Adding PathType to Ingress
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
This commit is contained in:
Rob Scott
@@ -17,6 +17,7 @@ limitations under the License.
|
||||
package validation
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"regexp"
|
||||
"strings"
|
||||
@@ -24,6 +25,7 @@ import (
|
||||
apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
|
||||
pathvalidation "k8s.io/apimachinery/pkg/api/validation/path"
|
||||
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation"
|
||||
@@ -38,6 +40,16 @@ const (
|
||||
maxLenIngressClassController = 250
|
||||
)
|
||||
|
||||
var (
|
||||
supportedPathTypes = sets.NewString(
|
||||
string(networking.PathTypeExact),
|
||||
string(networking.PathTypePrefix),
|
||||
string(networking.PathTypeImplementationSpecific),
|
||||
)
|
||||
invalidPathSequences = []string{"//", "/./", "/../", "%2f", "%2F"}
|
||||
invalidPathSuffixes = []string{"/..", "/."}
|
||||
)
|
||||
|
||||
// ValidateNetworkPolicyName can be used to check whether the given networkpolicy
|
||||
// name is valid.
|
||||
func ValidateNetworkPolicyName(name string, prefix bool) []string {
|
||||
@@ -184,17 +196,27 @@ func ValidateIPBlock(ipb *networking.IPBlock, fldPath *field.Path) field.ErrorLi
|
||||
// name.
|
||||
var ValidateIngressName = apimachineryvalidation.NameIsDNSSubdomain
|
||||
|
||||
// IngressValidationOptions cover beta to GA transitions for HTTP PathType
|
||||
type IngressValidationOptions struct {
|
||||
requireRegexPath bool
|
||||
}
|
||||
|
||||
// ValidateIngress validates Ingresses on create and update.
|
||||
func ValidateIngress(ingress *networking.Ingress) field.ErrorList {
|
||||
func validateIngress(ingress *networking.Ingress, opts IngressValidationOptions, requestGV schema.GroupVersion) field.ErrorList {
|
||||
allErrs := apivalidation.ValidateObjectMeta(&ingress.ObjectMeta, true, ValidateIngressName, field.NewPath("metadata"))
|
||||
allErrs = append(allErrs, ValidateIngressSpec(&ingress.Spec, field.NewPath("spec"))...)
|
||||
allErrs = append(allErrs, ValidateIngressSpec(&ingress.Spec, field.NewPath("spec"), opts, requestGV)...)
|
||||
return allErrs
|
||||
}
|
||||
|
||||
// ValidateIngressCreate validates Ingresses on create.
|
||||
func ValidateIngressCreate(ingress *networking.Ingress) field.ErrorList {
|
||||
func ValidateIngressCreate(ingress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
allErrs = append(allErrs, ValidateIngress(ingress)...)
|
||||
var opts IngressValidationOptions
|
||||
opts = IngressValidationOptions{
|
||||
// TODO(robscott): Remove regex validation for 1.19.
|
||||
requireRegexPath: true,
|
||||
}
|
||||
allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...)
|
||||
annotationVal, annotationIsSet := ingress.Annotations[annotationIngressClass]
|
||||
if annotationIsSet && ingress.Spec.IngressClassName != nil {
|
||||
annotationPath := field.NewPath("annotations").Child(annotationIngressClass)
|
||||
@@ -204,9 +226,17 @@ func ValidateIngressCreate(ingress *networking.Ingress) field.ErrorList {
|
||||
}
|
||||
|
||||
// ValidateIngressUpdate validates ingresses on update.
|
||||
func ValidateIngressUpdate(ingress, oldIngress *networking.Ingress) field.ErrorList {
|
||||
func ValidateIngressUpdate(ingress, oldIngress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList {
|
||||
allErrs := apivalidation.ValidateObjectMetaUpdate(&ingress.ObjectMeta, &oldIngress.ObjectMeta, field.NewPath("metadata"))
|
||||
allErrs = append(allErrs, ValidateIngress(ingress)...)
|
||||
var opts IngressValidationOptions
|
||||
opts = IngressValidationOptions{
|
||||
// TODO(robscott): Remove regex validation for 1.19.
|
||||
// Only require regex path validation for this Ingress if the previous
|
||||
// version of the Ingress also passed that validation.
|
||||
requireRegexPath: allPathsPassRegexValidation(oldIngress),
|
||||
}
|
||||
|
||||
allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...)
|
||||
return allErrs
|
||||
}
|
||||
|
||||
@@ -232,16 +262,17 @@ func validateIngressTLS(spec *networking.IngressSpec, fldPath *field.Path) field
|
||||
}
|
||||
|
||||
// ValidateIngressSpec tests if required fields in the IngressSpec are set.
|
||||
func ValidateIngressSpec(spec *networking.IngressSpec, fldPath *field.Path) field.ErrorList {
|
||||
func ValidateIngressSpec(spec *networking.IngressSpec, fldPath *field.Path, opts IngressValidationOptions, requestGV schema.GroupVersion) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
// TODO: Is a default backend mandatory?
|
||||
if len(spec.Rules) == 0 && spec.Backend == nil {
|
||||
errMsg := "either `backend` or `rules` must be specified"
|
||||
allErrs = append(allErrs, field.Invalid(fldPath, spec.Rules, errMsg))
|
||||
}
|
||||
if spec.Backend != nil {
|
||||
allErrs = append(allErrs, validateIngressBackend(spec.Backend, fldPath.Child("backend"))...)
|
||||
} else if len(spec.Rules) == 0 {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath, spec.Rules, "either `backend` or `rules` must be specified"))
|
||||
}
|
||||
if len(spec.Rules) > 0 {
|
||||
allErrs = append(allErrs, validateIngressRules(spec.Rules, fldPath.Child("rules"))...)
|
||||
allErrs = append(allErrs, validateIngressRules(spec.Rules, fldPath.Child("rules"), opts)...)
|
||||
}
|
||||
if len(spec.TLS) > 0 {
|
||||
allErrs = append(allErrs, validateIngressTLS(spec, fldPath.Child("tls"))...)
|
||||
@@ -261,7 +292,7 @@ func ValidateIngressStatusUpdate(ingress, oldIngress *networking.Ingress) field.
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func validateIngressRules(ingressRules []networking.IngressRule, fldPath *field.Path) field.ErrorList {
|
||||
func validateIngressRules(ingressRules []networking.IngressRule, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
if len(ingressRules) == 0 {
|
||||
return append(allErrs, field.Required(fldPath, ""))
|
||||
@@ -283,45 +314,74 @@ func validateIngressRules(ingressRules []networking.IngressRule, fldPath *field.
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Index(i).Child("host"), ih.Host, msg))
|
||||
}
|
||||
}
|
||||
allErrs = append(allErrs, validateIngressRuleValue(&ih.IngressRuleValue, fldPath.Index(0))...)
|
||||
allErrs = append(allErrs, validateIngressRuleValue(&ih.IngressRuleValue, fldPath.Index(0), opts)...)
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func validateIngressRuleValue(ingressRule *networking.IngressRuleValue, fldPath *field.Path) field.ErrorList {
|
||||
func validateIngressRuleValue(ingressRule *networking.IngressRuleValue, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
if ingressRule.HTTP != nil {
|
||||
allErrs = append(allErrs, validateHTTPIngressRuleValue(ingressRule.HTTP, fldPath.Child("http"))...)
|
||||
allErrs = append(allErrs, validateHTTPIngressRuleValue(ingressRule.HTTP, fldPath.Child("http"), opts)...)
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func validateHTTPIngressRuleValue(httpIngressRuleValue *networking.HTTPIngressRuleValue, fldPath *field.Path) field.ErrorList {
|
||||
func validateHTTPIngressRuleValue(httpIngressRuleValue *networking.HTTPIngressRuleValue, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
if len(httpIngressRuleValue.Paths) == 0 {
|
||||
allErrs = append(allErrs, field.Required(fldPath.Child("paths"), ""))
|
||||
}
|
||||
for i, rule := range httpIngressRuleValue.Paths {
|
||||
if len(rule.Path) > 0 {
|
||||
if !strings.HasPrefix(rule.Path, "/") {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("paths").Index(i).Child("path"), rule.Path, "must be an absolute path"))
|
||||
for i, path := range httpIngressRuleValue.Paths {
|
||||
allErrs = append(allErrs, validateHTTPIngressPath(&path, fldPath.Child("paths").Index(i), opts)...)
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func validateHTTPIngressPath(path *networking.HTTPIngressPath, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
|
||||
if path.PathType == nil {
|
||||
return append(allErrs, field.Required(fldPath.Child("pathType"), "pathType must be specified"))
|
||||
}
|
||||
|
||||
switch *path.PathType {
|
||||
case networking.PathTypeExact, networking.PathTypePrefix:
|
||||
if !strings.HasPrefix(path.Path, "/") {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, "must be an absolute path"))
|
||||
}
|
||||
if len(path.Path) > 0 {
|
||||
for _, invalidSeq := range invalidPathSequences {
|
||||
if strings.Contains(path.Path, invalidSeq) {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, fmt.Sprintf("must not contain '%s'", invalidSeq)))
|
||||
}
|
||||
}
|
||||
// TODO: More draconian path regex validation.
|
||||
// Path must be a valid regex. This is the basic requirement.
|
||||
// In addition to this any characters not allowed in a path per
|
||||
// RFC 3986 section-3.3 cannot appear as a literal in the regex.
|
||||
// Consider the example: http://host/valid?#bar, everything after
|
||||
// the last '/' is a valid regex that matches valid#bar, which
|
||||
// isn't a valid path, because the path terminates at the first ?
|
||||
// or #. A more sophisticated form of validation would detect that
|
||||
// the user is confusing url regexes with path regexes.
|
||||
_, err := regexp.CompilePOSIX(rule.Path)
|
||||
if err != nil {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("paths").Index(i).Child("path"), rule.Path, "must be a valid regex"))
|
||||
|
||||
for _, invalidSuff := range invalidPathSuffixes {
|
||||
if strings.HasSuffix(path.Path, invalidSuff) {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, fmt.Sprintf("cannot end with '%s'", invalidSuff)))
|
||||
}
|
||||
}
|
||||
}
|
||||
allErrs = append(allErrs, validateIngressBackend(&rule.Backend, fldPath.Child("backend"))...)
|
||||
case networking.PathTypeImplementationSpecific:
|
||||
if len(path.Path) > 0 {
|
||||
if !strings.HasPrefix(path.Path, "/") {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, "must be an absolute path"))
|
||||
}
|
||||
}
|
||||
default:
|
||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("pathType"), *path.PathType, supportedPathTypes.List()))
|
||||
}
|
||||
|
||||
// TODO(robscott): Remove regex validation for 1.19.
|
||||
if opts.requireRegexPath {
|
||||
_, err := regexp.CompilePOSIX(path.Path)
|
||||
if err != nil {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), path.Path, "must be a valid regex"))
|
||||
}
|
||||
}
|
||||
|
||||
allErrs = append(allErrs, validateIngressBackend(&path.Backend, fldPath.Child("backend"))...)
|
||||
return allErrs
|
||||
}
|
||||
|
||||
@@ -408,3 +468,22 @@ func validateIngressClassParameters(params *api.TypedLocalObjectReference, fldPa
|
||||
|
||||
return allErrs
|
||||
}
|
||||
|
||||
// allPathsPassRegexValidation returns true if the Ingress has paths that all
|
||||
// match the Ingress path validation with requireRegexPath enabled.
|
||||
func allPathsPassRegexValidation(ingress *networking.Ingress) bool {
|
||||
for _, rule := range ingress.Spec.Rules {
|
||||
if rule.HTTP == nil {
|
||||
continue
|
||||
}
|
||||
for _, path := range rule.HTTP.Paths {
|
||||
if len(path.Path) == 0 {
|
||||
continue
|
||||
}
|
||||
if _, err := regexp.CompilePOSIX(path.Path); err != nil {
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user