Ignore ingress definitions for other ingressclasses

[liggitt]

NGINX Ingress controller version: v1.0.0-alpha.1

Kubernetes version (use kubectl version): v1.19+

Environment: all

• Cloud provider or hardware configuration: all
• OS (e.g. from /etc/os-release): all
• Kernel (e.g. uname -a): all
• Install tools: all
• Others: all

What happened: ingress definitions created intended to be serviced by other ingress controllers are handled by ingress-nginx

Reviewing the code path ingress-nginx uses to fetch ingress objects, I don't see filtering of ingress objects targeting other ingress classes:

• ingress-nginx/cmd/plugin/request/request.go

  Lines 124 to 129 in 1feec89

  	pods, err := api.Ingresses(namespace).List(context.TODO(), metav1.ListOptions{})
  	if err != nil {
  	return make([]networking.Ingress, 0), err
  	}
  	return pods.Items, nil

• ingress-nginx/cmd/plugin/commands/ingresses/ingresses.go

  Lines 60 to 73 in 1feec89

  	func ingresses(flags *genericclioptions.ConfigFlags, host string, allNamespaces bool) error {
  	var namespace string
  	if allNamespaces {
  	namespace = ""
  	} else {
  	namespace = util.GetNamespace(flags)
  	}
  	ingresses, err := request.GetIngressDefinitions(flags, namespace)
  	if err != nil {
  	return err
  	}
  	rows := getIngressRows(&ingresses)

• ingress-nginx/cmd/plugin/commands/ingresses/ingresses.go

  Lines 134 to 180 in 1feec89

  	func getIngressRows(ingresses *[]networking.Ingress) []ingressRow {
  	rows := make([]ingressRow, 0)
  	for _, ing := range *ingresses {
  	address := ""
  	for _, lbIng := range ing.Status.LoadBalancer.Ingress {
  	if len(lbIng.IP) > 0 {
  	address = address + lbIng.IP + ","
  	}
  	if len(lbIng.Hostname) > 0 {
  	address = address + lbIng.Hostname + ","
  	}
  	}
  	if len(address) > 0 {
  	address = address[:len(address)-1]
  	}
  	tlsHosts := make(map[string]struct{})
  	for _, tls := range ing.Spec.TLS {
  	for _, host := range tls.Hosts {
  	tlsHosts[host] = struct{}{}
  	}
  	}
  	defaultBackendService := ""
  	defaultBackendPort := ""
  	if ing.Spec.DefaultBackend != nil {
  	name, port := serviceToNameAndPort(ing.Spec.DefaultBackend.Service)
  	defaultBackendService = name
  	defaultBackendPort = port.String()
  	}
  	// Handle catch-all ingress
  	if len(ing.Spec.Rules) == 0 && len(defaultBackendService) > 0 {
  	row := ingressRow{
  	Namespace: ing.Namespace,
  	IngressName: ing.Name,
  	Host: "*",
  	ServiceName: defaultBackendService,
  	ServicePort: defaultBackendPort,
  	Address: address,
  	}
  	rows = append(rows, row)
  	continue
  	}

That means that ingress-nginx can't coexist with another ingress controller partitioned by ingress class, which is part of Ingress v1.

/kind bug

[rikatz]

/triage accepted
/priority critical-urgent
/assgn @rikatz

[rikatz]

Thanks @liggitt

I'll take a look into this.

For my future me (or people helping) we need to:

• Implement the filtering
• Implement e2e tests and check if this filtering is working
  • Objects with IngressClass = nginx class should be parsed and served
  • Objects with IngressClass != controller ingress class should be filtered and ignored
  • Check this case with a bunch of ingress objects and the same ingress controller

[rikatz]

/close

Closed in #7341

[k8s-ci-robot]

@rikatz: Closing this issue.

In response to this:

/close

Closed in #7341

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[clarax]

@rikatz Hello, I have a question on a potential bug of Ingress-Nginx. We have two ingress controllers, controller A (v1.2.0) and controller B (v 1.2.1), installed on a Kubernetes cluster(version: v1.22.9) Each controller has a different IngressClass: A and B. When I try to create an ingress of ingress class A, it failed with error "Error from server (InternalError): error when creating "ingress-test.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post https://ingress-nginx-controller-admission.ingress-nginx.svc:443/extensions/v1/ingresses?timeout=30s: context deadline exceeded. The controller B complains "controller I0720 18:12:05.800513 7 store.go:425] "Ignoring ingress because of error while validating ingress class" ingress="ingress-test" error="no object matching key "A" in local store"". Ingress of IngressClass A is ignored because of validating error. If we have the fix, we shouldn't need to validate at all because of the IngressClass. Is this caused by an incomplete fix? Is this expected?