Add support for wildcard specifiers anywhere in SNI pattern #1698
Merged
jrajahalme merged 2 commits into main on Feb 11, 2026
So, @fristonio and I were chatting about this, and I wondered if we should convert to regex in the agent and send that to the proxy. Pros:
Cons:
I'm not sure what the general practice is for c/proxy here.
Conclusion: because spinning a new proto type is annoying, we'll implement it as-is.
d9c7a5e to 5620d48
nezdolik reviewed Feb 2, 2026
jrajahalme requested changes Feb 3, 2026
5620d48 to f80c75a
778dcb9 to 1f0b2ad
nezdolik approved these changes Feb 6, 2026
8d4fb6d to c3ebac2
PR updated with changes as discussed during today's sig-policy meeting. A valid match pattern should:
Wildcard specifier behavior:
With this change cilium-agent needs to normalize the SNI patterns to be conformant with the above match pattern syntax and aligned with DNS match pattern. This will include the below operations:
This commit adds support for specifying a wildcard ('*') anywhere in the
server names match pattern. This allows users to write more compressed
network policies.
With this change users can now write allowed server names as:
- `*.cilium.io` matching all first-level subdomains of `cilium.io`:
  - Matches: `www.cilium.io`, `blog.cilium.io`
  - Does NOT match: `cilium.io`, `foo.bar.cilium.io`, `kubernetes.io`
- `*cilium.io` matching `cilium.io` and any domain ending with the `cilium.io` suffix:
  - Matches: `cilium.io`, `sub-cilium.io`, `subcilium.io`
  - Does NOT match: `www.cilium.io`, `blog.cilium.io`
- `sub*.cilium.io` matching subdomains of `cilium.io` that start with the "sub" prefix:
  - Matches: `sub.cilium.io`, `subdomain.cilium.io`
  - Does NOT match: `www.cilium.io`, `blog-sub.cilium.io`, `blog.sub.cilium.io`, `cilium.io`
- `**.cilium.io` matching all subdomains of `cilium.io` at any depth:
  - Matches: `www.cilium.io`, `test.app.cilium.io`
  - Does NOT match: `cilium.io`
SNI match patterns are now implemented using regular expressions. The
required regex is derived and compiled once during xDS configuration
update.
If the match pattern doesn't contain any wildcard specifier the
implementation relies on explicit full string match as before.
Signed-off-by: Deepesh Pathak <deepesh.pathak@isovalent.com>
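The wildcard-to-regex translation that the commit message above describes, as an added C++ example; it is not code from cilium/proxy. The function names and the regex fragments are assumptions inferred from the commit message's match and no-match lists, including the choice that a `*` standing alone as a label requires at least one character.

```cpp
#include <cctype>
#include <cstdio>
#include <regex>
#include <string>

// Assumed semantics, inferred from the commit message's examples:
//   '*'  = DNS label characters only, never '.'; zero or more inside a label,
//          one or more when '*' is the whole label
//   '**' = one or more whole labels, dots included
static const std::string kLabelChar = "[a-zA-Z0-9_-]";

// Translate an SNI match pattern into an anchored regex source string.
// Returns "" for any character outside [-a-zA-Z0-9_*.].
std::string sniPatternToRegex(const std::string& p) {
  std::string re = "^";
  for (size_t i = 0; i < p.size(); ++i) {
    const char c = p[i];
    if (c == '*' && i + 1 < p.size() && p[i + 1] == '*') {
      re += kLabelChar + "+(\\." + kLabelChar + "+)*";
      ++i;  // consume the second '*'
    } else if (c == '*') {
      const bool wholeLabel = (i == 0 || p[i - 1] == '.') &&
                              (i + 1 == p.size() || p[i + 1] == '.');
      re += kLabelChar + (wholeLabel ? "+" : "*");
    } else if (c == '.') {
      re += "\\.";  // literal dot, not "any character"
    } else if (std::isalnum(static_cast<unsigned char>(c)) || c == '-' || c == '_') {
      re += c;  // none of these are regex metacharacters
    } else {
      return "";  // refuse to pass unexpected bytes into the regex
    }
  }
  return re + "$";
}

bool sniMatches(const std::string& pattern, const std::string& serverName) {
  // No wildcard: plain full-string comparison, as the commit message describes.
  if (pattern.find('*') == std::string::npos) return pattern == serverName;
  const std::string src = sniPatternToRegex(pattern);
  if (src.empty()) return false;
  // The PR compiles once per xDS update; compiling per call keeps this short.
  return std::regex_match(serverName, std::regex(src));
}

int main() {
  // Constructed server names checked against a pattern from the commit message.
  for (const char* name : {"sub.cilium.io", "blog.sub.cilium.io"})
    std::printf("%-20s %s\n", name, sniMatches("sub*.cilium.io", name) ? "allow" : "deny");
}
```

Anchoring with `^...$` and escaping every `.` are what keep `sub*.cilium.io` from allowing `blog-sub.cilium.io` or a name where the dot position holds some other character.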
This commit adds regex pattern validation to the `server_names` field of PortNetworkPolicyRule type. The validation pattern (`^([-a-zA-Z0-9_*]+[.]?)+"$`) is in alignment with the supported match pattern as defined for the corresponding k8s type in cilium/cilium.
Signed-off-by: Deepesh Pathak <deepesh.pathak@isovalent.com>
c3ebac2 to 0e7e83f
jrajahalme approved these changes Feb 11, 2026
See commit message for more details.
Extends: #1242
Fixes: cilium/cilium#43597