netscaler-k8s-ingress-controller

Improve CSW Policy generation by outsourcing the Hostnames into Patternsets

Open progS1m opened this issue 2 years ago • 0 comments

Is your feature request related to a problem? Please describe.

If you have a huge list of hosts inside one Ingress, for example to serve multiple Top-Level-Domains, there is a max limit, as the policy length has a fixed size limit.

The policy gets longer with each host until you exceed a limit:

(HTTP.REQ.HOSTNAME.SERVER.EQ("www.booksample.ca")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.at")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.be")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.ch")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.co.uk")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.com")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.com.au")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.cz")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.de")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.es")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.fi")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.fr")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.hr")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.ie")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.in")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.it")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.nl")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.no")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.se")||HTTP.REQ.HOSTNAME.SERVER.EQ("partners.sampleusa.com")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.pt")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.dk")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.ee")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.pl")||HTTP.REQ.HOSTNAME.SERVER.EQ("www.sample.ru"))&&(HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/mypath"))

The same applies if you have too many paths in a httproute etc. But at least there it is possible to work with wildcards, so most of the time it is no problem.

Describe the solution you'd like

Improve the mechanism by which the policies are created by CIC. Suggestion: store all domains in a patternset and reference it?

Describe alternatives you've considered

Split Ingress into multiple ingresses. Not the best, as it produces more policies.

progS1m, Jul 20 '22 11:07
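The patternset suggestion in the issue above, sketched as an added example (not code from the issue or from the ingress controller): it builds the OR-chained rule in the shape quoted in the issue and a pattern-set variant whose rule length does not grow with the number of hosts. The function names, the `k8s_hosts_` prefix and the host-name check are assumptions made for illustration; `add policy patset`, `bind policy patset` and `EQUALS_ANY` are NetScaler's pattern-set commands and operator.

```python
import hashlib
import re

# Conservative host-name check so a value cannot break out of the quoted
# expression or the CLI line (assumption: wildcard hosts are not handled here).
_HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
_PATH = '(HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("{}"))'


def _checked(hosts):
    """Return the unique hosts, sorted, rejecting anything not host-shaped."""
    for h in hosts:
        if not _HOST_RE.fullmatch(h):
            raise ValueError(f"refusing host value: {h!r}")
    return sorted(set(hosts))


def or_chain_rule(hosts, path):
    """Rule in the shape quoted in the issue: one EQ() term per host."""
    terms = "||".join(f'HTTP.REQ.HOSTNAME.SERVER.EQ("{h}")' for h in _checked(hosts))
    return f"({terms})&&" + _PATH.format(path)


def patset_rule(hosts, path, prefix="k8s_hosts_"):
    """Return (cli_commands, rule) with the hosts held in a pattern set."""
    unique = _checked(hosts)
    # Name derived from the content, so the same host list maps to the same set.
    name = prefix + hashlib.sha256("\n".join(unique).encode()).hexdigest()[:12]
    cmds = [f"add policy patset {name}"]
    cmds += [f"bind policy patset {name} {h}" for h in unique]
    return cmds, f'(HTTP.REQ.HOSTNAME.SERVER.EQUALS_ANY("{name}"))&&' + _PATH.format(path)


if __name__ == "__main__":
    # Constructed input: a few hosts from the issue plus generated ones.
    hosts = ["www.sample.at", "www.sample.be", "www.sample.ch"]
    hosts += [f"www.sample{i}.example" for i in range(60)]
    cmds, rule = patset_rule(hosts, "/mypath")
    print("OR chain length :", len(or_chain_rule(hosts, "/mypath")))
    print("patset rule len :", len(rule))
    print("\n".join(cmds[:4]), "\n...")
    print(rule)
```

Check on a test appliance that `EQUALS_ANY` treats host-name case the same way as the `EQ` chain before replacing one with the other.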