kong icon indicating copy to clipboard operation
kong copied to clipboard
Published 1 week ago verified publisher icon Kong

Admissionwebhook misses faulty regex

Open MarkusFlorian79 opened this issue 1 year ago • 1 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Kong version ($ kong version)

3.6.1

Current Behavior

Adding following faulty HTTPRoute:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: broken-http-route
  annotations:
    konghq.com/strip-path: "false"
    konghq.com/preserve-host: "false"
    konghq.com/protocols: https
spec:
  hostnames:
    - broken.api-ch-dev.balgroupit.com
  rules:
    - matches:
        - path:
            type: RegularExpression
            value: .*\.do
        - path:
            type: RegularExpression
            value: .*\.css
        - path:
            type: RegularExpression
            value: .*\.woff2
        - path:
            type: RegularExpression
            value: .*\.js
        - path:
            type: RegularExpression
            value: .*\.svg
      backendRefs:
        - name: echo-host-service
          kind: Service
          port: 1027

is not rejected by the AdmissionWebhook while the IngressController discovers the error:

Update route httproute.ch-kong-dev.broken-http-route.0.0 failed: HTTP status 400 (message: "5 schema violations (paths.1: should start with: / (fixed path) or ~/ (regex path); paths.2: should start with: / (fixed path) or ~/ (regex path); paths.3: should start with: / (fixed path) or ~/ (regex path); paths.4: should start with: / (fixed path) or ~/ (regex path); paths.5: should start with: / (fixed path) or ~/ (regex path))")

Expected Behavior

Admissionwebhook rejects the HTTPRoute.

Steps To Reproduce

See current behaviour

Anything else?

No response

MarkusFlorian79 avatar Apr 25 '24 10:04 MarkusFlorian79

@randmonkey , could you take a look at this?

chronolaw avatar May 06 '24 03:05 chronolaw

@MarkusFlorian79 KIC enables validation on HTTPRoute to check if the spec is valid (will not generate invalid Kong configuration) since 2.12. Please check if your KIC version is below 2.12 or admission webhooks are not configured correctly.

randmonkey avatar Jul 15 '24 03:07 randmonkey

This issue is marked as stale because it has been open for 14 days with no activity.

github-actions[bot] avatar Jul 30 '24 01:07 github-actions[bot]

Dear contributor,

We are automatically closing this issue because it has not seen any activity for three weeks. We're sorry that your issue could not be resolved. If any new information comes up that could help resolving it, please feel free to reopen it.

Your contribution is greatly appreciated!

Please have a look our pledge to the community for more information.

Sincerely, Your Kong Gateway team

github-actions[bot] avatar Aug 06 '24 01:08 github-actions[bot]