Service blacklist fix (#83)

* Add namespace check to service blacklist
kyma-project · Oct 10, 2019 · c1d35a0 · c1d35a0
1 parent a5892d6
commit c1d35a0
Show file tree

Hide file tree

Showing 15 changed files with 130 additions and 23 deletions.
diff --git a/Makefile b/Makefile
@@ -19,6 +19,11 @@ ifndef JWKS_URI
 override JWKS_URI = change-me
 endif
 
+# kubernetes.default service.namespace
+ifndef SERVICE_BLACKLIST
+override SERVICE_BLACKLIST = kubernetes.default,kube-dns.kube-system
+endif
+
 # kyma.local foo.bar bar
 ifndef DOMAIN_WHITELIST
 override DOMAIN_WHITELIST = change-me
@@ -86,6 +91,7 @@ patch-gen:
 	@cat config/default/manager_args_patch.yaml.tmpl |\
 		sed -e 's|OATHKEEPER_SVC_ADDRESS|${OATHKEEPER_SVC_ADDRESS}|g' |\
 		sed -e 's|OATHKEEPER_SVC_PORT|${OATHKEEPER_SVC_PORT}|g' |\
+		sed -e 's|SERVICE_BLACKLIST|${SERVICE_BLACKLIST}|g' |\
 		sed -e 's|DOMAIN_WHITELIST|${DOMAIN_WHITELIST}|g' |\
 		sed -e 's|JWKS_URI|${JWKS_URI}|g' |\
 		sed -e 's|CORS_ALLOW_ORIGIN|${CORS_ALLOW_ORIGIN}|g' |\
@@ -123,7 +129,7 @@ CONTROLLER_GEN=$(shell which controller-gen)
 endif
 
 run: build
-	go run . --oathkeeper-svc-address=${OATHKEEPER_SVC_ADDRESS} --oathkeeper-svc-port=${OATHKEEPER_SVC_PORT} --jwks-uri=${JWKS_URI} --domain-whitelist=${DOMAIN_WHITELIST}
+	go run . --oathkeeper-svc-address=${OATHKEEPER_SVC_ADDRESS} --oathkeeper-svc-port=${OATHKEEPER_SVC_PORT} --jwks-uri=${JWKS_URI} --service-blacklist=${SERVICE_BLACKLIST} --domain-whitelist=${DOMAIN_WHITELIST}
 
 samples-clean:
 	kubectl delete -f config/samples/valid.yaml --ignore-not-found=true

diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ This procedure is useful to test your own Controller build end-to-end in a local
 | **oathkeeper-svc-address** | yes | ory oathkeeper-proxy service address. | `ory-oathkeeper-proxy.kyma-system.svc.cluster.local` |
 | **oathkeeper-svc-port** | yes | ory oathkeeper-proxy service port. | `4455` |
 | **jwks-uri** | yes | default jwksUri in the Policy. | any string |
-| **service-blacklist** | no | list of services to be blacklisted | `kubernetes` <br> `kube-dns` |
+| **service-blacklist** | no | list of services to be blacklisted | `kubernetes.default` <br> `kube-dns.kube-system` |
 | **domain-whitelist** | yes | list of domains that can be exposed | `kyma.local` <br> `foo.bar` |
 | **cors-allow-origin**  | no | comma-separated list of allowed origins | `*`, `https://developer.org` |
 | **cors-allow-methods** | no | comma-separated list of allowed methods | `GET,POST,DELETE` |

diff --git a/config/default/manager_args_patch.yaml b/config/default/manager_args_patch.yaml
@@ -12,7 +12,7 @@ spec:
           - --oathkeeper-svc-address=change-me
           - --oathkeeper-svc-port=change-me
           - --jwks-uri=change-me
-          - --service-blacklist=kubernetes
+          - --service-blacklist=kubernetes.default,service.namespace
           - --domain-whitelist=kyma.local
           - --cors-allow-origin=*
           - --cors-allow-methods=GET,POST,PUT,DELETE

diff --git a/config/default/manager_args_patch.yaml.tmpl b/config/default/manager_args_patch.yaml.tmpl
@@ -12,7 +12,7 @@ spec:
           - --oathkeeper-svc-address=OATHKEEPER_SVC_ADDRESS
           - --oathkeeper-svc-port=OATHKEEPER_SVC_PORT
           - --jwks-uri=JWKS_URI
-          - --service-blacklist=kubernetes
+          - --service-blacklist=SERVICE_BLACKLIST
           - --domain-whitelist=DOMAIN_WHITELIST
           - --cors-allow-origin=CORS_ALLOW_ORIGIN
           - --cors-allow-methods=CORS_ALLOW_METHODS

diff --git a/go.mod b/go.mod
@@ -16,4 +16,5 @@ require (
 	k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible
 	knative.dev/pkg v0.0.0-20190807140856-4707aad818fe
 	sigs.k8s.io/controller-runtime v0.2.0-beta.4
+	sigs.k8s.io/controller-tools v0.2.0-beta.2 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -38,6 +38,9 @@ github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nA
 github.com/go-openapi/spec v0.19.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/gobuffalo/envy v1.6.5/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
+github.com/gobuffalo/envy v1.6.15 h1:OsV5vOpHYUpP7ZLS6sem1y40/lNX1BZj+ynMiRi21lQ=
+github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -61,6 +64,8 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
 github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
+github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs=
@@ -75,6 +80,8 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/markbates/inflect v1.0.4 h1:5fh1gzTFhfae06u3hzHYO9xe3l3v3nW5Pwt3naLTP5g=
+github.com/markbates/inflect v1.0.4/go.mod h1:1fR9+pO2KHEO9ZRtto13gDwwZaAKstQzferVeWqbgNs=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
@@ -112,8 +119,12 @@ github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e h1:n/3MEhJQjQxrO
 github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273 h1:agujYaXJSxSo18YNX3jzl+4G6Bstwt+kqv47GS12uL0=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.2.2 h1:J7U/N7eRtzjhs26d6GqMh2HBuXP8/Z64Densiiieafo=
+github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -143,6 +154,7 @@ golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190514140710-3ec191127204/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -182,6 +194,7 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
@@ -202,6 +215,7 @@ k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible h1:U5Bt+dab9
 k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.2.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0 h1:0VPpR+sizsiivjIfIAQH/rl8tan6jvWkS7lU+0di3lE=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
@@ -214,6 +228,8 @@ knative.dev/pkg v0.0.0-20190807140856-4707aad818fe/go.mod h1:pgODObA1dTyhNoFxPZT
 sigs.k8s.io/controller-runtime v0.2.0-beta.2/go.mod h1:TSH2R0nSz4WAlUUlNnOFcOR/VUhfwBLlmtq2X6AiQCA=
 sigs.k8s.io/controller-runtime v0.2.0-beta.4 h1:S1XVfRWR1MuIXZdkYx3jN8JDw+bbQxmWZroy0i87z/A=
 sigs.k8s.io/controller-runtime v0.2.0-beta.4/go.mod h1:HweyYKQ8fBuzdu2bdaeBJvsFgAi/OqBBnrVGXcqKhME=
+sigs.k8s.io/controller-tools v0.2.0-beta.2 h1:ucniFzEuW7PFfFDuUxacdY4Fy4q065wPguVl+BE2/t0=
+sigs.k8s.io/controller-tools v0.2.0-beta.2/go.mod h1:gC5UAnK1jbxWnDaqTi0yxKIsRsRwshzeRtTUGbM9vos=
 sigs.k8s.io/kind v0.4.0/go.mod h1:bgGo2cWxKGQ7esVxtGp9H17Ttlexju92CTMjCg08HNQ=
 sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190426204423-ea680f03cc65/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=

diff --git a/install/helm/api-gateway/templates/_helpers.tpl b/install/helm/api-gateway/templates/_helpers.tpl
@@ -42,4 +42,12 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "api-gateway.serviceBlackList" -}}
+{{- range $i, $e := .Values.config.serviceBlackList -}}
+{{- range $e -}}
+{{ printf "%s.%s," . $i -}}
+{{- end }}
+{{- end }}
 {{- end -}}
diff --git a/install/helm/api-gateway/templates/deployment.yaml b/install/helm/api-gateway/templates/deployment.yaml
@@ -35,9 +35,7 @@ spec:
             - --oathkeeper-svc-address={{ .Values.config.oathkeeper.service }}
             - --oathkeeper-svc-port={{ .Values.config.oathkeeper.port }}
             - --jwks-uri={{ .Values.config.jwksURI }}
-            {{- with .Values.config.serviceBlackList }}
-            - --service-blacklist={{ . | join ", " }}
-            {{- end }}
+            - --service-blacklist={{ include "api-gateway.serviceBlackList" . | trimAll "," }}
             {{- with .Values.config.domainWhiteList }}
             - --domain-whitelist={{ . | join ", " }}
             {{- end }}

diff --git a/install/helm/api-gateway/values.yaml b/install/helm/api-gateway/values.yaml
@@ -26,8 +26,10 @@ config:
     port: 4455
   jwksURI: https://example.com/.well-known/jwks.json
   serviceBlackList:
-    - kubernetes
-    - kube-dns
+    default:
+      - kubernetes
+    kube-system:
+      - kube-dns
   domainWhiteList:
     - kyma.local
   cors: # values listed below will be used to set corsPolicy in created VirtualServices (https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/#CorsPolicy)

diff --git a/install/k8s/apps_v1_deployment_api-gateway-controller-manager.yaml b/install/k8s/apps_v1_deployment_api-gateway-controller-manager.yaml
@@ -20,7 +20,7 @@ spec:
         - --oathkeeper-svc-address=change-me
         - --oathkeeper-svc-port=change-me
         - --jwks-uri=change-me
-        - --service-blacklist=kubernetes
+        - --service-blacklist=kubernetes.default,kube-dns.kube-system
         - --domain-whitelist=kyma.local
         command:
         - /manager

diff --git a/internal/validation/helpers.go b/internal/validation/helpers.go
@@ -32,3 +32,8 @@ func ValidateDomainName(domain string) bool {
 	RegExp := regexp.MustCompile(`^([a-zA-Z0-9][a-zA-Z0-9-_]*\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9]+$`)
 	return RegExp.MatchString(domain)
 }
+
+func ValidateServiceName(service string) bool {
+	regExp := regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?\.[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
+	return regExp.MatchString(service)
+}
diff --git a/internal/validation/helpers_test.go b/internal/validation/helpers_test.go
@@ -70,3 +70,49 @@ var _ = Describe("ValidateDomainName function", func() {
 	})
 
 })
+var _ = Describe("ValidateServiceName function", func() {
+
+	It("Should return true for kubernetes.default service", func() {
+		//given
+		testService := "kubernetes.default"
+
+		//when
+		valid := ValidateServiceName(testService)
+
+		//then
+		Expect(valid).To(BeTrue())
+	})
+
+	It("Should return false for service containing more than one .", func() {
+		//given
+		testService := "kubernetes.default.example"
+
+		//when
+		valid := ValidateServiceName(testService)
+
+		//then
+		Expect(valid).To(BeFalse())
+	})
+
+	It("Should return false for service name ending with -", func() {
+		//given
+		testService := "kubernetes-.default"
+
+		//when
+		valid := ValidateServiceName(testService)
+
+		//then
+		Expect(valid).To(BeFalse())
+	})
+
+	It("Should return false for service containing forbidden character /", func() {
+		//given
+		testService := "kubernetes.de/fault"
+
+		//when
+		valid := ValidateServiceName(testService)
+
+		//then
+		Expect(valid).To(BeFalse())
+	})
+})
diff --git a/internal/validation/validate.go b/internal/validation/validate.go
@@ -38,7 +38,7 @@ func configNotEmpty(config *runtime.RawExtension) bool {
 
 //APIRule is used to validate github.com/kyma-incubator/api-gateway/api/v1alpha1/APIRule instances
 type APIRule struct {
-	ServiceBlackList []string
+	ServiceBlackList map[string][]string
 	DomainWhiteList  []string
 }
 
@@ -75,12 +75,14 @@ func (v *APIRule) validateService(attributePath string, vsList v1alpha3.VirtualS
 	}
 
 	domainFound := false
-	for _, svc := range v.ServiceBlackList {
-		if svc == *api.Spec.Service.Name {
-			problems = append(problems, Failure{
-				AttributePath: attributePath + ".name",
-				Message:       "This service has been blacklisted",
-			})
+	for namespace, services := range v.ServiceBlackList {
+		for _, svc := range services {
+			if svc == *api.Spec.Service.Name && namespace == api.ObjectMeta.Namespace {
+				problems = append(problems, Failure{
+					AttributePath: attributePath + ".name",
+					Message:       fmt.Sprintf("Service %s in namespace %s is blacklisted", svc, namespace),
+				})
+			}
 		}
 	}
 	for _, domain := range v.DomainWhiteList {

diff --git a/internal/validation/validate_test.go b/internal/validation/validate_test.go
@@ -47,9 +47,14 @@ var _ = Describe("Validate function", func() {
 
 	It("Should fail for blacklisted service", func() {
 		//given
-		testBlackList := []string{"kubernetes", "kube-dns", "kubernetes.default"}
+		testBlackList := map[string][]string{
+			"default": []string{"kubernetes", "kube-dns"},
+			"example": []string{"service"}}
 		testWhiteList := []string{"foo.bar", "bar.foo", "kyma.local"}
 		input := &gatewayv1alpha1.APIRule{
+			ObjectMeta: v1.ObjectMeta{
+				Namespace: "default",
+			},
 			Spec: gatewayv1alpha1.APIRuleSpec{
 				Service: getService("kubernetes", uint32(443), "kubernetes.foo.bar"),
 				Rules: []gatewayv1alpha1.Rule{
@@ -72,12 +77,14 @@ var _ = Describe("Validate function", func() {
 		//then
 		Expect(problems).To(HaveLen(1))
 		Expect(problems[0].AttributePath).To(Equal(".spec.service.name"))
-		Expect(problems[0].Message).To(Equal("This service has been blacklisted"))
+		Expect(problems[0].Message).To(Equal("Service kubernetes in namespace default is blacklisted"))
 	})
 
 	It("Should fail for not whitelisted domain", func() {
 		//given
-		testBlackList := []string{"kubernetes", "kube-dns", "kubernetes.default"}
+		testBlackList := map[string][]string{
+			"default": []string{"kubernetes", "kube-dns"},
+			"example": []string{"service"}}
 		testWhiteList := []string{"foo.bar", "bar.foo", "kyma.local"}
 		input := &gatewayv1alpha1.APIRule{
 			Spec: gatewayv1alpha1.APIRuleSpec{
@@ -107,7 +114,9 @@ var _ = Describe("Validate function", func() {
 
 	It("Should fail for serviceHost containing duplicated whitelisted domain", func() {
 		//given
-		testBlackList := []string{"kubernetes", "kube-dns", "kubernetes.default"}
+		testBlackList := map[string][]string{
+			"default": []string{"kubernetes", "kube-dns"},
+			"example": []string{"service"}}
 		testWhiteList := []string{"foo.bar", "bar.foo", "kyma.local"}
 		input := &gatewayv1alpha1.APIRule{
 			Spec: gatewayv1alpha1.APIRuleSpec{

diff --git a/main.go b/main.go
@@ -63,7 +63,7 @@ func main() {
 	flag.StringVar(&jwksURI, "jwks-uri", "", "URL of the provider's public key set to validate signature of the JWT")
 	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
-	flag.StringVar(&blackListedServices, "service-blacklist", "kubernetes", "List of services to be blacklisted from exposure.")
+	flag.StringVar(&blackListedServices, "service-blacklist", "kubernetes.default,kube-dns.kube-system", "List of services to be blacklisted from exposure.")
 	flag.StringVar(&whiteListedDomains, "domain-whitelist", "", "List of domains to be allowed.")
 	flag.StringVar(&corsAllowOrigin, "cors-allow-origin", "*", "list of allowed origins")
 	flag.StringVar(&corsAllowMethods, "cors-allow-methods", "GET,POST,PUT,DELETE", "list of allowed methods")
@@ -114,7 +114,7 @@ func main() {
 		OathkeeperSvcPort: uint32(oathkeeperSvcPort),
 		JWKSURI:           jwksURI,
 		Validator: &validation.APIRule{
-			ServiceBlackList: getList(blackListedServices),
+			ServiceBlackList: getNamespaceServiceMap(blackListedServices),
 			DomainWhiteList:  getList(whiteListedDomains),
 		},
 		CorsConfig: &processing.CorsConfig{
@@ -145,3 +145,17 @@ func getList(raw string) []string {
 	}
 	return result
 }
+func getNamespaceServiceMap(raw string) map[string][]string {
+	result := make(map[string][]string)
+	for _, s := range getList(raw) {
+		if !validation.ValidateServiceName(s) {
+			setupLog.Error(fmt.Errorf("invalid service in service-blacklist"), "unable to create controller", "controller", "Api")
+			os.Exit(1)
+		}
+		namespacedService := strings.Split(s, ".")
+		namespace := namespacedService[1]
+		service := namespacedService[0]
+		result[namespace] = append(result[namespace], service)
+	}
+	return result
+}