Skip to content

Cross ns attachment #8676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
zhaohuabing wants to merge 16 commits into
base: main
Choose a base branch
from
Draft

Cross ns attachment #8676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
97753a8
api: cross-namespace policy target selectors
guydc Jan 24, 2025
d28eb68
use gw-api style for namespace selector
guydc Jan 29, 2025
e672802
fix json tag
guydc Jan 29, 2025
ba7b099
Merge branch 'main' into cross-ns-attachment
guydc Feb 5, 2025
289852c
Merge remote-tracking branch 'origin/main' into cross-ns-attachment
zhaohuabing Apr 5, 2026
b7422f9
Merge remote-tracking branch 'origin/main' into cross-ns-attachment
zhaohuabing Apr 7, 2026
9044f4e
update API
zhaohuabing Apr 7, 2026
7dbee3d
update API
zhaohuabing Apr 7, 2026
7d277a7
implmentation
zhaohuabing Apr 15, 2026
47b449e
Merge remote-tracking branch 'origin/main' into cross-ns-attachment
zhaohuabing Apr 21, 2026
1ac43e2
add e2e tests for cross ns policy attachment
zhaohuabing Apr 21, 2026
3066e54
update test
zhaohuabing Apr 21, 2026
f4c2f7a
fix lint
zhaohuabing Apr 21, 2026
dc3d896
Merge remote-tracking branch 'origin/main' into cross-ns-attachment
zhaohuabing Apr 21, 2026
e507c22
update test
zhaohuabing Apr 21, 2026
044fc0c
add referencegrants to the provider
zhaohuabing Apr 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 42 additions & 1 deletion api/v1alpha1/policy_helpers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ type PolicyTargetReferences struct {
}

// +kubebuilder:validation:XValidation:rule="has(self.group) ? self.group == 'gateway.networking.k8s.io' : true ", message="group must be gateway.networking.k8s.io"
// +kubebuilder:validation:XValidation:rule="has(self.namespaces) || has(self.matchLabels) || has(self.matchExpressions)", message="at least one of namespaces, matchLabels, or matchExpressions must be specified"
type TargetSelector struct {
// Group is the group that this selector targets. Defaults to gateway.networking.k8s.io
//
Expand All @@ -51,7 +52,18 @@ type TargetSelector struct {
// Kind is the resource kind that this selector targets.
Kind gwapiv1.Kind `json:"kind"`

// MatchLabels are the set of label selectors for identifying the targeted resource
// Namespaces determines which namespaces are considered for target selection.
//
// If unspecified, only targets in the same namespace as this policy are considered.
//
// When specified, the effective set of namespaces is always constrained to the
// namespaces watched by Envoy Gateway.
//
// +optional
Namespaces *TargetSelectorNamespaces `json:"namespaces,omitempty"`
Comment thread
zhaohuabing marked this conversation as resolved.

// MatchLabels are the set of label selectors for identifying the targeted resource.
//
// +optional
MatchLabels map[string]string `json:"matchLabels,omitempty"`

Expand All @@ -62,6 +74,35 @@ type TargetSelector struct {
MatchExpressions []metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty"`
}

type TargetNamespaceFrom string

const (
// TargetNamespaceFromSame limits target selection to the policy's namespace.
TargetNamespaceFromSame TargetNamespaceFrom = "Same"
// TargetNamespaceFromAll allows target selection from all watched namespaces.
TargetNamespaceFromAll TargetNamespaceFrom = "All"
// TargetNamespaceFromSelector allows target selection from watched namespaces matching the selector.
TargetNamespaceFromSelector TargetNamespaceFrom = "Selector"
)

// TargetSelectorNamespaces determines which namespaces are considered for target selection.
// +kubebuilder:validation:XValidation:rule="self.from != 'Selector' || has(self.selector)", message="selector must be specified when from is Selector"
type TargetSelectorNamespaces struct {
// From indicates how namespaces are selected for this target selector.
//
// All means all namespaces watched by Envoy Gateway.
// Selector means namespaces watched by Envoy Gateway that match Selector.
//
// +kubebuilder:validation:Enum=Same;All;Selector
// +kubebuilder:default:=Same
From TargetNamespaceFrom `json:"from"`

// Selector selects namespaces when From is set to Selector.
//
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty"`
Comment thread
zhaohuabing marked this conversation as resolved.
}

func (p PolicyTargetReferences) GetTargetRefs() []gwapiv1.LocalPolicyTargetReferenceWithSectionName {
if p.TargetRef != nil {
return []gwapiv1.LocalPolicyTargetReferenceWithSectionName{*p.TargetRef}
Expand Down
4 changes: 4 additions & 0 deletions api/v1alpha1/shared_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,10 @@ const (
// PolicyReasonDeprecatedField is used with the "Warning" condition when the policy
// uses deprecated fields that should be migrated to newer alternatives.
PolicyReasonDeprecatedField gwapiv1.PolicyConditionReason = "DeprecatedField"

// PolicyReasonRefNotPermitted is used with the "Accepted" condition when the policy
// targets a cross-namespace object without a matching ReferenceGrant.
PolicyReasonRefNotPermitted gwapiv1.PolicyConditionReason = "RefNotPermitted"
)

// GroupVersionKind unambiguously identifies a Kind.
Expand Down
25 changes: 25 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

79 changes: 78 additions & 1 deletion ...s/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2691,15 +2691,92 @@ spec:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
identifying the targeted resource.
type: object
namespaces:
description: |-
Namespaces determines which namespaces are considered for target selection.

If unspecified, only targets in the same namespace as this policy are considered.

When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
properties:
from:
default: Same
description: |-
From indicates how namespaces are selected for this target selector.

All means all namespaces watched by Envoy Gateway.
Selector means namespaces watched by Envoy Gateway that match Selector.
enum:
- Same
- All
- Selector
type: string
selector:
description: Selector selects namespaces when From is set
to Selector.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- from
type: object
x-kubernetes-validations:
- message: selector must be specified when from is Selector
rule: self.from != 'Selector' || has(self.selector)
required:
- kind
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
- message: at least one of namespaces, matchLabels, or matchExpressions
must be specified
rule: has(self.namespaces) || has(self.matchLabels) || has(self.matchExpressions)
type: array
tcpKeepalive:
description: |-
Expand Down
79 changes: 78 additions & 1 deletion ...ts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1171,15 +1171,92 @@ spec:
additionalProperties:
type: string
description: MatchLabels are the set of label selectors for
identifying the targeted resource
identifying the targeted resource.
type: object
namespaces:
description: |-
Namespaces determines which namespaces are considered for target selection.

If unspecified, only targets in the same namespace as this policy are considered.

When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
properties:
from:
default: Same
description: |-
From indicates how namespaces are selected for this target selector.

All means all namespaces watched by Envoy Gateway.
Selector means namespaces watched by Envoy Gateway that match Selector.
enum:
- Same
- All
- Selector
type: string
selector:
description: Selector selects namespaces when From is set
to Selector.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- from
type: object
x-kubernetes-validations:
- message: selector must be specified when from is Selector
rule: self.from != 'Selector' || has(self.selector)
required:
- kind
type: object
x-kubernetes-validations:
- message: group must be gateway.networking.k8s.io
rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
: true '
- message: at least one of namespaces, matchLabels, or matchExpressions
must be specified
rule: has(self.namespaces) || has(self.matchLabels) || has(self.matchExpressions)
type: array
tcpKeepalive:
description: |-
Expand Down
Loading
Loading