@@ -1039,71 +1039,4 @@ $ oc expose service/<name> --hostname="api.openshift.org"
10391039$ oc expose service/<name> --hostname="m.api.openshift.org"
10401040$ oc expose service/<name> --hostname="kates.net"
10411041$ oc expose service/<name> --hostname="api.kates.net"
1042- ----
1043-
1044-
1045- [[disable-namespace-ownership-check]]
1046- == Disabling the Namespace Ownership Check
1047-
1048- Hosts and subdomains are owned by the namespace of the route that first
1049- makes the claim. Other routes created in the namespace can make claims on
1050- the subdomain. All other namespaces are prevented from making claims on
1051- the claimed hosts and subdomains. The namespace that owns the host also
1052- owns all paths associated with the host, for example `*_www.abc.xyz/path1_*`.
1053-
1054- For example, if the host `*_www.abc.xyz_*` is not claimed by any route.
1055- Creating route `r1` with host `*_www.abc.xyz_*` in namespace `ns1` makes
1056- namespace `ns1` the owner of host `*_www.abc.xyz_*` and subdomain `abc.xyz`
1057- for wildcard routes. If another namespace, `ns2`, tries to create a route
1058- with say a different path `*_www.abc.xyz/path1/path2_*`, it would fail
1059- because a route in another namespace (`ns1` in this case) owns that host.
1060-
1061- With wildcard routes the namespace that owns the subdomain owns all hosts in the subdomain.
1062- If a namespace owns subdomain `*abc.xyz*` as in the above example,
1063- another namespace cannot claim `z.abc.xyz`.
1064-
1065- By disabling the namespace ownership rules, you can disable these restrictions
1066- and allow hosts (and subdomains) to be claimed across namespaces.
1067-
1068- [WARNING]
1069- ====
1070- If you decide to disable the namespace ownership checks in your router,
1071- be aware that this allows end users to claim ownership of hosts
1072- across namespaces. While this change can be desirable in certain
1073- development environments, use this feature with caution in production
1074- environments, and ensure that your cluster policy has locked down untrusted end
1075- users from creating routes.
1076- ====
1077-
1078- For example, with `ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true`, if
1079- namespace `ns1` creates the oldest route `r1` `*_www.abc.xyz_*`, it owns only
1080- the hostname (+ path). Another namespace can create a wildcard route
1081- even though it does not have the oldest route in that subdomain (`abc.xyz`)
1082- and we could potentially have other namespaces claiming other
1083- non-wildcard overlapping hosts (for example, `foo.abc.xyz`, `bar.abc.xyz`,
1084- `baz.abc.xyz`) and their claims would be granted.
1085-
1086- Any other namespace (for example, `ns2`) can now create
1087- a route `r2` `*_www.abc.xyz/p1/p2_*`, and it would be admitted. Similarly
1088- another namespace (`ns3`) can also create a route `wildthing.abc.xyz`
1089- with a subdomain wildcard policy and it can own the wildcard.
1090-
1091- As this example demonstrates, the policy `ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true` is more
1092- lax and allows claims across namespaces. The only time the router would
1093- reject a route with the namespace ownership disabled is if the host+path
1094- is already claimed.
1095-
1096- For example, if a new route `rx` tries to claim `*_www.abc.xyz/p1/p2_*`, it
1097- would be rejected as route `r2` owns that host+path combination. This is true whether route `rx`
1098- is in the same namespace or other namespace since the exact host+path is already claimed.
1099-
1100- This feature can be set during router creation or by setting an environment
1101- variable in the router's deployment configuration.
1102-
1103- ----
1104- $ oadm router ... --disable-namespace-ownership-check=true
1105- ----
1106-
1107- ----
1108- $ oc env dc/router ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true
1109- ----
1042+ ----
0 commit comments