Explicit Programming of HTTP Rules

Overview

Avi Vantage explicitly adds drop rules for all host/path combinations that are not present in the user's configuration of the ingress/route object. As a result, it returns a 404 for every path combination that is not configured in the original ingress/route object in Kubernetes/OpenShift.

Route Ingress Hardening

Starting with Avi Vantage release 18.2.7, the flag enable_route_ingress_hardening, enabled by default, explicitly programs the HTTP rules for host/path combinations that are not recognised by Avi Vantage, and returns a local 404 response.

By setting enable_route_ingress_hardening to false, you can prevent Avi Vantage from explicitly programming the HTTP rules.

In this case, Avi Vantage will just program the HTTP rules for host/path combinations that are specified in the ingress/route object.

The other unrecognized paths will return a 500 Internal Server Error.

In summary, setting the flag enable_route_ingress_hardening to false has the following effects:

  • No host header specific checks will be performed.

  • No default pool group will be attached to the virtual service.

  • No 404 Not Found responses will be programmatically sent by Avi Vantage.

This feature can only be configured using the CLI.

To configure this, log in to the Avi Controller CLI shell and edit the cloud connector settings as shown below.


> configure cloud *Cloud Name*
cloud> oshiftk8s_configuration 
cloud:oshiftk8s_configuration> no enable_route_ingress_hardening 
+---------------------------------------+---------------------------------------+
|    Field                              |      Value                            |
+---------------------------------------+---------------------------------------+
| enable_route_ingress_hardening        |          False                        |
+---------------------------------------+---------------------------------------+
cloud:oshiftk8s_configuration> save
cloud> save
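
To confirm which behaviour a virtual service shows after the flag is changed, compare observed responses against the host/path combinations in the ingress object. The following is an added example, not part of the Avi documentation: the sample ingress, the observations and the function names are constructed, and path matching is assumed to follow Kubernetes pathType semantics.

```python
import json

# Constructed sample: the rules of a Kubernetes Ingress object, as JSON.
INGRESS = json.loads("""
{"spec": {"rules": [
  {"host": "shop.example.com", "http": {"paths": [
    {"path": "/cart", "pathType": "Prefix"},
    {"path": "/healthz", "pathType": "Exact"}]}}
]}}
""")

# Constructed sample: (Host header, path, status) taken from probes or logs.
OBSERVED = [
    ("shop.example.com", "/cart/items", 200),
    ("shop.example.com", "/admin", 404),
    ("shop.example.com", "/cartoon", 500),
    ("other.example.com", "/cart", 200),
]

# Statuses this page gives for unconfigured host/path combinations.
VERDICTS = {404: "hardened", 500: "hardening-off"}


def configured(ingress, host, path):
    """True if host/path matches a rule (assumed Kubernetes pathType rules)."""
    for rule in ingress["spec"]["rules"]:
        if rule.get("host") != host:
            continue
        for p in rule["http"]["paths"]:
            want = p["path"].rstrip("/") or "/"
            if p.get("pathType") == "Exact":
                if path == p["path"]:
                    return True
            # Anything not Exact is treated as Prefix: whole segments only.
            elif want == "/" or path == want or path.startswith(want + "/"):
                return True
    return False


def audit(ingress, observed):
    """Return a verdict for every observation outside the configured set."""
    return [
        (host, path, status, VERDICTS.get(status, "unexpected"))
        for host, path, status in observed
        if not configured(ingress, host, path)
    ]

if __name__ == "__main__":
    print(*audit(INGRESS, OBSERVED), sep="\n")
```

A verdict of "unexpected" marks an unconfigured host/path combination that returned neither of the two statuses this page describes and should be investigated.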