Thanks for the insight, Clayton. Running this on Online so extra permissions are out of the way.
In theory that admission could allow only the IPs I have access to per the rules used by the multitenant network plugin. (Especially when I am setting the pod IP from the same namespace.) I guess the cost of maintaining that duplicated logic would be too high.

On Tue, 2018-01-30 at 16:09 -0500, Clayton Coleman wrote:
> You can grant the role to the user to let them set it. However, that
> lets that app escape any network isolation boundaries so the
> multitenant network plugin won't work.
>
> You can also grant that permission to all users if you don't need the
> protection.
>
> > On Jan 30, 2018, at 3:18 PM, Tomas Nozicka <[email protected]> wrote:
> >
> > I need to direct Route/Service traffic from one namespace to another
> > which I have permissions to. (Possibly even the same namespace as well.)
> > Reading the Kubernetes documentation[1], Services without selectors seem
> > to be the way to do it. It requires you to set Endpoints manually (e.g.
> > to a Service or pod in another namespace) but OpenShift will forbid you
> > from doing that.
> >
> >   Error from server (Forbidden): error when creating "endpoints.yaml":
> >   endpoints "my-service" is forbidden: endpoint address 10.131.xxx.xxx is
> >   not allowed
> >
> > It requires you to have the endpoints/restricted permission, which regular
> > users don't have.
> >
> > Is that intentional? What are the reasons? (I think this is the place
> > forbidding it [2].)
> >
> > How else can a regular user do this? (Except running a "redirecting" pod,
> > which is fragile.)
> >
> > Thanks,
> > Tomas
> >
> > [1] - https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
> > [2] - https://github.com/openshift/origin/blob/de21f148d1ca66ca2bfd201136c2e99ebda767e9/pkg/service/admission/endpoint_admission.go#L121

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
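The exchange above turns on why a regular user's Endpoints object is rejected: the admission plugin linked as [2] treats any endpoint address that lies inside the cluster's own pod or service network as "restricted", and only lets it through when the caller is authorized for the endpoints/restricted subresource. The Go program below is an added example written for this page, not the origin code, and models that decision in simplified form so the reason for the "endpoint address ... is not allowed" error (and Clayton's point that granting the permission lets an app escape multitenant isolation) is concrete. It assumes OpenShift SDN's default CIDRs (10.128.0.0/14 for pods, 172.30.0.0/16 for services; a real cluster reads them from its ClusterNetwork object), a Role shape shown only in a comment, and constructed sample addresses.

```go
package main

import (
	"fmt"
	"net"
)

// EndpointAddress is the one field of an Endpoints subset address that the
// admission check cares about.
type EndpointAddress struct {
	IP string
}

// RestrictedChecker is a simplified model (written for this example, not the
// origin code) of the RestrictedEndpointsAdmission plugin: an endpoint address
// inside the cluster's pod network or service network is "restricted", and a
// user may only create such Endpoints if they are allowed the "create" verb on
// the endpoints/restricted subresource.
type RestrictedChecker struct {
	restrictedNets []*net.IPNet
}

// NewRestrictedChecker takes the cluster CIDRs that count as restricted.
func NewRestrictedChecker(cidrs []string) (*RestrictedChecker, error) {
	c := &RestrictedChecker{}
	for _, s := range cidrs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("bad cluster CIDR %q: %w", s, err)
		}
		c.restrictedNets = append(c.restrictedNets, n)
	}
	return c, nil
}

// RestrictedAddress returns the first address that falls inside a restricted
// network, or "" if every address is outside the cluster. An unparseable
// address is reported as restricted so the check fails closed (a choice made
// for this example; the API server's validation would normally reject it first).
func (c *RestrictedChecker) RestrictedAddress(addrs []EndpointAddress) string {
	for _, a := range addrs {
		ip := net.ParseIP(a.IP)
		if ip == nil {
			return a.IP
		}
		for _, n := range c.restrictedNets {
			if n.Contains(ip) {
				return a.IP
			}
		}
	}
	return ""
}

// Admit is the decision: forbidden when a restricted address is present and
// the caller has not been granted endpoints/restricted. Granting it means
// binding a Role whose rule looks like this (assumed shape, kept minimal):
//
//	rules:
//	- apiGroups: [""]
//	  resources: ["endpoints/restricted"]
//	  verbs: ["create"]
//
// which, as the thread notes, lets that user point a Service at any pod IP in
// the cluster and so bypass multitenant network isolation.
func (c *RestrictedChecker) Admit(addrs []EndpointAddress, canCreateRestricted bool) error {
	if bad := c.RestrictedAddress(addrs); bad != "" && !canCreateRestricted {
		return fmt.Errorf("endpoint address %s is not allowed", bad)
	}
	return nil
}

func main() {
	// Assumed OpenShift SDN defaults: pod network 10.128.0.0/14, service
	// network 172.30.0.0/16. A real cluster reads these from ClusterNetwork.
	c, err := NewRestrictedChecker([]string{"10.128.0.0/14", "172.30.0.0/16"})
	if err != nil {
		panic(err)
	}
	// Constructed sample addresses: a pod in another namespace, a ClusterIP,
	// and an external host (the only one a regular user may use).
	for _, tc := range []struct {
		addr    string
		granted bool
	}{
		{"10.131.4.7", false},
		{"10.131.4.7", true},
		{"172.30.1.1", false},
		{"192.0.2.10", false},
	} {
		err := c.Admit([]EndpointAddress{{IP: tc.addr}}, tc.granted)
		fmt.Printf("addr=%s endpoints/restricted=%v -> %v\n", tc.addr, tc.granted, err)
	}
}
```

The practical consequence for the question in the thread: a selector-less Service whose Endpoints point at an external address (outside both CIDRs) is fine for a regular user, while one pointing at a pod or ClusterIP in another namespace needs the endpoints/restricted grant, and granting it is a namespace-wide decision to trust that user with the isolation boundary.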
