Allow configuring whether to allow cross namespaces Brokers configuration references

[pierDipi]

Instead of always allowing to specify cross namespace configuration references for Broker allow users to configure whether to disallow such references as it might be problematic in multi tenant environments.

Proposed Changes

• Allow configuring whether to allow cross namespaces Brokers configuration references

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

Allow configuring whether to allow cross namespaces Brokers configuration using the `config-br-defaults` ConfigMap.

For example, to disallow cross namespaces Brokers configuration references cluster wide, the following ConfigMap can be applied:


`
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-br-defaults
  namespace: knative-eventing
  labels:
    app.kubernetes.io/version: devel
    app.kubernetes.io/name: knative-eventing
data:
  # Configures the default for any Broker that does not specify a spec.config or Broker class.
  default-br-config: |
    clusterDefault:
      disallowDifferentNamespaceConfig: true
      # ...
`

Docs

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pierDipi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (360ec60) 76.72% compared to head (68863a1) 76.75%.
Report is 20 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7455      +/-   ##
==========================================
+ Coverage   76.72%   76.75%   +0.03%     
==========================================
  Files         253      253              
  Lines       13903    13974      +71     
==========================================
+ Hits        10667    10726      +59     
- Misses       2702     2712      +10     
- Partials      534      536       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Cali0707]

I think that you need to run codegen, also I was wondering - what happens if I have a broker in one namespace ns1, which is allowed to send to other namespaces and it sends to a broker in namespace ns2 which is not allowed to send to other namespaces. What would happen to a reply in that scenario?

[pierDipi]

This configuration is only for control plane configurations isolation, cross namespace data plane communication is still allowed and need to be handled with a service mesh or eventually when OIDC + authorization are implemented since even with disallowing cross reference for sink, users can still use absolute URLs and pass the check on the references for subscriber/reply/sink.

For example, I'd like to disallow using the same underlying Kafka cluster credentials from 2 different namespaces

[Cali0707]

/lgtm