Ingress paths with multiples match does not give precedence to the longest match #32467
Open
Labels
area/servicemesh
GH issues or PRs regarding servicemesh
kind/bug
This is a bug in the Cilium logic.
kind/community-report
This was reported by a user in the Cilium community, eg via Slack.
What happened?
Following an upgrade from Cilium version 1.14.1 to 1.14.2, we observed a change in ingress traffic routing behaviors under specific conditions involving multiple path matches.
Issue Details:
Ingress Configuration:
/
/api and another with the regex path /(.*)/api.
Observed Behavior:
/(.*)/api) is incorrectly routed to Service A instead of Service B.

Additionally, from version 1.14.4 to 1.14.5, a new issue emerged when TLS is enabled on ingresses. With TLS, all requests are incorrectly routed to Service A, irrespective of the specified path.
These routing errors disrupt expected network traffic flow and service delivery within our Kubernetes environment.
Steps and manifests to reproduce the issue:
serviceA.yaml
serviceB.yaml
test.sh
Ensure you change shareddomain.local for some domain reachable to your cluster.
1.- Apply serviceA manifests in servicea namespace
2.- Execute test.sh script for quick testing

Furthermore, we have also detected a change from 1.14.4 to 1.14.5 where ingress traffic is sent to the wrong service in most cases when you are using TLS for the ingresses.
To reproduce this, just add TLS config to the same example as before, and all requests will end up in service A regardless of the path you use in the request.
Manifests for TLS:
serviceA.yaml
serviceB.yaml
Change shareddomain.local to a domain that can reach the cluster and set PROTOCOL to https in the test.sh script.
Results with TLS config:
Cilium Version
1.14.2
1.14.5
Kernel Version
6.1.84
Kubernetes Version
v1.29.1-eks-61c0bbb
Regression
1.14.1
Sysdump
No response
Relevant log output
No response
Anything else?
No response