Allow limiting Contour to watch certain namespaces (#5214)

Signed-off-by: Niklas Simons <[email protected]>

Author: nsimons

Makefile

@@ -20,6 +20,9 @@ CONTOUR_E2E_LOCAL_HOST ?= $(LOCALIP)
 CONTOUR_UPGRADE_FROM_VERSION ?= $(shell ./test/scripts/get-contour-upgrade-from-version.sh)
 CONTOUR_E2E_IMAGE ?= ghcr.io/projectcontour/contour:main
 CONTOUR_E2E_PACKAGE_FOCUS ?= ./test/e2e
+# Optional variables
+# Run specific test specs (matched by regex)
+CONTOUR_E2E_TEST_FOCUS ?=
 
 TAG_LATEST ?= false
 
@@ -322,8 +325,8 @@ e2e: | setup-kind-cluster load-contour-image-kind run-e2e cleanup-kind ## Run E2
 .PHONY: run-e2e
 run-e2e:
 	CONTOUR_E2E_LOCAL_HOST=$(CONTOUR_E2E_LOCAL_HOST) \
-		CONTOUR_E2E_IMAGE=$(CONTOUR_E2E_IMAGE) \
-		go run github.com/onsi/ginkgo/v2/ginkgo -tags=e2e -mod=readonly -skip-package=upgrade,bench -keep-going -randomize-suites -randomize-all -poll-progress-after=120s -r $(CONTOUR_E2E_PACKAGE_FOCUS)
+	CONTOUR_E2E_IMAGE=$(CONTOUR_E2E_IMAGE) \
+	go run github.com/onsi/ginkgo/v2/ginkgo -tags=e2e -mod=readonly -skip-package=upgrade,bench -keep-going -randomize-suites -randomize-all -poll-progress-after=120s --focus '$(CONTOUR_E2E_TEST_FOCUS)' -r $(CONTOUR_E2E_PACKAGE_FOCUS)
 
 .PHONY: cleanup-kind
 cleanup-kind:

changelogs/unreleased/5214-nsimons-minor.md

@@ -0,0 +1,14 @@
+## Watching specific namespaces
+
+The `contour serve` command takes a new optional flag, `--watch-namespaces`, that can
+be used to restrict the namespaces where the Contour instance watches for resources.
+Consequently, resources in other namespaces will not be known to Contour and will not
+be acted upon.
+
+You can watch a single or multiple namespaces, and you can further restrict the root
+namespaces with `--root-namespaces` just like before. Root namespaces must be a subset
+of the namespaces being watched, for example:
+
+`--watch-namespaces=my-admin-namespace,my-app-namespace --root-namespaces=my-admin-namespace`
+
+If the `--watch-namespaces` flag is not used, then all namespaces will be watched by default.

cmd/contour/serve.go

@@ -166,6 +166,8 @@ func registerServe(app *kingpin.Application) (*kingpin.CmdClause, *serveContext)
 
 	serve.Flag("use-proxy-protocol", "Use PROXY protocol for all listeners.").BoolVar(&ctx.useProxyProto)
 
+	serve.Flag("watch-namespaces", "Restrict contour to watch resources in these namespaces only.").PlaceHolder("<ns,ns>").StringVar(&ctx.watchNamespaces)
+
 	serve.Flag("xds-address", "xDS gRPC API address.").PlaceHolder("<ipaddr>").StringVar(&ctx.xdsAddr)
 	serve.Flag("xds-port", "xDS gRPC API port.").PlaceHolder("<port>").IntVar(&ctx.xdsPort)
 
@@ -256,6 +258,12 @@ func NewServer(log logrus.FieldLogger, ctx *serveContext) (*Server, error) {
 			},
 		},
 	}
+
+	if watchedNamespaces := ctx.watchedNamespaces(); watchedNamespaces != nil {
+		log.WithField("namespaces", watchedNamespaces).Info("watching subset of namespaces")
+		options.Cache.Namespaces = watchedNamespaces
+	}
+
 	if ctx.LeaderElection.Disable {
 		log.Info("Leader election disabled")
 		options.LeaderElection = false
@@ -345,26 +353,47 @@ func (s *Server) doServe() error {
 		return err
 	}
 
-	// informerNamespaces is a set of namespaces that we should start informers for.
-	// If empty, informers will be started for all namespaces.
-	informerNamespaces := sets.NewString()
+	// Check that all the necessary namespaces are being watched
+	watchedNamespaces := sets.New(s.ctx.watchedNamespaces()...)
+	rootNamespaces := contourConfiguration.HTTPProxy.RootNamespaces
+
+	if len(watchedNamespaces) > 0 {
+		if !watchedNamespaces.IsSuperset(sets.New(rootNamespaces...)) {
+			return fmt.Errorf("not all root namespaces are being watched")
+		}
+
+		if fallbackCert := contourConfiguration.HTTPProxy.FallbackCertificate; fallbackCert != nil {
+			if !watchedNamespaces.Has(fallbackCert.Namespace) {
+				return fmt.Errorf("the fallbackCertificate namespace (%s) must be watched", fallbackCert.Namespace)
+			}
+		}
+		if clientCert := contourConfiguration.Envoy.ClientCertificate; clientCert != nil {
+			if !watchedNamespaces.Has(clientCert.Namespace) {
+				return fmt.Errorf("the clientCertificate namespace (%s) must be watched", clientCert.Namespace)
+			}
+		}
+	}
+
+	// secretNamespaces is a set of namespaces that we should start secret informer for.
+	// If empty, secret informer will be started for all namespaces.
+	secretNamespaces := sets.New[string]()
 
-	if rootNamespaces := contourConfiguration.HTTPProxy.RootNamespaces; len(rootNamespaces) > 0 {
+	if len(rootNamespaces) > 0 {
 		s.log.WithField("context", "root-namespaces").Infof("watching root namespaces %q", rootNamespaces)
-		informerNamespaces.Insert(rootNamespaces...)
+		secretNamespaces.Insert(rootNamespaces...)
 
-		// The fallback cert and client cert's namespaces only need to be added to informerNamespaces
-		// if we're processing specifici root namespaces, because otherwise, the informers will start
+		// The fallback cert and client cert's namespaces only need to be added to secretNamespaces
+		// if we're processing specific root namespaces, because otherwise, the informer will start
 		// for all namespaces so the below will automatically be included.
 
 		if fallbackCert := contourConfiguration.HTTPProxy.FallbackCertificate; fallbackCert != nil {
 			s.log.WithField("context", "fallback-certificate").Infof("watching fallback certificate namespace %q", fallbackCert.Namespace)
-			informerNamespaces.Insert(fallbackCert.Namespace)
+			secretNamespaces.Insert(fallbackCert.Namespace)
 		}
 
 		if clientCert := contourConfiguration.Envoy.ClientCertificate; clientCert != nil {
 			s.log.WithField("context", "envoy-client-certificate").Infof("watching client certificate namespace %q", clientCert.Namespace)
-			informerNamespaces.Insert(clientCert.Namespace)
+			secretNamespaces.Insert(clientCert.Namespace)
 		}
 	}
 
@@ -536,8 +565,8 @@ func (s *Server) doServe() error {
 	var handler cache.ResourceEventHandler = eventHandler
 
 	// If root namespaces are defined, filter for secrets in only those namespaces.
-	if len(informerNamespaces) > 0 {
-		handler = k8s.NewNamespaceFilter(informerNamespaces.List(), eventHandler)
+	if len(secretNamespaces) > 0 {
+		handler = k8s.NewNamespaceFilter(sets.List(secretNamespaces), eventHandler)
 	}
 
 	if err := informOnResource(&corev1.Secret{}, handler, s.mgr.GetCache()); err != nil {

cmd/contour/servecontext.go

@@ -62,6 +62,9 @@ type serveContext struct {
 	// httpproxy root namespaces
 	rootNamespaces string
 
+	// Watch only these namespaces to allow running with limited RBAC permissions.
+	watchNamespaces string
+
 	// ingress class
 	ingressClassName string
 
@@ -249,6 +252,17 @@ func (ctx *serveContext) proxyRootNamespaces() []string {
 	return ns
 }
 
+func (ctx *serveContext) watchedNamespaces() []string {
+	if strings.TrimSpace(ctx.watchNamespaces) == "" {
+		return nil
+	}
+	var ns []string
+	for _, s := range strings.Split(ctx.watchNamespaces, ",") {
+		ns = append(ns, strings.TrimSpace(s))
+	}
+	return ns
+}
+
 // parseDefaultHTTPVersions parses a list of supported HTTP versions
 // (of the form "HTTP/xx") into a slice of unique version constants.
 func parseDefaultHTTPVersions(versions []contour_api_v1alpha1.HTTPVersionType) []envoy_v3.HTTPVersionType {

examples/namespaced/kustomization.yaml

@@ -0,0 +1,57 @@
+# This kustomize file can be used as an example for deploying Contour without ClusterRole and
+# ClusterRoleBinding RBAC privileges.
+# It changes the cluster-wide RBAC rules in the example deployment manifest to namespaced RBAC rules.
+# It is meant to be used together with contour serve --watch-namespaces=<ns> option to restrict
+# Contour to a certain namespace.
+# Run with:
+#   kubectl kustomize examples/namespaced/
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../render/
+patches:
+  - patch: |-
+      - op: replace
+        path: /kind
+        value: RoleBinding
+      - op: replace
+        path: /metadata/name
+        value: contour-resources
+      - op: replace
+        path: /roleRef/kind
+        value: Role
+      - op: replace
+        path: /roleRef/name
+        value: contour-resources
+      - op: add
+        path: /metadata/namespace
+        value: projectcontour
+    target:
+      group: rbac.authorization.k8s.io
+      kind: ClusterRoleBinding
+      name: contour
+      version: v1
+  - patch: |-
+      - op: replace
+        path: /kind
+        value: Role
+      - op: replace
+        path: /metadata/name
+        value: contour-resources
+      - op: add
+        path: /metadata/namespace
+        value: projectcontour
+    target:
+      group: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: contour
+      version: v1
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --watch-namespaces=projectcontour
+    target:
+      group: apps
+      kind: Deployment
+      name: contour
+      version: v1

site/content/docs/main/config/inclusion-delegation.md

@@ -91,6 +91,8 @@ spec:
 Inclusion can also happen across Namespaces by specifying a `namespace` in the `inclusion`.
 This is a particularly powerful paradigm for enabling multi-team Ingress management.
 
+If the `--watch-namespaces` configuration flag is used, it must define all namespaces that will be referenced by the inclusion.
+
 In this example, the root HTTPProxy has included configuration for paths matching `/blog` to the `blog` HTTPProxy object in the `marketing` namespace.
 
 ```yaml

site/content/docs/main/config/tls-delegation.md

@@ -4,6 +4,8 @@ In order to support wildcard certificates, TLS certificates for a `*.somedomain.
 This facility allows the owner of a TLS certificate to delegate, for the purposes of referencing the TLS certificate, permission to Contour to read the Secret object from another namespace.
 Delegation works for both HTTPProxy and Ingress resources, however it needs an annotation to work with Ingress v1.
 
+If the `--watch-namespaces` configuration flag is used, it must define all namespaces that will be referenced by the delegation.
+
 The [`TLSCertificateDelegation`][1] resource defines a set of `delegations` in the `spec`.
 Each delegation references a `secretName` from the namespace where the `TLSCertificateDelegation` is created as well as describing a set of `targetNamespaces` in which the certificate can be referenced.
 If all namespaces should be able to reference the secret, then set `"*"` as the value of `targetNamespaces` (see example below).
@@ -24,7 +26,7 @@ spec:
       - "*"
 ```
 
-In this example, the permission for Contour to reference the Secret `example-com-wildcard` in the `admin` namespace has been delegated to HTTPProxy and Ingress objects in the `example-com` namespace.
+In this example, the permission for Contour to reference the Secret `example-com-wildcard` in the `www-admin` namespace has been delegated to HTTPProxy and Ingress objects in the `example-com` namespace.
 Also, the permission for Contour to reference the Secret `another-com-wildcard` from all namespaces has been delegated to all HTTPProxy and Ingress objects in the cluster.
 
 To reference the secret from an HTTPProxy or Ingress v1beta1 you must use the slash syntax in the `secretName`:

site/content/docs/main/config/virtual-hosts.md

@@ -132,7 +132,7 @@ Proper RBAC rules should also be created to restrict what namespaces Contour has
 An example of this is included in the [examples directory][1] and shows how you might create a namespace called `root-httproxy`.
 
 _**Note:** The restricted root namespace feature is only supported for HTTPProxy CRDs.
-`--root-namespaces` does not affect the operation of Ingress objects._
+`--root-namespaces` does not affect the operation of Ingress objects. In order to limit other resources, see the `--watch-namespaces` configuration flag._
 
 [1]: {{< param github_url>}}/tree/{{< param branch >}}/examples/root-rbac
 [2]: api/#projectcontour.io/v1.VirtualHost

site/content/docs/main/configuration.md

@@ -37,6 +37,7 @@ Many of these flags are mirrored in the [Contour Configuration File](#configurat
 | `--contour-key-file=</path/to/file\|CONTOUR_KEY_FILE>`          | Contour key file name for serving gRPC over TLS                                         |
 | `--insecure`                                                    | Allow serving without TLS secured gRPC                                                  |
 | `--root-namespaces=<ns,ns>`                                     | Restrict contour to searching these namespaces for root ingress routes                  |
+| `--watch-namespaces=<ns,ns>`                                    | Restrict contour to searching these namespaces for all resources                        |
 | `--ingress-class-name=<name>`                                   | Contour IngressClass name (comma-separated list allowed)                                |
 | `--ingress-status-address=<address>`                            | Address to set in Ingress object status                                                 |
 | `--envoy-http-access-log=</path/to/file>`                       | Envoy HTTP access log                                                                   |

site/content/docs/main/deploy-options.md

@@ -223,6 +223,9 @@ Also see the [upgrade guides][15] on steps to roll out a new version of Contour.
 
 It's possible to run multiple instances of Contour within a single Kubernetes cluster.
 This can be useful for separating external vs. internal ingress, for having separate ingress controllers for different ingress classes, and more.
+Each Contour instance can also be configured via the `--watch-namespaces` flag to handle their own namespaces. This allows the Kubernetes RBAC objects
+to be restricted further.
+
 The recommended way to deploy multiple Contour instances is to put each instance in its own namespace.
 This avoids most naming conflicts that would otherwise occur, and provides better logical separation between the instances.
 However, it is also possible to deploy multiple instances in a single namespace if needed; this approach requires more modifications to the example manifests to function properly.