-
Notifications
You must be signed in to change notification settings - Fork 434
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: add webhook validation of redirect usage #1788
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Xunzhuo The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/kind bug |
425e494
to
04384fe
Compare
Signed-off-by: Xunzhuo <mixdeers@gmail.com>
04384fe
to
58ff989
Compare
Hey @Xunzhuo, thanks for working on this! We really need more information in the PR description to help reviewers understand what the goals are. For example, #1753 has good detail for each section. As far as the content of the PR, I think we need to have some broader discussion about this before merging. This PR would effectively prevent a case where redirect loop as proposed by @rainest in #1185 is possible. As I see it, we essentially have two options:
My gut tells me that 2 would be pretty challenging and that 1 is the most viable solution at this point, but we need to be very clear that this is a change to the API Spec and include a release note + API Spec update if that's the direction we go. Since this would be a significant change, I want to hold off until we can discuss this at a community meeting + get some feedback on the high level direction of this PR first. /hold |
@robscott: GitHub didn't allow me to request PR reviews from the following users: rainest. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Yes @robscott, I am also a bit concerned about this change, since this is a user-facing change. We definitely need more discussion before pushing this forward. Take this as a draft PR, changes can make after the final approach is out. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I may have missed some discussion here from a community meeting, but in Contour we currently ignore backendrefs if you've set a redirect filter so option 1 Rob describes seems fine
we could also specify that infinite redirect protection is recommended but implementation-specific support (or extended if we can write up a nice conformance test)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the work on this @Xunzhuo!
backendRefs: []gatewayv1a2.HTTPBackendRef{{ | ||
BackendRef: gatewayv1a2.BackendRef{ | ||
BackendObjectReference: gatewayv1a2.BackendObjectReference{ | ||
Name: gatewayv1a2.ObjectName("test"), | ||
Port: ptrTo(gatewayv1b1.PortNumber(8080)), | ||
}, | ||
}, | ||
}}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like this is repeated a lot, can you move the standard set of backendRefs to a var so there's not quite so much repetition here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually it looks like this isn't modified at all for any of the test cases, maybe just add this to the route populated in t.Run
below?
for bi, backendRef := range rule.BackendRefs { | ||
for fi, filter := range backendRef.Filters { | ||
if filter.RequestRedirect != nil { | ||
errs = append(errs, field.Invalid(path.Index(ri).Child("backendRefs").Index(bi).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRef when using redirect filter")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
errs = append(errs, field.Invalid(path.Index(ri).Child("backendRefs").Index(bi).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRef when using redirect filter")) | |
errs = append(errs, field.Invalid(path.Index(ri).Child("backendRefs").Index(bi).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify RequestRedirect filter within a backendRef")) |
for fi, filter := range rule.Filters { | ||
if filter.RequestRedirect != nil { | ||
if len(rule.BackendRefs) != 0 { | ||
errs = append(errs, field.Invalid(path.Index(ri).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRefs when using redirect filter")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
errs = append(errs, field.Invalid(path.Index(ri).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRefs when using redirect filter")) | |
errs = append(errs, field.Invalid(path.Index(ri).Child("filters").Index(fi), filter.RequestRedirect, "cannot specify backendRefs when using RequestRedirect filter")) |
|
||
return true | ||
return *matches[0].Path.Type == gatewayv1b1.PathMatchPathPrefix |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This feels not very safe and also not relevant to the rest of the PR, maybe revert this change?
BackendRef: gatewayv1b1.BackendRef{ | ||
BackendObjectReference: gatewayv1b1.BackendObjectReference{ | ||
Name: gatewayv1b1.ObjectName("test"), | ||
Port: ptrTo(gatewayv1b1.PortNumber(8080)), | ||
}, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also looks like it's repeated a lot, can we use a var for this?
Hey @Xunzhuo are you still interested in working on this? If so, please reopen the PR. Closing for now because it seems to have gone stale. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Webhook validation should prevent a HTTPRoute that specifies a redirect filter from specifying a backendRef
Which issue(s) this PR fixes:
Fixes: #1779
Does this PR introduce a user-facing change?: