Add Address Matching to TCPRoute and UDPRoute #735
Comments
robscott
added
the
kind/feature
|
In the case of addresses, whether matching is useful depends on having a listener that is implicitly attached to multiple addresses. The system has out-of-band knowledge of address semantics, so you can know that you want a route attached to address A and not to address B. Can we make a similar argument for ports? |
|
I may be misunderstanding what you're saying here, but either or both of the following scenarios are entirely possible:
Although both of the above are possible and this addition would help, I think this addition becomes significantly more compelling when you take into account mesh implementations that may want to match requests to a given address or port and apply some kind of routing to them. |
@robscott Source or destination or both? The following 5 things identify a byte stream on a TCP/IP networking stack:
We currently capture destination port via listener and the protocol. One could argue that the destination IP is also captured indirectly via the relationship Gateway -> Listener -> Route. +1 to this feature. One place to define matching, rather than ensuring that a route is mapped onto the correct listener would help and make the API more user-friendly.
What if the matching is based on source IP/port instead of destination IP/port?
I'm not sure I understand what is the point you are trying to make here. Could you rephrase please? @jpeach, are you trying to say that a route should not be aware of these addresses/ports because it is a leaky abstraction in that case? While it could be viewed as that, I think the same argument could be applied to the Hostname field in HTTPRoute or TLSRoute. |
|
So, this essentially creates a similar two-directional match to the Alternatively, matching on source address and port seems much more likely to be useful. |
|
Good point @hbagdi! I should have clarified that I was intending to match destination IP and Port with these fields. Given the potential for source IP and port matching in the future, it does probably make sense to make the config explicit here. Maybe something like this: matches:
- destination:
ip: 1.2.3.4
port: 80
That's a great way to summarize this, thanks @youngnick! |
What is your hesitation to include source IP/port in the API right away? |
I actually haven't thought about this as much. This particular idea/feature request was targeted at dest IP and Port despite me not actually saying that :). At first glance, it seems like source IP/Port matching may have slightly less portability, but I'd need to look into it a bit more. |
Ack.
If portability is a concern, maybe we start with a different conformance level for it? Also, regarding destination port/ip based match, we will need to clarify how Proxy Protocol comes into play. |
A route can say that it wants to only match on a specific IP address because there is some out-of-band semantics attached to that address. But what does it mean for a route to only want to be exposed on a specific port, and why would you do that? For example, I have a route and I specify a match for port "21". How is that useful? Are we talking about another programmatic mapping done by a transparent proxy? |
Did you mean source address matching? |
|
I am not sure why port match is any less useful than SNI, hostname, ip, etc. Its just another attribute of the request. For example, maybe I want to match anything on port 22 and deny it or apply some policy. |
My question is why I would care about the port. If I match on a port, then that reduces deployment agility for the gateway owner. It's extremely common to run services on "non-standard" ports. |
So does hostname. There is always a tension between generic routes attached to concrete gateways vs concrete routes attached to generate gateways. I think both are valid, they just depend on the use case. |
Both? Proxy protocol carries source and destination IPs involved, no? I think the tension comes in from the ownership perspective. Who owns and decides ports, IPs, DNS names, hostnames. |
Yep you are right :) |
|
+1 to considering destination ports like any other attribute. Being able to assign a non-standard dest port to a service (or user) is sometimes needed when dealing with L4 protocols. That may be because there isn't a hostname, or the form of security can't be used in that way. Agree with the agility concern but the cases I'm thinking look like @hbagdi's scenario (cluster admin ~= app dev)! |
You can do this today with a gateway listener on the port you want that binds a UDP or TCP route. |
|
So, it seems like there are two things we're talking about here:
tl;dr putting Destination address/port feels like a way to match Routes to individual Listeners, while Source address/port is another form of routing discriminator that lets you have multiple Routes share an individual Listener. |
This sounds right to me.
I have limited expertise here, but it seems more common with applying policy (allowlist/denylist IP) than routing. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
k8s-ci-robot
added
lifecycle/frozen
robscott
changed the title
What would you like to be added:
Add address matching to
TCPRouteMatchandUDPRouteMatch.Why this is needed:
TCP and UDP Routes currently only support custom matching extensions. It would be helpful to include some basic matching capabilities within the Routes. Address matching seems like a natural starting point. Although for most ingress use cases this could be covered by Gateway listeners, this concept could be quite helpful for mesh routing.
Also, see transparent proxy discussion in #727
The text was updated successfully, but these errors were encountered: