Early request header modification

Early request header modification allows you to add, set, or remove HTTP request headers at the listener level, before route selection and other request processing occurs.

This capability is especially useful for security and sanitization use cases, where you want to ensure that sensitive headers cannot be faked by downstream clients and are only set by trusted components such as external authentication services.

Early request header modification is configured on an AgentgatewayPolicy using the transformation field. This policy is attached directly to a proxy and applies header mutations before route selection. You can choose between the following header operations:

• add
• set
• remove

Before you begin

1. Set up an agentgateway proxy.
2. Install the httpbin sample app.

Remove a reserved header

Remove a header that is reserved for use by another service, such as an external authentication service.

1. Create an HTTPRoute resource that routes requests to the httpbin app through the Gateway that you created before you began.

   kubectl apply -f- <<EOF
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: httpbin-route
     namespace: httpbin
   spec:
     hostnames:
     - transformation.example
     parentRefs:
     - name: agentgateway-proxy
       namespace: agentgateway-system
     rules:
     - matches: 
       - path:
           type: PathPrefix
           value: /
       backendRefs:
       - name: httpbin
         namespace: httpbin
         port: 8000
       name: http
   EOF

2. Send a test request to the sample httpbin app with a reserved header, such as x-user-id.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -i http://$INGRESS_GW_ADDRESS:80/headers -H "host: transformation.example" -H "x-user-id: reserved-user"

   curl -i localhost:8080/headers -H "host: transformation.example" -H "x-user-id: reserved-user"

   Example output: Note that the X-User-Id header is present in the request.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

   { "headers": { "Accept": [ "*/*" ], "Host": [ "transformation.example" ], "User-Agent": [ "curl/8.7.1" ], "X-User-Id": [ "reserved-user" ] } }

3. Create an AgentgatewayPolicy with a transformation to remove the x-user-id header. Apply the removal on the Gateway on the PreRouting phase.

   kubectl apply -f- <<EOF
   apiVersion: agentgateway.dev/v1alpha1
   kind: AgentgatewayPolicy
   metadata:
     name: remove-reserved-header
     namespace: agentgateway-system
   spec:
     targetRefs:
       - group: gateway.networking.k8s.io
         kind: Gateway
         name: agentgateway-proxy
         sectionName: http
     traffic:
       phase: PreRouting
       transformation:
         request:
           remove:
             - x-user-id
   EOF

4. Repeat the test request to the sample httpbin app. The x-user-id header is no longer present in the response.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -i http://$INGRESS_GW_ADDRESS:8080/headers -H "host: transformation.example" -H "x-user-id: reserved-user"

   curl -i localhost:8080/headers -H "host: transformation.example" -H "x-user-id: reserved-user"
   Example output: Note that the X-User-Id header is not present in the request.

   {
     "headers": {
       "Accept": [
         "*/*"
       ],
       "Host": [
         "transformation.example"
       ],
       "User-Agent": [
         "curl/8.7.1"
       ]
     }
   }

Cleanup

You can remove the resources that you created in this guide. Run the following commands.

kubectl delete httproute httpbin-route -n httpbin
kubectl delete AgentgatewayPolicy remove-reserved-header -n agentgateway-system