Skip to content

Cross ns attachment#8676

Draft
zhaohuabing wants to merge 16 commits intoenvoyproxy:mainfrom
zhaohuabing:cross-ns-attachment
Draft

Cross ns attachment#8676
zhaohuabing wants to merge 16 commits intoenvoyproxy:mainfrom
zhaohuabing:cross-ns-attachment

Conversation

@zhaohuabing
Copy link
Copy Markdown
Member

@zhaohuabing zhaohuabing commented Apr 5, 2026
edited
Loading

Picking up #5145 and continuing the work from here. Thanks, @guydc, for the earlier work on this.

guydc added 4 commits February 2, 2025 11:16
@guydc @zirain
api: cross-namespace policy target selectors
97753a8 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc @zirain
use gw-api style for namespace selector
d28eb68 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc @zirain
fix json tag
e672802 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc
Merge branch 'main' into cross-ns-attachment
ba7b099
@zhaohuabing zhaohuabing requested a review from a team as a code owner April 5, 2026 14:17
@zhaohuabing zhaohuabing marked this pull request as draft April 5, 2026 14:18
@netlify
Copy link
Copy Markdown

netlify Bot commented Apr 5, 2026
edited
Loading

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit 044fc0c
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69e732ac36f50f0008115638

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 5, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 86.08247% with 54 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.49%. Comparing base (a7545ce) to head (82c7813).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/gatewayapi/envoyextensionpolicy.go 44.00% 12 Missing and 2 partials ⚠️
internal/gatewayapi/securitypolicy.go 58.82% 12 Missing and 2 partials ⚠️
internal/gatewayapi/helpers.go 91.66% 7 Missing and 5 partials ⚠️
internal/gatewayapi/clienttrafficpolicy.go 83.33% 6 Missing and 1 partial ⚠️
internal/provider/kubernetes/controller.go 91.02% 5 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8676      +/-   ##
==========================================
+ Coverage   74.40%   74.49%   +0.08%     
==========================================
  Files         245      245              
  Lines       38973    39275     +302     
==========================================
+ Hits        28998    29258     +260     
- Misses       7971     8002      +31     
- Partials     2004     2015      +11

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing
Merge remote-tracking branch 'origin/main' into cross-ns-attachment
b7422f9
@zhaohuabing
update API
9044f4e 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing
update API
7dbee3d 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zhaohuabing
zhaohuabing commented Apr 7, 2026
View reviewed changes
Comment thread api/v1alpha1/policy_helpers.go
@zhaohuabing zhaohuabing added this to the v1.8.0-rc.1 Release milestone Apr 7, 2026
@zhaohuabing zhaohuabing requested a review from kkk777-7 April 8, 2026 01:20
@zhaohuabing zhaohuabing mentioned this pull request Apr 8, 2026
Open
rudrakhp
rudrakhp reviewed Apr 10, 2026
View reviewed changes
Comment thread api/v1alpha1/policy_helpers.go
@zhaohuabing zhaohuabing marked this pull request as ready for review April 13, 2026 00:32
@zhaohuabing zhaohuabing marked this pull request as draft April 14, 2026 07:37
@zhaohuabing
implmentation
7d277a7 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the cross-ns-attachment branch from 479741a to 7d277a7 Compare April 15, 2026 10:42
@zhaohuabing
Merge remote-tracking branch 'origin/main' into cross-ns-attachment
47b449e
@zhaohuabing
add e2e tests for cross ns policy attachment
1ac43e2 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing
update test
3066e54 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing
fix lint
f4c2f7a 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing
Merge remote-tracking branch 'origin/main' into cross-ns-attachment
dc3d896
@zhaohuabing
update test
e507c22 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing marked this pull request as ready for review April 21, 2026 04:13
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e507c223d1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/gatewayapi/extensionserverpolicy.go
Comment on lines +135 to 138
func resolveExtServerPolicyGatewayTargetRef(policy *unstructured.Unstructured, target policyTargetReferenceWithSectionName, gateways map[types.NamespacedName]*policyGatewayTargetContext) *GatewayContext {
// Check if the gateway exists
key := types.NamespacedName{
Name: string(target.Name),
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Resolve gateway targets using the target namespace

extractTargetRefs now returns cross-namespace matches when a ReferenceGrant allows them, but this resolver still keys lookups by policy.GetNamespace(). In that scenario, valid cross-namespace targets are treated as missing, and if a same-named Gateway exists in the policy namespace the policy can bind to the wrong Gateway. The lookup should use target.Namespace from the resolved target reference.

Useful? React with 👍 / 👎.

@zhaohuabing zhaohuabing marked this pull request as draft April 21, 2026 04:33
@zhaohuabing
add referencegrants to the provider
044fc0c 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the cross-ns-attachment branch from 82c7813 to 044fc0c Compare April 21, 2026 08:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arkodg arkodg arkodg left review comments

@rudrakhp rudrakhp rudrakhp left review comments

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@kkk777-7 kkk777-7 Awaiting requested review from kkk777-7

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.8.0-rc.1 Release

Development

Successfully merging this pull request may close these issues.

5 participants

@zhaohuabing @arkodg @rudrakhp @kkk777-7 @guydc