Skip to content

Ingress Sharding#

Ingress Sharding on Kubernetes using MTO#

Tenant
apiVersion: tenantoperator.stakater.com/v1beta3
kind: Tenant
metadata:
  name: tenant-sample
spec:
  # other fields
  ingressClasses:
    allowed:
    - nginx
    - traefik

The ingressClasses field in the Tenant specification is used to filter and control which ingress classes are allowed for the tenant. By specifying an allowed list, you can restrict the creation of ingress resources to only those with the specified ingress class names. In the example above, only ingress resources with the class names nginx and traefik are permitted for the tenant.

This ensures that tenants can only use the ingress controllers that are explicitly allowed, providing better control and security over the ingress resources within the Kubernetes cluster.

Behavior#

This field follows a secure-by-default model. Configuring this field enables both the filtering functionality and automatic RBAC configuration for IngressClasses:

Spec State Behavior
Field not specified (nil) Feature disabled - no RBAC is configured by the operator; it is left to the platform administrator to configure appropriate RBAC for IngressClasses (if any)
Empty struct {} or {allowed: []} Allow all - the operator automatically configures RBAC so that tenants can use any ingress class in the cluster
Specific values {allowed: ["nginx"]} Only allow specified - the operator automatically configures RBAC so that tenants can only use the listed ingress classes

Note

The filtering functionality only works when the ingressClasses field is explicitly configured. Without it, the operator does not manage IngressClass access for the tenant.

Tip

Tenant users can use the kubectl-tenant plugin to list the IngressClasses available to them: kubectl tenant get ingressclasses <tenant-name>

Demo#

Ingress Class Demo

Ingress Sharding on OpenShift Container Platform#

You can use Ingress sharding, also known as router sharding, to distribute a set of routes across multiple routers by adding labels to routes, namespaces, or both. The Ingress Controller uses a corresponding set of selectors to admit only the routes that have a specified label. Each Ingress shard comprises the routes that are filtered using a given selection expression.

Example#

An Ingress Controller finops-router is configured with the label selector to handle the routes in tenant finops

apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: finops-router
  namespace: openshift-ingress-operator
spec:
  - namespaceSelector:
      matchLabels:
        stakater.com/tenant: finops