You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is not a security vulnerability or a crashing bug
This is not a question about how to use Istio
Bug Description
When using the withoutHeaders matcher on a http route within a VirtuallService, the header must be present for it to match, which is misleading - not sure if this is a bug or perhaps docs clarification issue.
On the docs page for virtual service there's a field under HTTPMatchRequest named withoutHeaders. The description is:
withoutHeader has the same syntax with the header, but has opposite meaning. If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.
I would have assumed that this is essentially the inverse of the "header" matcher. i.e. if I have a header matcher which matches one header with a specific value:
http:
- match:
- headers:
version:
exact: v1
I would assume that a withoutHeaders should match the inverse:
However, the latter only matches when the header "version" is present AND does not match the given value. My intuition here would be that if the header does not match OR is not present at all, it should be considered a match.
Full example VirtualService using bookinfo example:
When I make a curl from productpage in the bookinfo namespace, I see when I pass the v1 header, it works as expected with the header matching:
/ $ curl -H "version: v1" reviews.bookinfo.svc.cluster.local:9080/reviews/1
{"id": "1","podname": "reviews-v1-ddf8c7659-29vn7","clustername": "null","reviews": [{ "reviewer": "Reviewer1", "text": "An extremely entertaining play by Shakespeare. The slapstick humour is refreshing!"},{ "reviewer": "Reviewer2", "text": "Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare."}]}/ $
But when I curl without any header at all, I get a 404:
/ $ curl reviews.bookinfo.svc.cluster.local:9080/reviews/1 -v
* Trying 10.43.190.226:9080...
* Connected to reviews.bookinfo.svc.cluster.local (10.43.190.226) port 9080 (#0)> GET /reviews/1 HTTP/1.1
> Host: reviews.bookinfo.svc.cluster.local:9080
> User-Agent: curl/7.76.1-DEV
> Accept: */*>* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< date: Fri, 10 May 2024 17:00:05 GMT
< server: envoy
< content-length: 0
<* Connection #0 to host reviews.bookinfo.svc.cluster.local left intact
Note that if I include the header and use any value other than 'v1', I do get matched as expected:
/ $ curl -H "version: anything-else" reviews.bookinfo.svc.cluster.local:9080/reviews/1
{"id": "1","podname": "reviews-v3-77f796db6-fxlfx","clustername": "null","reviews": [{ "reviewer": "Reviewer1", "text": "An extremely entertaining play by Shakespeare. The slapstick humour is refreshing!", "rating": {"stars": 5, "color": "red"}},{ "reviewer": "Reviewer2", "text": "Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare.", "rating": {"stars": 4, "color": "red"}}]}/ $
Should the request which does not contain the header match on the route where that header is included in the withoutHeaders matcher?
Version
$ istioctl version
client version: 1.21.0
control plane version: 1.21.0
data plane version: 1.21.0 (6 proxies)
Additional Information
No response
The text was updated successfully, but these errors were encountered:
Is this the right place to submit this?
Bug Description
When using the
withoutHeaders
matcher on a http route within a VirtuallService, the header must be present for it to match, which is misleading - not sure if this is a bug or perhaps docs clarification issue.On the docs page for virtual service there's a field under HTTPMatchRequest named
withoutHeaders
. The description is:I would have assumed that this is essentially the inverse of the "header" matcher. i.e. if I have a header matcher which matches one header with a specific value:
I would assume that a
withoutHeaders
should match the inverse:However, the latter only matches when the header "version" is present AND does not match the given value. My intuition here would be that if the header does not match OR is not present at all, it should be considered a match.
Full example VirtualService using bookinfo example:
Using the standard example DestinationRule which splits reviews by 'version' label:
When I make a curl from productpage in the bookinfo namespace, I see when I pass the v1 header, it works as expected with the header matching:
But when I curl without any header at all, I get a 404:
Note that if I include the header and use any value other than 'v1', I do get matched as expected:
Should the request which does not contain the header match on the route where that header is included in the
withoutHeaders
matcher?Version
Additional Information
No response
The text was updated successfully, but these errors were encountered: