From a1fc04486c78abf63e5a297e6b9f61dac75c8f4b Mon Sep 17 00:00:00 2001
From: ikethecoder
Date: Thu, 6 Feb 2025 16:56:17 -0800
Subject: [PATCH] allow exact match upstream host validation
---
 microservices/gatewayApi/utils/validators.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/microservices/gatewayApi/utils/validators.py b/microservices/gatewayApi/utils/validators.py
index 09c3b01..afb287f 100644
--- a/microservices/gatewayApi/utils/validators.py
+++ b/microservices/gatewayApi/utils/validators.py
@@ -52,7 +52,7 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
 if host in restricted:
 errors.append("service upstream is invalid (e1)")
- elif host.endswith('svc'):
+ elif host.endswith('.svc'):
 partials = host.split('.')
 # get the namespace, and make sure it is not in the protected_kube_namespaces list
 if len(partials) != 3:
@@ -61,7 +61,7 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
 errors.append("service upstream is invalid (e3)")
 elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
 errors.append("service upstream is invalid (e6)")
- elif host.endswith('svc.cluster.local'):
+ elif host.endswith('.svc.cluster.local'):
 partials = host.split('.')
 # get the namespace, and make sure it is not in the protected_kube_namespaces list
 if len(partials) != 5:
@@ -71,4 +71,6 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
 elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
 errors.append("service upstream is invalid (e6)")
 elif do_validate_upstreams:
- errors.append("service upstream is invalid (e6)")
+ # allow exact matches for upstreams that are outside of cluster
+ if host not in perm_upstreams:
+ errors.append("service upstream is invalid (e6)")
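Review bot: The tightened suffix tests `host.endswith('.svc')` here and `host.endswith('.svc.cluster.local')` in the second hunk are only as strict as the normalisation of `host`, which is derived from `_host` above the hunk and is not visible. If `host` is not already lower-cased and stripped of a trailing dot, a name differing only in case or ending in `.` matches neither branch, so it skips the protected-namespace check and falls to the final `elif do_validate_upstreams:` branch, which appends no error when that flag is false. Confirm the canonicalisation exists upstream of these branches, or add it before the chain, e.g. `host = host.lower().rstrip('.')`. A short comment on both branches, such as `# leading dot: match the 'svc' DNS label, not any host whose last letters are 'svc'`, would also record why the literal changed.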
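Review bot: `if host not in perm_upstreams:` in the last hunk compares a full host name against the same collection that the two in-cluster branches compare a namespace against (`partials[1] in perm_upstreams`), so namespace entries and external host names now share one allow-list and an entry meant as a namespace also admits a host of that exact name. `perm_upstreams` is built outside the hunk: if it is a list or set this is the exact match the new comment promises, but if it is a `str` the `in` operator is a substring test and any fragment of an allowed value would pass, so the type is worth confirming and stating in the comment, e.g. `# perm_upstreams is a list of namespaces and exact external host names`. The comparison is also case-sensitive, which matters if `host` is not lower-cased earlier in the function. A unit test covering an allowed external host, a near-miss (prefix or suffix of an allowed host), and a namespace-only entry would pin the intended behaviour.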