pub const ANNOTATION_ALLOW_ZONE_NAMESPACES: &str = "bindy.firestoned.io/allow-zone-namespaces";
Annotation key on Bind9Instance that lists namespaces from which a
DNSZone (in a different namespace) is permitted to target this
instance via spec.bind9InstancesFrom selectors.
F-003 mitigation. A label-selector match alone is not enough to
enrol a cross-namespace Bind9Instance in a zone — the platform admin
who owns the instance must also annotate it with the zone’s namespace.
Same-namespace targeting (zone and instance in the same namespace) is
always permitted and does not require this annotation.
Value format: comma-separated list of namespace names. The literal
value * re-enables the pre-F-003 cluster-wide behaviour for
platform admins who explicitly accept the risk.
Examples:
- "tenant-a,tenant-b" — only zones in tenant-a or tenant-b may claim this instance.
- "*" — any namespace may claim (back to pre-F-003 behaviour).
- annotation absent — only same-namespace zones may claim.
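The gate described above, written out as a small stand-alone model. This is an added example, not code from the bindy crate: the `Bind9InstanceMeta` struct, the `instance` helper and the `zone_may_target` function are hypothetical stand-ins for the operator's real types, and only the annotation key and the documented value format are taken from the page.

```rust
use std::collections::BTreeMap;

/// Annotation key as documented on this page.
pub const ANNOTATION_ALLOW_ZONE_NAMESPACES: &str =
    "bindy.firestoned.io/allow-zone-namespaces";

/// Hypothetical stand-in for the metadata of a Bind9Instance: the
/// namespace it lives in and its annotations.
pub struct Bind9InstanceMeta {
    pub namespace: String,
    pub annotations: BTreeMap<String, String>,
}

/// Build a Bind9InstanceMeta, optionally carrying the allow-list
/// annotation (helper for the demo and tests; not part of the crate).
pub fn instance(namespace: &str, allow: Option<&str>) -> Bind9InstanceMeta {
    let mut annotations = BTreeMap::new();
    if let Some(v) = allow {
        annotations.insert(ANNOTATION_ALLOW_ZONE_NAMESPACES.to_string(), v.to_string());
    }
    Bind9InstanceMeta { namespace: namespace.to_string(), annotations }
}

/// Second gate after a `spec.bind9InstancesFrom` label-selector match:
/// may a DNSZone in `zone_namespace` target this instance?
pub fn zone_may_target(zone_namespace: &str, inst: &Bind9InstanceMeta) -> bool {
    // Same-namespace targeting is always permitted, annotation or not.
    if zone_namespace == inst.namespace {
        return true;
    }
    // Cross-namespace: the platform admin must have opted in via the
    // annotation on the instance. Absent annotation means "deny".
    let Some(raw) = inst.annotations.get(ANNOTATION_ALLOW_ZONE_NAMESPACES) else {
        return false;
    };
    // The literal value "*" restores the pre-F-003 cluster-wide behaviour.
    if raw.trim() == "*" {
        return true;
    }
    // Otherwise a comma-separated list of namespace names; surrounding
    // whitespace and empty entries are tolerated, and a "*" buried inside
    // a list is not treated as a wildcard (only the whole-value form is).
    raw.split(',')
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .any(|allowed| allowed == zone_namespace)
}

fn main() {
    let platform = instance("dns-platform", Some("tenant-a, tenant-b"));
    for zone_ns in ["dns-platform", "tenant-a", "tenant-c"] {
        println!("{zone_ns}: {}", zone_may_target(zone_ns, &platform));
    }
}
```

The order of the checks mirrors the documentation: same-namespace first, then absence of the annotation (deny), then the whole-value wildcard, then the explicit list. Keeping the wildcard to the exact value `*` means an admin cannot widen the allow-list by accident while editing a comma-separated entry.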
Why an annotation rather than a CRD field on ClusterBind9Provider?
The platform-admin contract for a cluster-wide operator is “platform
admin labels their instances; tenants match those labels.” The
security gate must live on the side the tenant cannot forge — i.e.
metadata on the platform-owned Bind9Instance — and an annotation
keeps the admin’s mental model intact without requiring tenants to
add a clusterRef they had no reason to set previously.