Multi-tenant restrict record names per namespace #2573
binarytemple started this conversation in Ideas
Replies: 1 comment
I've been reading the sources/various readme files, but I haven't seen anything similar.
The problem I'm trying to solve is a namespace per team with a restricted set of allowable domain names per namespace.
Each team should be able to create records under a single top-level domain i.e.
And your project looks like it can solve this in a way that is trivial for users.
We need to restrict domain names specified by the service using a namespace-wide restriction so that a workload running in a particular namespace can specify specific domain names.
I'll illustrate with an example:
A service(s) definitely in the namespace, bob, will be restricted to setting the following domain names for its services:
<foo>.subdomain.domain.tld
<bar>.subdomain.domain.tld
And a service running in the namespace alice will be restricted to specifying the following domain name:
<baz>.subdomain.domain.tld
The goal is to prevent (for misconfiguration or malice) the ability of one team to deploy a workload that "steals" the domain for another team.
I can't think of a way to implement this other than a custom admission controller that will need to perform many string comparisons and separately maintain a list of allowed domain patterns per namespace.
Are there more straightforward ways to accomplish this goal?
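The per-namespace name check the post describes, sketched in Go as an added example (not code from the original post or from the project under discussion). The policy map, the `*.` wildcard convention and the names `allowedNames`, `normalize` and `hostnameAllowed` are assumptions of this sketch; it shows the comparison details that matter for such a check: case and trailing-dot normalization, matching on a label boundary, and denying by default.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed policy: namespace -> DNS names it may claim. An entry starting
// with "*." permits any name beneath that suffix (an assumption of this sketch).
var allowedNames = map[string][]string{
	"bob":   {"foo.subdomain.domain.tld", "bar.subdomain.domain.tld"},
	"alice": {"baz.subdomain.domain.tld", "*.baz.subdomain.domain.tld"},
}

// normalize lower-cases a name and strips the trailing root dot, so
// "Foo.Subdomain.Domain.TLD." and "foo.subdomain.domain.tld" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// hostnameAllowed reports whether a workload in namespace may claim hostname.
// Unknown namespaces and empty names are denied (fail closed).
func hostnameAllowed(namespace, hostname string) bool {
	host := normalize(hostname)
	if host == "" {
		return false
	}
	for _, pattern := range allowedNames[namespace] {
		p := normalize(pattern)
		if strings.HasPrefix(p, "*.") {
			// Compare on a label boundary (keep the leading dot); a bare
			// suffix test would also accept "evilbaz.subdomain.domain.tld".
			if strings.HasSuffix(host, p[1:]) && len(host) > len(p[1:]) {
				return true
			}
		} else if host == p {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(hostnameAllowed("bob", "foo.subdomain.domain.tld"))       // own name
	fmt.Println(hostnameAllowed("alice", "foo.subdomain.domain.tld"))     // bob's name
	fmt.Println(hostnameAllowed("alice", "api.baz.subdomain.domain.tld")) // under wildcard
}
```

In an admission webhook this function would be called with the object's namespace and every hostname the object requests, rejecting the object if any call returns false.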