From 42e53c9917e015d6b0face962b6ae97a5fbd53f5 Mon Sep 17 00:00:00 2001 From: Michael Pleshakov Date: Fri, 3 Aug 2018 11:21:20 +0100 Subject: [PATCH] Enforce annotations inheritance in minions - minions are only allowed to inherent certain annotations from their master Additional changes: - nginx.org/grpc-services is not allowed in the master anymore - nginx.org/server-snippets is not allowed in the minion anymore --- examples/mergeable-ingress-types/README.md | 16 ++++++++++++++++ nginx-controller/nginx/configurator.go | 8 ++++---- nginx-controller/nginx/configurator_test.go | 1 + nginx-controller/nginx/ingress.go | 17 +++++++++++++++++ 4 files changed, 38 insertions(+), 4 deletions(-) diff --git a/examples/mergeable-ingress-types/README.md b/examples/mergeable-ingress-types/README.md index ccfc61ba02..81711a27a5 100644 --- a/examples/mergeable-ingress-types/README.md +++ b/examples/mergeable-ingress-types/README.md @@ -13,6 +13,7 @@ ingress resource. Masters cannot contain the following annotations: * nginx.org/rewrites * nginx.org/ssl-services +* nginx.org/grpc-services * nginx.org/websocket-services * nginx.com/sticky-cookie-services * nginx.com/health-checks @@ -39,6 +40,21 @@ Minions cannot contain the following annotations: * nginx.com/jwt-realm * nginx.com/jwt-token * nginx.com/jwt-login-url +* nginx.org/server-snippets + +Minions inherent the following annotations from the master, unless they override them: +* nginx.org/proxy-connect-timeout +* nginx.org/proxy-read-timeout +* nginx.org/client-max-body-size +* nginx.org/proxy-buffering +* nginx.org/proxy-buffers +* nginx.org/proxy-buffer-size +* nginx.org/proxy-max-temp-file-size +* nginx.org/location-snippets +* nginx.org/lb-method +* nginx.org/keepalive +* nginx.org/max-fails +* nginx.org/fail-timeout Note: Ingress Resources with more than one host cannot be used. diff --git a/nginx-controller/nginx/configurator.go b/nginx-controller/nginx/configurator.go index 34f54eec23..81c9df8cfd 100644 --- a/nginx-controller/nginx/configurator.go +++ b/nginx-controller/nginx/configurator.go @@ -993,7 +993,7 @@ func filterMasterAnnotations(annotations map[string]string) []string { var removedAnnotations []string for key, _ := range annotations { - if _, ok := masterBlacklist[key]; ok { + if _, notAllowed := masterBlacklist[key]; notAllowed { removedAnnotations = append(removedAnnotations, key) delete(annotations, key) } @@ -1006,7 +1006,7 @@ func filterMinionAnnotations(annotations map[string]string) []string { var removedAnnotations []string for key, _ := range annotations { - if _, ok := minionBlacklist[key]; ok { + if _, notAllowed := minionBlacklist[key]; notAllowed { removedAnnotations = append(removedAnnotations, key) delete(annotations, key) } @@ -1017,8 +1017,8 @@ func filterMinionAnnotations(annotations map[string]string) []string { func mergeMasterAnnotationsIntoMinion(minionAnnotations map[string]string, masterAnnotations map[string]string) { for key, val := range masterAnnotations { - if _, ok := minionAnnotations[key]; !ok { - if _, ok := minionBlacklist[key]; !ok { + if _, exists := minionAnnotations[key]; !exists { + if _, allowed := minionInheritanceList[key]; allowed { minionAnnotations[key] = val } } diff --git a/nginx-controller/nginx/configurator_test.go b/nginx-controller/nginx/configurator_test.go index b6fb49020f..b9d0ef0dfe 100644 --- a/nginx-controller/nginx/configurator_test.go +++ b/nginx-controller/nginx/configurator_test.go @@ -134,6 +134,7 @@ func TestMergeMasterAnnotationsIntoMinion(t *testing.T) { "nginx.org/hsts": "True", "nginx.org/hsts-max-age": "2700000", "nginx.org/proxy-connect-timeout": "50s", + "nginx.com/jwt-token": "$cookie_auth_token", } minionAnnotations := map[string]string{ "nginx.org/client-max-body-size": "2m", diff --git a/nginx-controller/nginx/ingress.go b/nginx-controller/nginx/ingress.go index 3b8eb71760..ce3e514e40 100644 --- a/nginx-controller/nginx/ingress.go +++ b/nginx-controller/nginx/ingress.go @@ -23,6 +23,7 @@ type MergeableIngresses struct { var masterBlacklist = map[string]bool{ "nginx.org/rewrites": true, "nginx.org/ssl-services": true, + "nginx.org/grpc-services": true, "nginx.org/websocket-services": true, "nginx.com/sticky-cookie-services": true, "nginx.com/health-checks": true, @@ -45,4 +46,20 @@ var minionBlacklist = map[string]bool{ "nginx.com/jwt-realm": true, "nginx.com/jwt-token": true, "nginx.com/jwt-login-url": true, + "nginx.org/server-snippets": true, +} + +var minionInheritanceList = map[string]bool{ + "nginx.org/proxy-connect-timeout": true, + "nginx.org/proxy-read-timeout": true, + "nginx.org/client-max-body-size": true, + "nginx.org/proxy-buffering": true, + "nginx.org/proxy-buffers": true, + "nginx.org/proxy-buffer-size": true, + "nginx.org/proxy-max-temp-file-size": true, + "nginx.org/location-snippets": true, + "nginx.org/lb-method": true, + "nginx.org/keepalive": true, + "nginx.org/max-fails": true, + "nginx.org/fail-timeout": true, }