Fix #16298: Allow customization of headers in Route#16355
Fix #16298: Allow customization of headers in Route#16355aviralgarg05 wants to merge 3 commits intoknative:mainfrom
Conversation
- Add AppendHeaders to TrafficTarget
- Update Route validation
- Update Ingress generation to propagate AppendHeaders
- Add unit tests
- Manually update DeepCopy for AppendHeaders
knative-prow
Bot
added
size/L
|
Hi @aviralgarg05. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aviralgarg05 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #16355 +/- ##
==========================================
- Coverage 80.23% 80.20% -0.03%
==========================================
Files 216 216
Lines 13440 13450 +10
==========================================
+ Hits 10784 10788 +4
- Misses 2293 2298 +5
- Partials 363 364 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Hi @aviralgarg05 , I'm not experienced enough to know extending the spec would work especially considering that adding headers might not be supported by all implementations, I guess @dprotaso has more background on what could be done? |
|
/hold We don't want to accept spec changes without a discussion. Generally it requires us to follow the feature track process https://github.com/knative/community/blob/main/mechanics/FEATURE-TRACKS.md |
knative-prow
Bot
added
the
do-not-merge/hold
|
Also note the change as is has security concerns because you're able to set any arbitrary header which can mess up scale to zero activation. |
|
So can you guide me on how we will be moving forward with this PR? |
|
@aviralgarg05 frankly I'm unsure. The other issue for me is expanding on our Route type might not be worth it if we can sort out how we can leverage HTTPRoute to point to Knative Revisions directly. |
|
Thanks for the feedback @dprotaso. I understand the concerns regarding security and the potential shift towards Since expanding Alternatively, if the Let me know how you'd prefer to proceed. |
|
It seems the work that would enable this has sorta stalled out upstream - kubernetes-sigs/gateway-api#3608
I think it's probably best for me to get more information. For example if you're baking a fixed header and value in every incoming request is there a reason why this can't be configured in the application? eg. just set that option as an environment variable etc. |
That's a fair point! The reason we can't do it in the app is that these headers are for security tools that check the request before it even arrives. Since those tools see the request first, the app doesn't have a chance to add them. I’m also definitely open to the restricted version you suggested if you think that's a safer way to go! |
|
Also what networking layer are you using?
Can you clarify and expand on that? If you're configuring this security tool to check for these headers and to address this you want to add headers to the inbound request then that seems like you're introducing the constraint on yourself? |
I am using Istio. The security tool is shared infrastructure that requires these headers to identify the application and apply the right policies. Since I don't manage that service directly, adding headers at the Route level is the best way for me to handle the integration |
What's the tool? |
The original issue (#16298) describes it as an Istio External Authorizer handling SSO/JWT/SAML. I'm working from that use case rather than a specific deployment, so I don't have the exact tool name—just that it's a shared ExtAuthz service that uses headers like x-accept-auth to determine which auth flow to apply. |
|
Thanks for the change. But I'm going to close this out as the original issue is actually a big security hole - please see: #16298 (comment) |
3 participants
Pull Request Description
Fixes #16298
Proposed Changes
AppendHeadersfield (typemap[string]string) to theTrafficTargetstruct inpkg/apis/serving/v1/route_types.go. This allows users to specify custom HTTP headers for specific traffic targets in a Knative Route.validateAppendHeadersinpkg/apis/serving/v1/route_validation.goto ensure that all keys provided inAppendHeadersare valid HTTP header names according to RFC 7230 and that the field is not present in the Status of the Route.pkg/reconciler/route/resources/ingress.go. TheAppendHeadersfrom theRoute'sTrafficTargetare now merged with system-level headers (like activator headers) usingkmeta.UnionMapsand propagated to theIngressBackendSplit.pkg/apis/serving/v1/zz_generated.deepcopy.goto include deep copy support for the newAppendHeadersmap, ensuring the field survives reconciliation cycles.pkg/apis/serving/v1/route_validation_test.goto verify valid and invalid header configurations.TestMakeIngressSpecWithAppendHeaderstopkg/reconciler/route/resources/ingress_test.goto confirm that headers are correctly passed through to the networking layer.Release Note