The plugin should only consider HTTPProxies from the same namespace as the Rollout resource

Question

The plugin should only consider HTTPProxies from the same namespace as the Rollout resource

mvgmb opened this issue 2 years ago · 1 comments

Summary

The plugin should only consider HTTPProxies from the same namespace as the Rollout resource.

Motivation

As of right now, the plugin is capable of changing the weight of HTTPProxies from other namespaces, i.e.:

apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: api
  namespace: default
spec:
  strategy:
    canary:
      canaryService: api-canary
      stableService: api
      trafficRouting:
        plugins:
          argoproj-labs/contour:
            namespace: another-namespace
            httpProxy: api
      steps:
        - setWeight: 25

The Rollout above can alter the HTTPProxy from the another-namespace, even though it's in the default namespace.

This allows anyone to deploy a Rollout in any namespace and alter any HTTPProxy within the cluster.

Proposal

The plugin should be limited to HTTPProxies from the same namespace as the Rollout resource.

Argo Rollouts follow the same principle, all traffic management configurations only allow changing resources from the same namespace as the Rollout. As an example, we can turn to the NGINX doc:

The stable Ingress field is a reference to an Ingress in the same namespace of the Rollout

Answer 1 · 2023-05-26T10:10:39.000Z

@mvgmb thx, i will review it later