Adding PathType to Ingress

Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>

pkg/apis/networking/fuzzer/fuzzer.go

@@ -44,5 +44,10 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 				np.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress}
 			}
 		},
+		func(path *networking.HTTPIngressPath, c fuzz.Continue) {
+			c.FuzzNoCustom(path) // fuzz self without calling this function again
+			pathTypes := []networking.PathType{networking.PathTypeExact, networking.PathTypePrefix, networking.PathTypeImplementationSpecific}
+			path.PathType = &pathTypes[c.Rand.Intn(len(pathTypes))]
+		},
 	}
 }

pkg/apis/networking/types.go

@@ -345,8 +345,9 @@ type IngressStatus struct {
 }
 
 // IngressRule represents the rules mapping the paths under a specified host to
-// the related backend services. Incoming requests are first evaluated for a host
-// match, then routed to the backend associated with the matching IngressRuleValue.
+// the related backend services. Incoming requests are first evaluated for a
+// host match, then routed to the backend associated with the matching
+// IngressRuleValue.
 type IngressRule struct {
 	// Host is the fully qualified domain name of a network host, as defined
 	// by RFC 3986. Note the following deviations from the "host" part of the
@@ -362,11 +363,12 @@ type IngressRule struct {
 	// specified IngressRuleValue.
 	// +optional
 	Host string
-	// IngressRuleValue represents a rule to route requests for this IngressRule.
-	// If unspecified, the rule defaults to a http catch-all. Whether that sends
-	// just traffic matching the host to the default backend or all traffic to the
-	// default backend, is left to the controller fulfilling the Ingress. Http is
-	// currently the only supported IngressRuleValue.
+	// IngressRuleValue represents a rule to route requests for this
+	// IngressRule. If unspecified, the rule defaults to a http catch-all.
+	// Whether that sends just traffic matching the host to the default backend
+	// or all traffic to the default backend, is left to the controller
+	// fulfilling the Ingress. Http is currently the only supported
+	// IngressRuleValue.
 	// +optional
 	IngressRuleValue
 }
@@ -398,19 +400,52 @@ type HTTPIngressRuleValue struct {
 	// options usable by a loadbalancer, like http keep-alive.
 }
 
-// HTTPIngressPath associates a path regex with a backend. Incoming urls matching
-// the path are forwarded to the backend.
+// PathType represents the type of path referred to by a HTTPIngressPath.
+type PathType string
+
+const (
+	// PathTypeExact matches the URL path exactly and with case sensitivity.
+	PathTypeExact = PathType("Exact")
+
+	// PathTypePrefix matches based on a URL path prefix split by '/'. Matching
+	// is case sensitive and done on a path element by element basis. A path
+	// element refers to the list of labels in the path split by the '/'
+	// separator. A request is a match for path p if every p is an element-wise
+	// prefix of p of the request path. Note that if the last element of the
+	// path is a substring of the last element in request path, it is not a
+	// match (e.g. /foo/bar matches /foo/bar/baz, but does not match
+	// /foo/barbaz). If multiple matching paths exist in an Ingress spec, the
+	// longest matching path is given priority.
+	// Examples:
+	// - /foo/bar does not match requests to /foo/barbaz
+	// - /foo/bar matches request to /foo/bar and /foo/bar/baz
+	// - /foo and /foo/ both match requests to /foo and /foo/. If both paths are
+	//   present in an Ingress spec, the longest matching path (/foo/) is given
+	//   priority.
+	PathTypePrefix = PathType("Prefix")
+
+	// PathTypeImplementationSpecific matching is up to the IngressClass.
+	// Implementations can treat this as a separate PathType or treat it
+	// identically to Prefix or Exact path types.
+	PathTypeImplementationSpecific = PathType("ImplementationSpecific")
+)
+
+// HTTPIngressPath associates a path with a backend. Incoming urls matching the
+// path are forwarded to the backend.
 type HTTPIngressPath struct {
-	// Path is an extended POSIX regex as defined by IEEE Std 1003.1,
-	// (i.e this follows the egrep/unix syntax, not the perl syntax)
-	// matched against the path of an incoming request. Currently it can
-	// contain characters disallowed from the conventional "path"
-	// part of a URL as defined by RFC 3986. Paths must begin with
-	// a '/'. If unspecified, the path defaults to a catch all sending
-	// traffic to the backend.
+	// Path is matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path" part of a URL
+	// as defined by RFC 3986. Paths must begin with a '/'. When unspecified,
+	// all paths from incoming requests are matched.
 	// +optional
 	Path string
 
+	// PathType determines the interpretation of the Path matching. PathType can
+	// be one of Exact, Prefix, or ImplementationSpecific. Implementations are
+	// required to support all path types.
+	// +optional
+	PathType *PathType
+
 	// Backend defines the referenced service endpoint to which the traffic
 	// will be forwarded to.
 	Backend IngressBackend

pkg/apis/networking/v1/defaults_test.go

@@ -21,7 +21,6 @@ import (
 	"testing"
 
 	networkingv1 "k8s.io/api/networking/v1"
-
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -236,6 +235,7 @@ func TestSetDefaultNetworkPolicy(t *testing.T) {
 }
 
 func roundTrip(t *testing.T, obj runtime.Object) runtime.Object {
+	t.Helper()
 	data, err := runtime.Encode(legacyscheme.Codecs.LegacyCodec(SchemeGroupVersion), obj)
 	if err != nil {
 		t.Errorf("%v\n %#v", err, obj)

pkg/apis/networking/v1beta1/BUILD

@@ -1,6 +1,6 @@
 package(default_visibility = ["//visibility:public"])
 
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 
 go_library(
     name = "go_default_library",
@@ -36,3 +36,16 @@ filegroup(
     srcs = [":package-srcs"],
     tags = ["automanaged"],
 )
+
+go_test(
+    name = "go_default_test",
+    srcs = ["defaults_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//pkg/api/legacyscheme:go_default_library",
+        "//pkg/apis/networking/install:go_default_library",
+        "//staging/src/k8s.io/api/networking/v1beta1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+    ],
+)

pkg/apis/networking/v1beta1/defaults.go

@@ -17,9 +17,17 @@ limitations under the License.
 package v1beta1
 
 import (
+	networkingv1beta1 "k8s.io/api/networking/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
 	return RegisterDefaults(scheme)
 }
+
+func SetDefaults_HTTPIngressPath(obj *networkingv1beta1.HTTPIngressPath) {
+	var defaultPathType = networkingv1beta1.PathTypeImplementationSpecific
+	if obj.PathType == nil {
+		obj.PathType = &defaultPathType
+	}
+}

pkg/apis/networking/v1beta1/defaults_test.go

@@ -0,0 +1,101 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1_test
+
+import (
+	"reflect"
+	"testing"
+
+	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	_ "k8s.io/kubernetes/pkg/apis/networking/install"
+	. "k8s.io/kubernetes/pkg/apis/networking/v1beta1"
+)
+
+func TestSetIngressPathDefaults(t *testing.T) {
+	pathTypeImplementationSpecific := networkingv1beta1.PathTypeImplementationSpecific
+	pathTypeExact := networkingv1beta1.PathTypeExact
+
+	testCases := map[string]struct {
+		original *networkingv1beta1.HTTPIngressPath
+		expected *networkingv1beta1.HTTPIngressPath
+	}{
+		"empty pathType should default to ImplementationSpecific": {
+			original: &networkingv1beta1.HTTPIngressPath{},
+			expected: &networkingv1beta1.HTTPIngressPath{PathType: &pathTypeImplementationSpecific},
+		},
+		"ImplementationSpecific pathType should not change": {
+			original: &networkingv1beta1.HTTPIngressPath{PathType: &pathTypeImplementationSpecific},
+			expected: &networkingv1beta1.HTTPIngressPath{PathType: &pathTypeImplementationSpecific},
+		},
+		"Exact pathType should not change": {
+			original: &networkingv1beta1.HTTPIngressPath{PathType: &pathTypeExact},
+			expected: &networkingv1beta1.HTTPIngressPath{PathType: &pathTypeExact},
+		},
+	}
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			ingressOriginal := wrapIngressPath(testCase.original)
+			ingressExpected := wrapIngressPath(testCase.expected)
+			runtimeObj := roundTrip(t, runtime.Object(ingressOriginal))
+			ingressActual, ok := runtimeObj.(*networkingv1beta1.Ingress)
+			if !ok {
+				t.Fatalf("Unexpected object: %v", ingressActual)
+			}
+			if !apiequality.Semantic.DeepEqual(ingressActual.Spec, ingressExpected.Spec) {
+				t.Errorf("Expected: %+v, got: %+v", ingressExpected.Spec, ingressActual.Spec)
+			}
+		})
+	}
+}
+
+func wrapIngressPath(path *networkingv1beta1.HTTPIngressPath) *networkingv1beta1.Ingress {
+	return &networkingv1beta1.Ingress{
+		Spec: networkingv1beta1.IngressSpec{
+			Rules: []networkingv1beta1.IngressRule{{
+				IngressRuleValue: networkingv1beta1.IngressRuleValue{
+					HTTP: &networkingv1beta1.HTTPIngressRuleValue{
+						Paths: []networkingv1beta1.HTTPIngressPath{*path},
+					},
+				},
+			}},
+		},
+	}
+}
+
+func roundTrip(t *testing.T, obj runtime.Object) runtime.Object {
+	t.Helper()
+	data, err := runtime.Encode(legacyscheme.Codecs.LegacyCodec(SchemeGroupVersion), obj)
+	if err != nil {
+		t.Errorf("%v\n %#v", err, obj)
+		return nil
+	}
+	obj2, err := runtime.Decode(legacyscheme.Codecs.UniversalDecoder(), data)
+	if err != nil {
+		t.Errorf("%v\nData: %s\nSource: %#v", err, string(data), obj)
+		return nil
+	}
+	obj3 := reflect.New(reflect.TypeOf(obj).Elem()).Interface().(runtime.Object)
+	err = legacyscheme.Scheme.Convert(obj2, obj3, nil)
+	if err != nil {
+		t.Errorf("%v\nSource: %#v", err, obj2)
+		return nil
+	}
+	return obj3
+}

pkg/apis/networking/v1beta1/zz_generated.conversion.go

@@ -174,6 +174,7 @@ func RegisterConversions(s *runtime.Scheme) error {
 
 func autoConvert_v1beta1_HTTPIngressPath_To_networking_HTTPIngressPath(in *v1beta1.HTTPIngressPath, out *networking.HTTPIngressPath, s conversion.Scope) error {
 	out.Path = in.Path
+	out.PathType = (*networking.PathType)(unsafe.Pointer(in.PathType))
 	if err := Convert_v1beta1_IngressBackend_To_networking_IngressBackend(&in.Backend, &out.Backend, s); err != nil {
 		return err
 	}
@@ -187,6 +188,7 @@ func Convert_v1beta1_HTTPIngressPath_To_networking_HTTPIngressPath(in *v1beta1.H
 
 func autoConvert_networking_HTTPIngressPath_To_v1beta1_HTTPIngressPath(in *networking.HTTPIngressPath, out *v1beta1.HTTPIngressPath, s conversion.Scope) error {
 	out.Path = in.Path
+	out.PathType = (*v1beta1.PathType)(unsafe.Pointer(in.PathType))
 	if err := Convert_networking_IngressBackend_To_v1beta1_IngressBackend(&in.Backend, &out.Backend, s); err != nil {
 		return err
 	}

pkg/apis/networking/v1beta1/zz_generated.defaults.go

@@ -21,6 +21,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	v1beta1 "k8s.io/api/networking/v1beta1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -28,5 +29,26 @@ import (
 // Public to allow building arbitrary schemes.
 // All generated defaulters are covering - they call all nested defaulters.
 func RegisterDefaults(scheme *runtime.Scheme) error {
+	scheme.AddTypeDefaultingFunc(&v1beta1.Ingress{}, func(obj interface{}) { SetObjectDefaults_Ingress(obj.(*v1beta1.Ingress)) })
+	scheme.AddTypeDefaultingFunc(&v1beta1.IngressList{}, func(obj interface{}) { SetObjectDefaults_IngressList(obj.(*v1beta1.IngressList)) })
 	return nil
 }
+
+func SetObjectDefaults_Ingress(in *v1beta1.Ingress) {
+	for i := range in.Spec.Rules {
+		a := &in.Spec.Rules[i]
+		if a.IngressRuleValue.HTTP != nil {
+			for j := range a.IngressRuleValue.HTTP.Paths {
+				b := &a.IngressRuleValue.HTTP.Paths[j]
+				SetDefaults_HTTPIngressPath(b)
+			}
+		}
+	}
+}
+
+func SetObjectDefaults_IngressList(in *v1beta1.IngressList) {
+	for i := range in.Items {
+		a := &in.Items[i]
+		SetObjectDefaults_Ingress(a)
+	}
+}

pkg/apis/networking/validation/BUILD

@@ -17,8 +17,11 @@ go_test(
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/networking:go_default_library",
         "//pkg/features:go_default_library",
+        "//staging/src/k8s.io/api/networking/v1:go_default_library",
+        "//staging/src/k8s.io/api/networking/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
@@ -43,6 +46,7 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/validation/path:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",

pkg/apis/networking/validation/validation.go

@@ -17,6 +17,7 @@ limitations under the License.
 package validation
 
 import (
+	"fmt"
 	"net"
 	"regexp"
 	"strings"
@@ -24,6 +25,7 @@ import (
 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	pathvalidation "k8s.io/apimachinery/pkg/api/validation/path"
 	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -38,6 +40,16 @@ const (
 	maxLenIngressClassController = 250
 )
 
+var (
+	supportedPathTypes = sets.NewString(
+		string(networking.PathTypeExact),
+		string(networking.PathTypePrefix),
+		string(networking.PathTypeImplementationSpecific),
+	)
+	invalidPathSequences = []string{"//", "/./", "/../", "%2f", "%2F"}
+	invalidPathSuffixes  = []string{"/..", "/."}
+)
+
 // ValidateNetworkPolicyName can be used to check whether the given networkpolicy
 // name is valid.
 func ValidateNetworkPolicyName(name string, prefix bool) []string {
@@ -184,17 +196,27 @@ func ValidateIPBlock(ipb *networking.IPBlock, fldPath *field.Path) field.ErrorLi
 // name.
 var ValidateIngressName = apimachineryvalidation.NameIsDNSSubdomain
 
+// IngressValidationOptions cover beta to GA transitions for HTTP PathType
+type IngressValidationOptions struct {
+	requireRegexPath bool
+}
+
 // ValidateIngress validates Ingresses on create and update.
-func ValidateIngress(ingress *networking.Ingress) field.ErrorList {
+func validateIngress(ingress *networking.Ingress, opts IngressValidationOptions, requestGV schema.GroupVersion) field.ErrorList {
 	allErrs := apivalidation.ValidateObjectMeta(&ingress.ObjectMeta, true, ValidateIngressName, field.NewPath("metadata"))
-	allErrs = append(allErrs, ValidateIngressSpec(&ingress.Spec, field.NewPath("spec"))...)
+	allErrs = append(allErrs, ValidateIngressSpec(&ingress.Spec, field.NewPath("spec"), opts, requestGV)...)
 	return allErrs
 }
 
 // ValidateIngressCreate validates Ingresses on create.
-func ValidateIngressCreate(ingress *networking.Ingress) field.ErrorList {
+func ValidateIngressCreate(ingress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList {
 	allErrs := field.ErrorList{}
-	allErrs = append(allErrs, ValidateIngress(ingress)...)
+	var opts IngressValidationOptions
+	opts = IngressValidationOptions{
+		// TODO(robscott): Remove regex validation for 1.19.
+		requireRegexPath: true,
+	}
+	allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...)
 	annotationVal, annotationIsSet := ingress.Annotations[annotationIngressClass]
 	if annotationIsSet && ingress.Spec.IngressClassName != nil {
 		annotationPath := field.NewPath("annotations").Child(annotationIngressClass)
@@ -204,9 +226,17 @@ func ValidateIngressCreate(ingress *networking.Ingress) field.ErrorList {
 }
 
 // ValidateIngressUpdate validates ingresses on update.
-func ValidateIngressUpdate(ingress, oldIngress *networking.Ingress) field.ErrorList {
+func ValidateIngressUpdate(ingress, oldIngress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList {
 	allErrs := apivalidation.ValidateObjectMetaUpdate(&ingress.ObjectMeta, &oldIngress.ObjectMeta, field.NewPath("metadata"))
-	allErrs = append(allErrs, ValidateIngress(ingress)...)
+	var opts IngressValidationOptions
+	opts = IngressValidationOptions{
+		// TODO(robscott): Remove regex validation for 1.19.
+		// Only require regex path validation for this Ingress if the previous
+		// version of the Ingress also passed that validation.
+		requireRegexPath: allPathsPassRegexValidation(oldIngress),
+	}
+
+	allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...)
 	return allErrs
 }
 
@@ -232,16 +262,17 @@ func validateIngressTLS(spec *networking.IngressSpec, fldPath *field.Path) field
 }
 
 // ValidateIngressSpec tests if required fields in the IngressSpec are set.
-func ValidateIngressSpec(spec *networking.IngressSpec, fldPath *field.Path) field.ErrorList {
+func ValidateIngressSpec(spec *networking.IngressSpec, fldPath *field.Path, opts IngressValidationOptions, requestGV schema.GroupVersion) field.ErrorList {
 	allErrs := field.ErrorList{}
-	// TODO: Is a default backend mandatory?
+	if len(spec.Rules) == 0 && spec.Backend == nil {
+		errMsg := "either `backend` or `rules` must be specified"
+		allErrs = append(allErrs, field.Invalid(fldPath, spec.Rules, errMsg))
+	}
 	if spec.Backend != nil {
 		allErrs = append(allErrs, validateIngressBackend(spec.Backend, fldPath.Child("backend"))...)
-	} else if len(spec.Rules) == 0 {
-		allErrs = append(allErrs, field.Invalid(fldPath, spec.Rules, "either `backend` or `rules` must be specified"))
 	}
 	if len(spec.Rules) > 0 {
-		allErrs = append(allErrs, validateIngressRules(spec.Rules, fldPath.Child("rules"))...)
+		allErrs = append(allErrs, validateIngressRules(spec.Rules, fldPath.Child("rules"), opts)...)
 	}
 	if len(spec.TLS) > 0 {
 		allErrs = append(allErrs, validateIngressTLS(spec, fldPath.Child("tls"))...)
@@ -261,7 +292,7 @@ func ValidateIngressStatusUpdate(ingress, oldIngress *networking.Ingress) field.
 	return allErrs
 }
 
-func validateIngressRules(ingressRules []networking.IngressRule, fldPath *field.Path) field.ErrorList {
+func validateIngressRules(ingressRules []networking.IngressRule, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if len(ingressRules) == 0 {
 		return append(allErrs, field.Required(fldPath, ""))
@@ -283,45 +314,74 @@ func validateIngressRules(ingressRules []networking.IngressRule, fldPath *field.
 				allErrs = append(allErrs, field.Invalid(fldPath.Index(i).Child("host"), ih.Host, msg))
 			}
 		}
-		allErrs = append(allErrs, validateIngressRuleValue(&ih.IngressRuleValue, fldPath.Index(0))...)
+		allErrs = append(allErrs, validateIngressRuleValue(&ih.IngressRuleValue, fldPath.Index(0), opts)...)
 	}
 	return allErrs
 }
 
-func validateIngressRuleValue(ingressRule *networking.IngressRuleValue, fldPath *field.Path) field.ErrorList {
+func validateIngressRuleValue(ingressRule *networking.IngressRuleValue, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if ingressRule.HTTP != nil {
-		allErrs = append(allErrs, validateHTTPIngressRuleValue(ingressRule.HTTP, fldPath.Child("http"))...)
+		allErrs = append(allErrs, validateHTTPIngressRuleValue(ingressRule.HTTP, fldPath.Child("http"), opts)...)
 	}
 	return allErrs
 }
 
-func validateHTTPIngressRuleValue(httpIngressRuleValue *networking.HTTPIngressRuleValue, fldPath *field.Path) field.ErrorList {
+func validateHTTPIngressRuleValue(httpIngressRuleValue *networking.HTTPIngressRuleValue, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if len(httpIngressRuleValue.Paths) == 0 {
 		allErrs = append(allErrs, field.Required(fldPath.Child("paths"), ""))
 	}
-	for i, rule := range httpIngressRuleValue.Paths {
-		if len(rule.Path) > 0 {
-			if !strings.HasPrefix(rule.Path, "/") {
-				allErrs = append(allErrs, field.Invalid(fldPath.Child("paths").Index(i).Child("path"), rule.Path, "must be an absolute path"))
+	for i, path := range httpIngressRuleValue.Paths {
+		allErrs = append(allErrs, validateHTTPIngressPath(&path, fldPath.Child("paths").Index(i), opts)...)
+	}
+	return allErrs
+}
+
+func validateHTTPIngressPath(path *networking.HTTPIngressPath, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if path.PathType == nil {
+		return append(allErrs, field.Required(fldPath.Child("pathType"), "pathType must be specified"))
+	}
+
+	switch *path.PathType {
+	case networking.PathTypeExact, networking.PathTypePrefix:
+		if !strings.HasPrefix(path.Path, "/") {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, "must be an absolute path"))
+		}
+		if len(path.Path) > 0 {
+			for _, invalidSeq := range invalidPathSequences {
+				if strings.Contains(path.Path, invalidSeq) {
+					allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, fmt.Sprintf("must not contain '%s'", invalidSeq)))
+				}
 			}
-			// TODO: More draconian path regex validation.
-			// Path must be a valid regex. This is the basic requirement.
-			// In addition to this any characters not allowed in a path per
-			// RFC 3986 section-3.3 cannot appear as a literal in the regex.
-			// Consider the example: http://host/valid?#bar, everything after
-			// the last '/' is a valid regex that matches valid#bar, which
-			// isn't a valid path, because the path terminates at the first ?
-			// or #. A more sophisticated form of validation would detect that
-			// the user is confusing url regexes with path regexes.
-			_, err := regexp.CompilePOSIX(rule.Path)
-			if err != nil {
-				allErrs = append(allErrs, field.Invalid(fldPath.Child("paths").Index(i).Child("path"), rule.Path, "must be a valid regex"))
+
+			for _, invalidSuff := range invalidPathSuffixes {
+				if strings.HasSuffix(path.Path, invalidSuff) {
+					allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, fmt.Sprintf("cannot end with '%s'", invalidSuff)))
+				}
 			}
 		}
-		allErrs = append(allErrs, validateIngressBackend(&rule.Backend, fldPath.Child("backend"))...)
+	case networking.PathTypeImplementationSpecific:
+		if len(path.Path) > 0 {
+			if !strings.HasPrefix(path.Path, "/") {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, "must be an absolute path"))
+			}
+		}
+	default:
+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("pathType"), *path.PathType, supportedPathTypes.List()))
 	}
+
+	// TODO(robscott): Remove regex validation for 1.19.
+	if opts.requireRegexPath {
+		_, err := regexp.CompilePOSIX(path.Path)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, "must be a valid regex"))
+		}
+	}
+
+	allErrs = append(allErrs, validateIngressBackend(&path.Backend, fldPath.Child("backend"))...)
 	return allErrs
 }
 
@@ -408,3 +468,22 @@ func validateIngressClassParameters(params *api.TypedLocalObjectReference, fldPa
 
 	return allErrs
 }
+
+// allPathsPassRegexValidation returns true if the Ingress has paths that all
+// match the Ingress path validation with requireRegexPath enabled.
+func allPathsPassRegexValidation(ingress *networking.Ingress) bool {
+	for _, rule := range ingress.Spec.Rules {
+		if rule.HTTP == nil {
+			continue
+		}
+		for _, path := range rule.HTTP.Paths {
+			if len(path.Path) == 0 {
+				continue
+			}
+			if _, err := regexp.CompilePOSIX(path.Path); err != nil {
+				return false
+			}
+		}
+	}
+	return true
+}

pkg/apis/networking/validation/validation_test.go

@@ -18,19 +18,22 @@ package validation
 
 import (
 	"fmt"
-	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-	utilpointer "k8s.io/utils/pointer"
 	"strings"
 	"testing"
 
+	networkingv1 "k8s.io/api/networking/v1"
+	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/networking"
 	"k8s.io/kubernetes/pkg/features"
+	utilpointer "k8s.io/utils/pointer"
 )
 
 func TestValidateNetworkPolicy(t *testing.T) {
@@ -897,106 +900,265 @@ func TestValidateIngress(t *testing.T) {
 		ServiceName: "default-backend",
 		ServicePort: intstr.FromInt(80),
 	}
+	pathTypePrefix := networking.PathTypePrefix
+	pathTypeImplementationSpecific := networking.PathTypeImplementationSpecific
+	pathTypeFoo := networking.PathType("foo")
 
-	newValid := func() networking.Ingress {
-		return networking.Ingress{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "foo",
-				Namespace: metav1.NamespaceDefault,
+	baseIngress := networking.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: metav1.NamespaceDefault,
+		},
+		Spec: networking.IngressSpec{
+			Backend: &networking.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
 			},
-			Spec: networking.IngressSpec{
-				Backend: &networking.IngressBackend{
-					ServiceName: "default-backend",
-					ServicePort: intstr.FromInt(80),
-				},
-				Rules: []networking.IngressRule{
-					{
-						Host: "foo.bar.com",
-						IngressRuleValue: networking.IngressRuleValue{
-							HTTP: &networking.HTTPIngressRuleValue{
-								Paths: []networking.HTTPIngressPath{
-									{
-										Path:    "/foo",
-										Backend: defaultBackend,
-									},
+			Rules: []networking.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{
+								{
+									Path:     "/foo",
+									PathType: &pathTypeImplementationSpecific,
+									Backend:  defaultBackend,
 								},
 							},
 						},
 					},
 				},
 			},
-			Status: networking.IngressStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{
-						{IP: "127.0.0.1"},
-					},
+		},
+		Status: networking.IngressStatus{
+			LoadBalancer: api.LoadBalancerStatus{
+				Ingress: []api.LoadBalancerIngress{
+					{IP: "127.0.0.1"},
 				},
 			},
-		}
-	}
-	servicelessBackend := newValid()
-	servicelessBackend.Spec.Backend.ServiceName = ""
-	invalidNameBackend := newValid()
-	invalidNameBackend.Spec.Backend.ServiceName = "defaultBackend"
-	noPortBackend := newValid()
-	noPortBackend.Spec.Backend = &networking.IngressBackend{ServiceName: defaultBackend.ServiceName}
-	noForwardSlashPath := newValid()
-	noForwardSlashPath.Spec.Rules[0].IngressRuleValue.HTTP.Paths = []networking.HTTPIngressPath{
-		{
-			Path:    "invalid",
-			Backend: defaultBackend,
 		},
 	}
-	noPaths := newValid()
-	noPaths.Spec.Rules[0].IngressRuleValue.HTTP.Paths = []networking.HTTPIngressPath{}
-	badHost := newValid()
-	badHost.Spec.Rules[0].Host = "foobar:80"
-	badRegexPath := newValid()
-	badPathExpr := "/invalid["
-	badRegexPath.Spec.Rules[0].IngressRuleValue.HTTP.Paths = []networking.HTTPIngressPath{
-		{
-			Path:    badPathExpr,
-			Backend: defaultBackend,
+
+	testCases := map[string]struct {
+		groupVersion       *schema.GroupVersion
+		tweakIngress       func(ing *networking.Ingress)
+		expectErrsOnFields []string
+	}{
+		"empty path (implementation specific)": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].Path = ""
+			},
+			expectErrsOnFields: []string{},
+		},
+		"valid path": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].Path = "/valid"
+			},
+			expectErrsOnFields: []string{},
+		},
+		// invalid use cases
+		"backend (v1beta1) with no service": {
+			groupVersion: &networkingv1beta1.SchemeGroupVersion,
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Backend.ServiceName = ""
+			},
+			expectErrsOnFields: []string{
+				"spec.backend.serviceName",
+			},
+		},
+		"invalid path type": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathTypeFoo
+			},
+			expectErrsOnFields: []string{
+				"spec.rules[0].http.paths[0].pathType",
+			},
+		},
+		"empty path (prefix)": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].Path = ""
+				ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathTypePrefix
+			},
+			expectErrsOnFields: []string{
+				"spec.rules[0].http.paths[0].path",
+			},
+		},
+		"no paths": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths = []networking.HTTPIngressPath{}
+			},
+			expectErrsOnFields: []string{
+				"spec.rules[0].http.paths",
+			},
+		},
+		"invalid host (foobar:80)": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].Host = "foobar:80"
+			},
+			expectErrsOnFields: []string{
+				"spec.rules[0].host",
+			},
+		},
+		"invalid host (127.0.0.1)": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].Host = "127.0.0.1"
+			},
+			expectErrsOnFields: []string{
+				"spec.rules[0].host",
+			},
 		},
 	}
-	badPathErr := fmt.Sprintf("spec.rules[0].http.paths[0].path: Invalid value: '%v'", badPathExpr)
-	hostIP := "127.0.0.1"
-	badHostIP := newValid()
-	badHostIP.Spec.Rules[0].Host = hostIP
-	badHostIPErr := fmt.Sprintf("spec.rules[0].host: Invalid value: '%v'", hostIP)
 
-	errorCases := map[string]networking.Ingress{
-		"spec.backend.serviceName: Required value":        servicelessBackend,
-		"spec.backend.serviceName: Invalid value":         invalidNameBackend,
-		"spec.backend.servicePort: Invalid value":         noPortBackend,
-		"spec.rules[0].host: Invalid value":               badHost,
-		"spec.rules[0].http.paths: Required value":        noPaths,
-		"spec.rules[0].http.paths[0].path: Invalid value": noForwardSlashPath,
-	}
-	errorCases[badPathErr] = badRegexPath
-	errorCases[badHostIPErr] = badHostIP
-
-	wildcardHost := "foo.*.bar.com"
-	badWildcard := newValid()
-	badWildcard.Spec.Rules[0].Host = wildcardHost
-	badWildcardErr := fmt.Sprintf("spec.rules[0].host: Invalid value: '%v'", wildcardHost)
-	errorCases[badWildcardErr] = badWildcard
-
-	for k, v := range errorCases {
-		errs := ValidateIngress(&v)
-		if len(errs) == 0 {
-			t.Errorf("expected failure for %q", k)
-		} else {
-			s := strings.Split(k, ":")
-			err := errs[0]
-			if err.Field != s[0] || !strings.Contains(err.Error(), s[1]) {
-				t.Errorf("unexpected error: %q, expected: %q", err, k)
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			ingress := baseIngress.DeepCopy()
+			testCase.tweakIngress(ingress)
+			gv := testCase.groupVersion
+			if gv == nil {
+				gv = &networkingv1.SchemeGroupVersion
 			}
-		}
+			errs := validateIngress(ingress, IngressValidationOptions{requireRegexPath: true}, *gv)
+			if len(testCase.expectErrsOnFields) != len(errs) {
+				t.Fatalf("Expected %d errors, got %d errors: %v", len(testCase.expectErrsOnFields), len(errs), errs)
+			}
+			for i, err := range errs {
+				if err.Field != testCase.expectErrsOnFields[i] {
+					t.Errorf("Expected error on field: %s, got: %s", testCase.expectErrsOnFields[i], err.Error())
+				}
+			}
+		})
+	}
+}
+
+func TestValidateIngressRuleValue(t *testing.T) {
+	fldPath := field.NewPath("testing.http.paths[0].path")
+	testCases := map[string]struct {
+		pathType         networking.PathType
+		path             string
+		requireRegexPath bool
+		expectedErrs     field.ErrorList
+	}{
+		"implementation specific: no leading slash": {
+			pathType:     networking.PathTypeImplementationSpecific,
+			path:         "foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "foo", "must be an absolute path")},
+		},
+		"implementation specific: leading slash": {
+			pathType:     networking.PathTypeImplementationSpecific,
+			path:         "/foo",
+			expectedErrs: field.ErrorList{},
+		},
+		"implementation specific: many slashes": {
+			pathType:     networking.PathTypeImplementationSpecific,
+			path:         "/foo/bar/foo",
+			expectedErrs: field.ErrorList{},
+		},
+		"implementation specific: repeating slashes": {
+			pathType:     networking.PathTypeImplementationSpecific,
+			path:         "/foo//bar/foo",
+			expectedErrs: field.ErrorList{},
+		},
+		"prefix: no leading slash": {
+			pathType:     networking.PathTypePrefix,
+			path:         "foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "foo", "must be an absolute path")},
+		},
+		"prefix: leading slash": {
+			pathType:     networking.PathTypePrefix,
+			path:         "/foo",
+			expectedErrs: field.ErrorList{},
+		},
+		"prefix: many slashes": {
+			pathType:     networking.PathTypePrefix,
+			path:         "/foo/bar/foo",
+			expectedErrs: field.ErrorList{},
+		},
+		"prefix: repeating slashes": {
+			pathType:     networking.PathTypePrefix,
+			path:         "/foo//bar/foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "/foo//bar/foo", "must not contain '//'")},
+		},
+		"exact: no leading slash": {
+			pathType:     networking.PathTypeExact,
+			path:         "foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "foo", "must be an absolute path")},
+		},
+		"exact: leading slash": {
+			pathType:     networking.PathTypeExact,
+			path:         "/foo",
+			expectedErrs: field.ErrorList{},
+		},
+		"exact: many slashes": {
+			pathType:     networking.PathTypeExact,
+			path:         "/foo/bar/foo",
+			expectedErrs: field.ErrorList{},
+		},
+		"exact: repeating slashes": {
+			pathType:     networking.PathTypeExact,
+			path:         "/foo//bar/foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "/foo//bar/foo", "must not contain '//'")},
+		},
+		"prefix: with /./": {
+			pathType:     networking.PathTypePrefix,
+			path:         "/foo/./foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "/foo/./foo", "must not contain '/./'")},
+		},
+		"exact: with /../": {
+			pathType:     networking.PathTypeExact,
+			path:         "/foo/../foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "/foo/../foo", "must not contain '/../'")},
+		},
+		"prefix: with %2f": {
+			pathType:     networking.PathTypePrefix,
+			path:         "/foo/%2f/foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "/foo/%2f/foo", "must not contain '%2f'")},
+		},
+		"exact: with %2F": {
+			pathType:     networking.PathTypeExact,
+			path:         "/foo/%2F/foo",
+			expectedErrs: field.ErrorList{field.Invalid(fldPath, "/foo/%2F/foo", "must not contain '%2F'")},
+		},
+	}
+
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			irv := &networking.IngressRuleValue{
+				HTTP: &networking.HTTPIngressRuleValue{
+					Paths: []networking.HTTPIngressPath{
+						{
+							Path:     testCase.path,
+							PathType: &testCase.pathType,
+							Backend: networking.IngressBackend{
+								ServiceName: "default-backend",
+								ServicePort: intstr.FromInt(80),
+							},
+						},
+					},
+				},
+			}
+
+			errs := validateIngressRuleValue(irv, field.NewPath("testing"), IngressValidationOptions{requireRegexPath: true})
+
+			if len(errs) != len(testCase.expectedErrs) {
+				t.Fatalf("Expected %d errors, got %d (%+v)", len(testCase.expectedErrs), len(errs), errs)
+			}
+
+			for i, err := range errs {
+				if err.Error() != testCase.expectedErrs[i].Error() {
+					t.Fatalf("Expected error: %v, got %v", testCase.expectedErrs[i], err)
+				}
+			}
+		})
 	}
 }
 
 func TestValidateIngressCreate(t *testing.T) {
+	implementationPathType := networking.PathTypeImplementationSpecific
+	defaultBackend := networking.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
 	baseIngress := networking.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            "test123",
@@ -1004,10 +1166,8 @@ func TestValidateIngressCreate(t *testing.T) {
 			ResourceVersion: "1234",
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
-			},
+			Backend: &defaultBackend,
+			Rules:   []networking.IngressRule{},
 		},
 	}
 
@@ -1034,6 +1194,40 @@ func TestValidateIngressCreate(t *testing.T) {
 			},
 			expectedErrs: field.ErrorList{field.Invalid(field.NewPath("annotations").Child(annotationIngressClass), "foo", "can not be set when the class field is also set")},
 		},
+		"valid regex path": {
+			tweakIngress: func(ingress *networking.Ingress) {
+				ingress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/([a-z0-9]*)",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+			},
+			expectedErrs: field.ErrorList{},
+		},
+		"invalid regex path": {
+			tweakIngress: func(ingress *networking.Ingress) {
+				ingress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/([a-z0-9]*)[",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+			},
+			expectedErrs: field.ErrorList{field.Invalid(field.NewPath("spec.rules[0].http.paths[0].path"), "/([a-z0-9]*)[", "must be a valid regex")},
+		},
 	}
 
 	for name, testCase := range testCases {
@@ -1041,7 +1235,7 @@ func TestValidateIngressCreate(t *testing.T) {
 			newIngress := baseIngress.DeepCopy()
 			testCase.tweakIngress(newIngress)
 
-			errs := ValidateIngressCreate(newIngress)
+			errs := ValidateIngressCreate(newIngress, networkingv1beta1.SchemeGroupVersion)
 			if len(errs) != len(testCase.expectedErrs) {
 				t.Fatalf("Expected %d errors, got %d (%+v)", len(testCase.expectedErrs), len(errs), errs)
 			}
@@ -1056,6 +1250,11 @@ func TestValidateIngressCreate(t *testing.T) {
 }
 
 func TestValidateIngressUpdate(t *testing.T) {
+	implementationPathType := networking.PathTypeImplementationSpecific
+	defaultBackend := networking.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
 	baseIngress := networking.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            "test123",
@@ -1063,10 +1262,7 @@ func TestValidateIngressUpdate(t *testing.T) {
 			ResourceVersion: "1234",
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
-			},
+			Backend: &defaultBackend,
 		},
 	}
 
@@ -1093,6 +1289,122 @@ func TestValidateIngressUpdate(t *testing.T) {
 			},
 			expectedErrs: field.ErrorList{},
 		},
+		"valid regex path -> valid regex path": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/([a-z0-9]*)",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+				newIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/([a-z0-9%]*)",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+			},
+			expectedErrs: field.ErrorList{},
+		},
+		"valid regex path -> invalid regex path": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/([a-z0-9]*)",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+				newIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/bar[",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+			},
+			expectedErrs: field.ErrorList{field.Invalid(field.NewPath("spec.rules[0].http.paths[0].path"), "/bar[", "must be a valid regex")},
+		},
+		"invalid regex path -> valid regex path": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/bar[",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+				newIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/([a-z0-9]*)",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+			},
+			expectedErrs: field.ErrorList{},
+		},
+		"invalid regex path -> invalid regex path": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/foo[",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+				newIngress.Spec.Rules = []networking.IngressRule{{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{{
+								Path:     "/bar[",
+								PathType: &implementationPathType,
+								Backend:  defaultBackend,
+							}},
+						},
+					},
+				}}
+			},
+			expectedErrs: field.ErrorList{},
+		},
 	}
 
 	for name, testCase := range testCases {
@@ -1101,7 +1413,7 @@ func TestValidateIngressUpdate(t *testing.T) {
 			oldIngress := baseIngress.DeepCopy()
 			testCase.tweakIngresses(newIngress, oldIngress)
 
-			errs := ValidateIngressUpdate(newIngress, oldIngress)
+			errs := ValidateIngressUpdate(newIngress, oldIngress, networkingv1beta1.SchemeGroupVersion)
 
 			if len(errs) != len(testCase.expectedErrs) {
 				t.Fatalf("Expected %d errors, got %d (%+v)", len(testCase.expectedErrs), len(errs), errs)
@@ -1360,7 +1672,7 @@ func TestValidateIngressTLS(t *testing.T) {
 	errorCases[badWildcardTLSErr] = badWildcardTLS
 
 	for k, v := range errorCases {
-		errs := ValidateIngress(&v)
+		errs := validateIngress(&v, IngressValidationOptions{requireRegexPath: true}, networkingv1beta1.SchemeGroupVersion)
 		if len(errs) == 0 {
 			t.Errorf("expected failure for %q", k)
 		} else {

pkg/apis/networking/zz_generated.deepcopy.go

@@ -30,6 +30,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPIngressPath) DeepCopyInto(out *HTTPIngressPath) {
 	*out = *in
+	if in.PathType != nil {
+		in, out := &in.PathType, &out.PathType
+		*out = new(PathType)
+		**out = **in
+	}
 	out.Backend = in.Backend
 	return
 }
@@ -50,7 +55,9 @@ func (in *HTTPIngressRuleValue) DeepCopyInto(out *HTTPIngressRuleValue) {
 	if in.Paths != nil {
 		in, out := &in.Paths, &out.Paths
 		*out = make([]HTTPIngressPath, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	return
 }