Wildcard hostname matching behavior is not clearly specified #1159
Comments
robscott
added
kind/feature
|
One note in favor of the "1 label" behavior is that TLS verification behaves this way. So if we don't do that, we have inconsistency in certs and routing (which is ok, just inconsistent). I don' have a strong opinion one way or another though; as long as an implementation has regex header matching I think either approach can be implemented in most proxies? |
|
xref #654 and #674 which also had discussion on this topic. Also noting that matching a single label is consistent with the Ingress wildcard host spec: https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards |
|
In general, I think it's safe to describe the two options as "single label matching" and "multi label matching". Each have advantages: Single Label Matching:
Multi Label Matching:
I'm biased here because GKE can only support the multi label matching approach here, so I would personally prefer that spec. It also seems like it would be more straightforward and performant for other implementations to support suffix matching than implementing regex matches. Want to see what others think though. |
|
Multi label matching won't work with TLS and practically everything is deployed with TLS. Specifying multi label matching just seems likely to encourage broken configurations that are hard to debug. |
|
I thought I had specified a single label match previously, so I'd kind of prefer that we keep that. |
|
I agree that this was at one point specified in the API, and I'm not actually sure how it ended up being removed from the spec - I think it must have been part of a larger restructuring or rewording. With that said, my strong bias here is to use the most broadly supportable interpretation of this, which is essentially a suffix match. From what I can tell, both GCP and Azure are only able to interpret a wildcard match as a suffix match. That also matches the default behavior of nginx and envoy. Although this would differ from the Ingress spec, I think it would be more in line with how wildcard matches are interpreted across different providers. Because this is a critical decision, I'm going to add it to the v0.5.0 milestone. I think there are two possible actions that could be sufficient to unblock the v0.5.0 for this:
I would prefer 2, but if we can't easily reach consensus on this, I think 1 may be sufficient. |
|
To summarize what I said at the community meeting:
|
What would you like to be added:
As @howardjohn noted in Slack, our hostname matching behavior is not clearly specified. Other than saying "exact matches must be processed before wildcard matches", we don't really cover how wildcard matches should be implemented. Specifically, which of the following should
*.example.commatch?a.example.coma.b.example.comWe recently added a conformance test that stated that only 1 should match. On further thought, I'm not sure that's what we want.
Here's my understanding of the default behavior for a variety of different products:
Given the above, it seems that most underlying implementations treat wildcard host matching as suffix matching as the default, and some may only be able to support that approach. My suggestion would be to adjust the spec and conformance tests to reflect that.
Why this is needed:
This is an important gap in our spec today.
The text was updated successfully, but these errors were encountered: