diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go index d06b99bb1..6b21589c3 100644 --- a/core/pkg/ingress/controller/controller.go +++ b/core/pkg/ingress/controller/controller.go @@ -119,6 +119,9 @@ type Configuration struct { IngressClass string Namespace string ConfigMapName string + + ForceNamespaceIsolation bool + // optional TCPConfigMapName string // optional @@ -246,6 +249,11 @@ func newIngressController(config *Configuration) *GenericController { }, } + watchNs := api.NamespaceAll + if ic.cfg.ForceNamespaceIsolation && ic.cfg.Namespace != api.NamespaceAll { + watchNs = ic.cfg.Namespace + } + ic.ingLister.Store, ic.ingController = cache.NewInformer( cache.NewListWatchFromClient(ic.cfg.Client.Extensions().RESTClient(), "ingresses", ic.cfg.Namespace, fields.Everything()), &extensions.Ingress{}, ic.cfg.ResyncPeriod, ingEventHandler) @@ -255,11 +263,11 @@ func newIngressController(config *Configuration) *GenericController { &api.Endpoints{}, ic.cfg.ResyncPeriod, eventHandler) ic.secrLister.Store, ic.secrController = cache.NewInformer( - cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "secrets", api.NamespaceAll, fields.Everything()), + cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "secrets", watchNs, fields.Everything()), &api.Secret{}, ic.cfg.ResyncPeriod, secrEventHandler) ic.mapLister.Store, ic.mapController = cache.NewInformer( - cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "configmaps", api.NamespaceAll, fields.Everything()), + cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "configmaps", watchNs, fields.Everything()), &api.ConfigMap{}, ic.cfg.ResyncPeriod, mapEventHandler) ic.svcLister.Store, ic.svcController = cache.NewInformer( diff --git a/core/pkg/ingress/controller/launch.go b/core/pkg/ingress/controller/launch.go index 6c5f0776d..43ca58a0a 100644 --- a/core/pkg/ingress/controller/launch.go +++ b/core/pkg/ingress/controller/launch.go 
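Review bot: The new `ForceNamespaceIsolation` field in `Configuration` has no comment, although it decides which namespaces the controller reads Secrets and ConfigMaps from. I would add above it `// ForceNamespaceIsolation restricts the Secret and ConfigMap informers to Namespace; it has no effect when Namespace is api.NamespaceAll.` The struct begins and ends outside the hunk.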
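Review bot: In the added `watchNs` block, setting `ForceNamespaceIsolation` while `ic.cfg.Namespace` equals `api.NamespaceAll` silently leaves `watchNs` at all namespaces. An operator who enables the flag without a single watched namespace therefore gets no isolation and no sign that the setting was ignored. That combination should be rejected, or at least logged at startup, either here or where the flags are parsed in launch.go. A short comment on the block, such as `// Secrets and ConfigMaps are only scoped when a single namespace is watched`, would make the condition easier to audit. `newIngressController` starts and ends outside the hunk.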
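Review bot: Once `watchNs` is narrowed, the `secrets` and `configmaps` informers stop caching objects outside the watched namespace, so anything the controller itself resolves through `ic.secrLister` or `ic.mapLister` has to live in that namespace too. The lookup code is not in this hunk, so this is inferred: if `ConfigMapName`, `TCPConfigMapName` or `DefaultSSLCertificate` name an object in another namespace, they would presumably stop resolving when the flag is on, which deserves a startup check or a line in the flag help. The isolation is also only as strong as the service account's RBAC; the informer scope limits the cache, while a cluster-wide grant on secrets still lets the process read them, so the deployment documentation should pair this flag with a namespaced Role.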
@@ -85,6 +85,10 @@ func NewIngressController(backend ingress.Controller) *GenericController { ingress controller should update the Ingress status IP/hostname. Default is true`) electionID = flags.String("election-id", "ingress-controller-leader", `Election id to use for status update.`) + + forceIsolation = flags.Bool("force-namespace-isolation", false, + `Force namespace isolation. This flag is required to avoid the reference of secrets or + configmaps located in a different namespace than the specified in the flag --watch-namespace.`) ) flags.AddGoFlagSet(flag.CommandLine) @@ -144,21 +148,22 @@ func NewIngressController(backend ingress.Controller) *GenericController { } config := &Configuration{ - UpdateStatus: *updateStatus, - ElectionID: *electionID, - Client: kubeClient, - ResyncPeriod: *resyncPeriod, - DefaultService: *defaultSvc, - IngressClass: *ingressClass, - DefaultIngressClass: backend.DefaultIngressClass(), - Namespace: *watchNamespace, - ConfigMapName: *configMap, - TCPConfigMapName: *tcpConfigMapName, - UDPConfigMapName: *udpConfigMapName, - DefaultSSLCertificate: *defSSLCertificate, - DefaultHealthzURL: *defHealthzURL, - PublishService: *publishSvc, - Backend: backend, + UpdateStatus: *updateStatus, + ElectionID: *electionID, + Client: kubeClient, + ResyncPeriod: *resyncPeriod, + DefaultService: *defaultSvc, + IngressClass: *ingressClass, + DefaultIngressClass: backend.DefaultIngressClass(), + Namespace: *watchNamespace, + ConfigMapName: *configMap, + TCPConfigMapName: *tcpConfigMapName, + UDPConfigMapName: *udpConfigMapName, + DefaultSSLCertificate: *defSSLCertificate, + DefaultHealthzURL: *defHealthzURL, + PublishService: *publishSvc, + Backend: backend, + ForceNamespaceIsolation: *forceIsolation, } ic := newIngressController(config)
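Review bot: The help text for `force-namespace-isolation` is hard to parse and does not say that the flag is ignored when `--watch-namespace` selects all namespaces. Because the default is `false`, existing deployments keep reading Secrets and ConfigMaps cluster-wide unless they opt in, and the text should state that plainly. I would reword it along the lines of `Restrict the Secrets and ConfigMaps the controller reads to the namespace given in --watch-namespace. Has no effect when all namespaces are watched.` `NewIngressController` continues outside the hunk.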