistent_flags+=("--extended-validation")
     flags+=("--fields=")

diff --git a/contrib/completions/zsh/oadm b/contrib/completions/zsh/oadm
@@ -4572,6 +4572,8 @@ _oadm_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")

diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc
@@ -4546,6 +4546,8 @@ _oc_adm_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")

diff --git a/contrib/completions/zsh/openshift b/contrib/completions/zsh/openshift
@@ -4572,6 +4572,8 @@ _openshift_admin_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")
@@ -9312,6 +9314,8 @@ _openshift_cli_adm_router()
     local_nonpersistent_flags+=("--create")
     flags+=("--default-cert=")
     local_nonpersistent_flags+=("--default-cert=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--expose-metrics")
@@ -20953,6 +20957,8 @@ _openshift_infra_f5-router()
     local_nonpersistent_flags+=("--context=")
     flags+=("--denied-domains=")
     local_nonpersistent_flags+=("--denied-domains=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--f5-host=")
     local_nonpersistent_flags+=("--f5-host=")
     flags+=("--f5-http-vserver=")
@@ -21136,6 +21142,8 @@ _openshift_infra_router()
     local_nonpersistent_flags+=("--default-certificate-path=")
     flags+=("--denied-domains=")
     local_nonpersistent_flags+=("--denied-domains=")
+    flags+=("--disable-namespace-ownership-check")
+    local_nonpersistent_flags+=("--disable-namespace-ownership-check")
     flags+=("--extended-validation")
     local_nonpersistent_flags+=("--extended-validation")
     flags+=("--fields=")

diff --git a/docs/man/man1/oadm-router.1 b/docs/man/man1/oadm-router.1
@@ -35,6 +35,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-default\-cert\fP=""
     Optional path to a certificate file that be used as the default certificate.  The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
 
+.PP
+\fB\-\-disable\-namespace\-ownership\-check\fP=false
+    Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub\-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
+
 .PP
 \fB\-\-dry\-run\fP=false
     If true, show the result of the operation without performing it.

diff --git a/docs/man/man1/oc-adm-router.1 b/docs/man/man1/oc-adm-router.1
@@ -35,6 +35,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-default\-cert\fP=""
     Optional path to a certificate file that be used as the default certificate.  The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
 
+.PP
+\fB\-\-disable\-namespace\-ownership\-check\fP=false
+    Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub\-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
+
 .PP
 \fB\-\-dry\-run\fP=false
     If true, show the result of the operation without performing it.

diff --git a/docs/man/man1/openshift-admin-router.1 b/docs/man/man1/openshift-admin-router.1
@@ -35,6 +35,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-default\-cert\fP=""
     Optional path to a certificate file that be used as the default certificate.  The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
 
+.PP
+\fB\-\-disable\-namespace\-ownership\-check\fP=false
+    Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub\-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
+
 .PP
 \fB\-\-dry\-run\fP=false
     If true, show the result of the operation without performing it.

diff --git a/docs/man/man1/openshift-cli-adm-router.1 b/docs/man/man1/openshift-cli-adm-router.1
@@ -35,6 +35,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-default\-cert\fP=""
     Optional path to a certificate file that be used as the default certificate.  The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
 
+.PP
+\fB\-\-disable\-namespace\-ownership\-check\fP=false
+    Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub\-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
+
 .PP
 \fB\-\-dry\-run\fP=false
     If true, show the result of the operation without performing it.

diff --git a/docs/man/man1/openshift-infra-f5-router.1 b/docs/man/man1/openshift-infra-f5-router.1
@@ -67,6 +67,10 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
 \fB\-\-denied\-domains\fP=[]
     List of comma separated domains to deny in routes
 
+.PP
+\fB\-\-disable\-namespace\-ownership\-check\fP=false
+    Disables the namespace ownership checks for a route host with different paths or for overlapping host names in the case of wildcard routes. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub\-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
+
 .PP
 \fB\-\-f5\-host\fP=""
     The host of F5 BIG\-IP's management interface

diff --git a/docs/man/man1/openshift-infra-router.1 b/docs/man/man1/openshift-infra-router.1
@@ -89,6 +89,10 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
 \fB\-\-denied\-domains\fP=[]
     List of comma separated domains to deny in routes
 
+.PP
+\fB\-\-disable\-namespace\-ownership\-check\fP=false
+    Disables the namespace ownership checks for a route host with different paths or for overlapping host names in the case of wildcard routes. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub\-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
+
 .PP
 \fB\-\-extended\-validation\fP=true
     If set, then an additional extended validation step is performed on all routes admitted in by this router. Defaults to true and enables the extended validation checks.

diff --git a/pkg/cmd/admin/router/router.go b/pkg/cmd/admin/router/router.go
@@ -201,6 +201,22 @@ type RouterConfig struct {
 	// boundaries for users and applications.
 	ExternalHostPartitionPath string
 
+	// DisableNamespaceOwnershipCheck overrides the same namespace check
+	// for different paths to a route host or for overlapping host names
+	// in case of wildcard routes.
+	// E.g. Setting this flag to false allows www.example.org/path1 and
+	//      www.example.org/path2 to be claimed by namespaces nsone and
+	//      nstwo respectively. And for wildcard routes, this allows
+	//      overlapping host names (*.example.test vs foo.example.test)
+	//      to be claimed by different namespaces.
+	//
+	// Warning: Please be aware that if namespace ownership checks are
+	//          disabled, routes in a different namespace can use this
+	//          mechanism to "steal" sub-paths for existing domains.
+	//          This is only safe if route creation privileges are
+	//          restricted, or if all the users can be trusted.
+	DisableNamespaceOwnershipCheck bool
+
 	// ExposeMetrics is a hint on whether to expose metrics.
 	ExposeMetrics bool
 
@@ -284,6 +300,7 @@ func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.
 	cmd.Flags().StringVar(&cfg.ExternalHostVxLANGateway, "external-host-vxlan-gw", cfg.ExternalHostVxLANGateway, "If the underlying router implementation requires VxLAN access to the pod network, this is the gateway address that should be used in cidr format.")
 	cmd.Flags().BoolVar(&cfg.ExternalHostInsecure, "external-host-insecure", cfg.ExternalHostInsecure, "If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.")
 	cmd.Flags().StringVar(&cfg.ExternalHostPartitionPath, "external-host-partition-path", cfg.ExternalHostPartitionPath, "If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.")
+	cmd.Flags().BoolVar(&cfg.DisableNamespaceOwnershipCheck, "disable-namespace-ownership-check", cfg.DisableNamespaceOwnershipCheck, "Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.")
 
 	cmd.MarkFlagFilename("credentials", "kubeconfig")
 	cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the router will use to make API calls")
@@ -663,6 +680,9 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 		env["ROUTER_SUBDOMAIN"] = cfg.ForceSubdomain
 		env["ROUTER_OVERRIDE_HOSTNAME"] = "true"
 	}
+	if cfg.DisableNamespaceOwnershipCheck {
+		env["ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK"] = "true"
+	}
 	env.Add(secretEnv)
 	if len(defaultCert) > 0 {
 		if cfg.SecretsAsEnv {

diff --git a/pkg/cmd/infra/router/f5.go b/pkg/cmd/infra/router/f5.go
@@ -220,8 +220,8 @@ func (o *F5RouterOptions) Run() error {
 	}
 
 	statusPlugin := controller.NewStatusAdmitter(f5Plugin, oc, o.RouterName)
-	uniqueHostPlugin := controller.NewUniqueHost(statusPlugin, o.RouteSelectionFunc(), statusPlugin)
-	plugin := controller.NewHostAdmitter(uniqueHostPlugin, o.F5RouteAdmitterFunc(), false, statusPlugin)
+	uniqueHostPlugin := controller.NewUniqueHost(statusPlugin, o.RouteSelectionFunc(), o.RouterSelection.DisableNamespaceOwnershipCheck, statusPlugin)
+	plugin := controller.NewHostAdmitter(uniqueHostPlugin, o.F5RouteAdmitterFunc(), false, o.RouterSelection.DisableNamespaceOwnershipCheck, statusPlugin)
 
 	factory := o.RouterSelection.NewFactory(oc, kc)
 	watchNodes := (len(o.InternalAddress) != 0 && len(o.VxlanGateway) != 0)

diff --git a/pkg/cmd/infra/router/router.go b/pkg/cmd/infra/router/router.go
@@ -51,8 +51,9 @@ type RouterSelection struct {
 	AllowedDomains     []string
 	WhitelistedDomains sets.String
 
-	AllowWildcardRoutes        bool
-	RestrictSubdomainOwnership bool
+	AllowWildcardRoutes bool
+
+	DisableNamespaceOwnershipCheck bool
 }
 
 // Bind sets the appropriate labels
@@ -68,6 +69,7 @@ func (o *RouterSelection) Bind(flag *pflag.FlagSet) {
 	flag.StringSliceVar(&o.DeniedDomains, "denied-domains", envVarAsStrings("ROUTER_DENIED_DOMAINS", "", ","), "List of comma separated domains to deny in routes")
 	flag.StringSliceVar(&o.AllowedDomains, "allowed-domains", envVarAsStrings("ROUTER_ALLOWED_DOMAINS", "", ","), "List of comma separated domains to allow in routes. If specified, only the domains in this list will be allowed routes. Note that domains in the denied list take precedence over the ones in the allowed list")
 	flag.BoolVar(&o.AllowWildcardRoutes, "allow-wildcard-routes", cmdutil.Env("ROUTER_ALLOW_WILDCARD_ROUTES", "") == "true", "Allow wildcard host names for routes")
+	flag.BoolVar(&o.DisableNamespaceOwnershipCheck, "disable-namespace-ownership-check", cmdutil.Env("ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK", "") == "true", "Disables the namespace ownership checks for a route host with different paths or for overlapping host names in the case of wildcard routes. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.")
 }
 
 // RouteSelectionFunc returns a func that identifies the host for a route.
@@ -204,9 +206,6 @@ func (o *RouterSelection) Complete() error {
 	o.BlacklistedDomains = sets.NewString(o.DeniedDomains...)
 	o.WhitelistedDomains = sets.NewString(o.AllowedDomains...)
 
-	// Restrict subdomains is currently enforced for wildcard routes.
-	o.RestrictSubdomainOwnership = o.AllowWildcardRoutes
-
 	return nil
 }
 

diff --git a/pkg/cmd/infra/router/template.go b/pkg/cmd/infra/router/template.go
@@ -211,8 +211,8 @@ func (o *TemplateRouterOptions) Run() error {
 	if o.ExtendedValidation {
 		nextPlugin = controller.NewExtendedValidator(nextPlugin, controller.RejectionRecorder(statusPlugin))
 	}
-	uniqueHostPlugin := controller.NewUniqueHost(nextPlugin, o.RouteSelectionFunc(), controller.RejectionRecorder(statusPlugin))
-	plugin := controller.NewHostAdmitter(uniqueHostPlugin, o.RouteAdmissionFunc(), o.RestrictSubdomainOwnership, controller.RejectionRecorder(statusPlugin))
+	uniqueHostPlugin := controller.NewUniqueHost(nextPlugin, o.RouteSelectionFunc(), o.RouterSelection.DisableNamespaceOwnershipCheck, controller.RejectionRecorder(statusPlugin))
+	plugin := controller.NewHostAdmitter(uniqueHostPlugin, o.RouteAdmissionFunc(), o.AllowWildcardRoutes, o.RouterSelection.DisableNamespaceOwnershipCheck, controller.RejectionRecorder(statusPlugin))
 
 	factory := o.RouterSelection.NewFactory(oc, kc)
 	controller := factory.Create(plugin, false)