Dynamic header matching in HTTPRoute #2198
Comments
This came up in a conversation between myself, @kflynn and @robscott a few weeks back and I have been slow at starting the write-up. |
Another use case which is similar is just things like Standardization seems near impossible - but nice as an extension? |
I wonder if combined with here #2166, a generalized case here is implementation specific routing - data plane provides some parameters which can be used to make a routing decision. Perhaps something like this could work:

Client IP based routing:

```yaml
- matches:
    proxyKeys:
    - name: $client_ip # proxy specific
      type: CIDR # proxy specific
      value: 192.168.0.0
  backendRefs:
  - name: backend-local
    port: 80
```

JWT claim based routing:

```yaml
- matches:
    proxyKeys:
    - name: $jwt_claim_group # proxy specific
      type: Exact # proxy specific
      value: group-1
  backendRefs:
  - name: backend-group1
    port: 80
```

Cookie based routing:

```yaml
- matches:
    proxyKeys:
    - name: $cookie_version # proxy specific
      type: Exact # proxy specific
      value: v2
  backendRefs:
  - name: backend-v2
    port: 80
```
Okay. |
I think it comes down to: Policy with extensions, or Policy and Extensions. |
@brianehlert If you'd like to use this issue to start the GEP, then I think you just create a PR with a file named |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What would you like to be added:
A standard API for routing based on matching metadata derived from dynamically evaluated request headers.
Why this is needed:
Users want to be able to route HTTP requests based on a validated JWT associated with the request.
Istio, for example, supports this by using header names with a special prefix (`@`) in a httproute header match configuration, to indicate that the matching is not against a static header value, but rather the metadata associated with the validated JWT: https://istio.io/latest/docs/tasks/security/authentication/jwt-route/#configuring-ingress-routing-based-on-jwt-claims

Although Istio could support this in Gateway API routes with some implementation specific (e.g., prefix) solution, it would be better to define an optional standard API for this kind of routing in Gateway API.

Maybe simply allowing some prefix (e.g., `@`) in a header name to allow for implementation-specific dynamic header matching would be minimally sufficient? Beyond that, defining some standard dynamic header names (like the one to use to match JWT metadata, for example) would also be nice to have in the Gateway spec.
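
The prefix idea in the issue body above, as an added example that is not part of the issue and is not Gateway API or Istio code: a matcher that resolves `@`-prefixed names only against metadata the data plane set after validating the JWT, so a client-supplied header with the same name cannot steer routing. The `HeaderMatch` and `Request` types and the `jwt.claims.group` key are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// dynamicPrefix marks a match name that refers to proxy-derived metadata
// instead of a literal request header ("@" is the prefix the issue suggests).
const dynamicPrefix = "@"

// HeaderMatch is a simplified, hypothetical stand-in for a route header match.
type HeaderMatch struct{ Name, Value string }

// Request keeps client-supplied headers apart from metadata that the data
// plane writes only after it has validated the JWT.
type Request struct {
	Headers  map[string]string // untrusted; keys lower-cased by the caller
	Metadata map[string]string // trusted; empty when no JWT was validated
}

// Matches reports whether every match holds. A name with the dynamic prefix
// is resolved only against Metadata, so a client header that is literally
// named "@..." can never satisfy it.
func Matches(req Request, matches []HeaderMatch) bool {
	for _, m := range matches {
		var got string
		var ok bool
		if strings.HasPrefix(m.Name, dynamicPrefix) {
			got, ok = req.Metadata[strings.TrimPrefix(m.Name, dynamicPrefix)]
		} else {
			got, ok = req.Headers[strings.ToLower(m.Name)]
		}
		if !ok || got != m.Value {
			return false
		}
	}
	return true
}

func main() {
	// Constructed rule and requests; "jwt.claims.group" is a made-up key.
	rule := []HeaderMatch{{Name: "@jwt.claims.group", Value: "group-1"}}
	valid := Request{Metadata: map[string]string{"jwt.claims.group": "group-1"}}
	spoof := Request{Headers: map[string]string{"@jwt.claims.group": "group-1"}}
	fmt.Println(Matches(valid, rule), Matches(spoof, rule)) // true false
}
```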