Multi-tenant restrict record names per namespace #2573
binarytemple
started this conversation in
Ideas
Replies: 1 comment
I've been reading the sources/various readme files, but I haven't seen anything similar.
The problem I'm trying to solve is a namespace per team with a restricted set of allowable domain names per namespace.
Each team should be able to create records under a single top-level domain i.e.
And your project looks like it can solve this in a way that is trivial for users.
We need to restrict the domain names specified by the service using a namespace-wide restriction, so that a workload running in a particular namespace can only specify specific domain names.
I'll illustrate with an example:
A service(s) definitely in the namespace, bob, will be restricted to setting the following domain names for its services:
<foo>.subdomain.domain.tld
<bar>.subdomain.domain.tld
And a service running in the namespace alice will be restricted to specifying the following domain name
<baz>.subdomain.domain.tld
The goal is to prevent (for misconfiguration or malice) the ability of one team to deploy a workload that "steals" the domain for another team.
I can't think of a way to implement this other than a custom admission controller that will need to perform many string comparisons and separately maintain a list of allowed domain patterns per namespace.
Are there more straightforward ways to accomplish this goal?
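As an added example (not code from this post or from the project), here is the core of the per-namespace check such an admission controller would run: a namespace-keyed allow-list of record names, default-deny for unlisted namespaces, case and trailing-dot normalisation so a name cannot slip past by spelling, and an optional leading `*` label that matches exactly one DNS label. The policy values and the comma-separated hostname input are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy maps a namespace to the record names it may claim. A pattern label of
// "*" matches exactly one label, so "*.sub.domain.tld" admits "foo.sub.domain.tld"
// but not "x.foo.sub.domain.tld" or the bare "sub.domain.tld".
type Policy map[string][]string

// Constructed sample policy mirroring the bob/alice example above.
var samplePolicy = Policy{
	"bob":   {"foo.subdomain.domain.tld", "bar.subdomain.domain.tld"},
	"alice": {"baz.subdomain.domain.tld"},
}

// normalize folds case and strips whitespace and a trailing dot, so
// "BAR.subdomain.domain.tld." compares equal to the listed name.
func normalize(h string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(h), "."))
}

// matchPattern compares label by label; label counts must be identical.
func matchPattern(pattern, host string) bool {
	p := strings.Split(normalize(pattern), ".")
	h := strings.Split(host, ".")
	if len(p) != len(h) {
		return false
	}
	for i := range p {
		if p[i] != "*" && p[i] != h[i] {
			return false
		}
	}
	return true
}

// Validate takes the requesting namespace and a comma-separated hostname list
// (as an annotation value might carry it) and returns the names to deny.
// A namespace with no policy entry is denied everything (default deny).
func Validate(pol Policy, namespace, hostnames string) []string {
	var denied []string
	for _, raw := range strings.Split(hostnames, ",") {
		host := normalize(raw)
		if host == "" {
			continue
		}
		ok := false
		for _, pat := range pol[namespace] {
			if matchPattern(pat, host) {
				ok = true
				break
			}
		}
		if !ok {
			denied = append(denied, host)
		}
	}
	return denied
}

func main() {
	// alice attempting bob's name: only foo.subdomain.domain.tld is denied.
	fmt.Println(Validate(samplePolicy, "alice", "foo.subdomain.domain.tld,baz.subdomain.domain.tld"))
}
```

A real webhook would wrap `Validate` in the AdmissionReview handling and reject the object whenever the returned slice is non-empty.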