fix: add webhook validation of redirect usage #1788
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Xunzhuo The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/L
|
/kind bug |
Xunzhuo
force-pushed
the
add-redirect-webhook
branch
from
425e494
to
04384fe
Compare
Signed-off-by: Xunzhuo <mixdeers@gmail.com>
Xunzhuo
force-pushed
the
add-redirect-webhook
branch
from
04384fe
to
58ff989
Compare
|
Hey @Xunzhuo, thanks for working on this! We really need more information in the PR description to help reviewers understand what the goals are. For example, #1753 has good detail for each section. As far as the content of the PR, I think we need to have some broader discussion about this before merging. This PR would effectively prevent a case where redirect loop as proposed by @rainest in #1185 is possible. As I see it, we essentially have two options:
My gut tells me that 2 would be pretty challenging and that 1 is the most viable solution at this point, but we need to be very clear that this is a change to the API Spec and include a release note + API Spec update if that's the direction we go. Since this would be a significant change, I want to hold off until we can discuss this at a community meeting + get some feedback on the high level direction of this PR first. /hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
@robscott: GitHub didn't allow me to request PR reviews from the following users: rainest. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Yes @robscott, I am also a bit concerned about this change, since this is a user-facing change. We definitely need more discussion before pushing this forward. Take this as a draft PR, changes can make after the final approach is out. |
k8s-ci-robot
added
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
I may have missed some discussion here from a community meeting, but in Contour we currently ignore backendrefs if you've set a redirect filter so option 1 Rob describes seems fine
we could also specify that infinite redirect protection is recommended but implementation-specific support (or extended if we can write up a nice conformance test)
| backendRefs: []gatewayv1a2.HTTPBackendRef{{ | ||
| BackendRef: gatewayv1a2.BackendRef{ | ||
| BackendObjectReference: gatewayv1a2.BackendObjectReference{ | ||
| Name: gatewayv1a2.ObjectName("test"), | ||
| Port: ptrTo(gatewayv1b1.PortNumber(8080)), | ||
| }, | ||
| }, | ||
| }}, |
There was a problem hiding this comment.
It looks like this is repeated a lot, can you move the standard set of backendRefs to a var so there's not quite so much repetition here?
There was a problem hiding this comment.
Actually it looks like this isn't modified at all for any of the test cases, maybe just add this to the route populated in t.Run below?
| for bi, backendRef := range rule.BackendRefs { | ||
| for fi, filter := range backendRef.Filters { | ||
| if filter.RequestRedirect != nil { | ||
| errs = append(errs, field.Invalid(path.Index(ri).Child("backendRefs").Index(bi).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRef when using redirect filter")) |
There was a problem hiding this comment.
| errs = append(errs, field.Invalid(path.Index(ri).Child("backendRefs").Index(bi).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRef when using redirect filter")) | |
| errs = append(errs, field.Invalid(path.Index(ri).Child("backendRefs").Index(bi).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify RequestRedirect filter within a backendRef")) |
| for fi, filter := range rule.Filters { | ||
| if filter.RequestRedirect != nil { | ||
| if len(rule.BackendRefs) != 0 { | ||
| errs = append(errs, field.Invalid(path.Index(ri).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRefs when using redirect filter")) |
There was a problem hiding this comment.
| errs = append(errs, field.Invalid(path.Index(ri).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRefs when using redirect filter")) | |
| errs = append(errs, field.Invalid(path.Index(ri).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRefs when using RequestRedirect filter")) |
|
|
||
| return true | ||
| return *matches[0].Path.Type == gatewayv1b1.PathMatchPathPrefix |
There was a problem hiding this comment.
This feels not very safe and also not relevant to the rest of the PR, maybe revert this change?
| BackendRef: gatewayv1b1.BackendRef{ | ||
| BackendObjectReference: gatewayv1b1.BackendObjectReference{ | ||
| Name: gatewayv1b1.ObjectName("test"), | ||
| Port: ptrTo(gatewayv1b1.PortNumber(8080)), | ||
| }, | ||
| }, |
There was a problem hiding this comment.
This also looks like it's repeated a lot, can we use a var for this?
|
Hey @Xunzhuo are you still interested in working on this? If so, please reopen the PR. Closing for now because it seems to have gone stale. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Webhook validation should prevent a HTTPRoute that specifies a redirect filter from specifying a backendRef
Which issue(s) this PR fixes:
Fixes: #1779
Does this PR introduce a user-facing change?: