Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for empty host in ingress rules (#941) #945

Merged
merged 2 commits into from
May 1, 2024
Merged

Support for empty host in ingress rules (#941) #945

merged 2 commits into from
May 1, 2024

Conversation

kralicky
Copy link
Contributor

Summary

This adds support for empty host values in ingress rules, which act as wildcards and will match any hostname (or IP address).

There are many cases where an ingress configured this way can cause destructive or unintended behavior. Because it is very easy to (perhaps mistakenly) omit the host field in an ingress rule, the special annotation ingress.pomerium.io/subtle_allow_empty_host: "true" must be added to any ingress object containing rules with empty host fields.

Related issues

Closes #941

Checklist

  • reference any related issues
  • updated docs
  • updated unit tests
  • updated UPGRADING.md
  • add appropriate tag (improvement / bug / etc)
  • ready for review

@kralicky kralicky added the enhancement New feature or request label Apr 30, 2024
@kralicky kralicky requested a review from a team as a code owner April 30, 2024 19:57
@kralicky kralicky requested review from calebdoxsey, kenjenkins and wasaga and removed request for a team and kenjenkins April 30, 2024 19:57
calebdoxsey
calebdoxsey approved these changes May 1, 2024
View reviewed changes
Copy link
Contributor

@calebdoxsey calebdoxsey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kralicky kralicky force-pushed the kralicky/ingress-rule-empty-host branch from 62e17fd to 555c44e Compare May 1, 2024 19:29
@kralicky
Support for empty host in ingress rules (#941)
0a62e04 
This adds support for empty host values in ingress rules, which act as
wildcards and will match any hostname. A special annotation is required
to enable this feature, so as to prevent unexpected behavior if the host
name is unintentionally omitted.
@kralicky kralicky force-pushed the kralicky/ingress-rule-empty-host branch from 555c44e to 37ffe3f Compare May 1, 2024 22:22
@kralicky kralicky force-pushed the kralicky/ingress-rule-empty-host branch from 37ffe3f to da20e5c Compare May 1, 2024 22:26
@kralicky kralicky merged commit 2da8531 into main May 1, 2024
7 checks passed
@kralicky kralicky deleted the kralicky/ingress-rule-empty-host branch May 1, 2024 23:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wasaga wasaga wasaga approved these changes

@calebdoxsey calebdoxsey calebdoxsey approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for wildcard / catch-all host
3 participants
@kralicky @calebdoxsey @wasaga