diff --git a/api/v1alpha1/policy_helpers.go b/api/v1alpha1/policy_helpers.go
index 10b8e099f7..7a0e2679c7 100644
--- a/api/v1alpha1/policy_helpers.go
+++ b/api/v1alpha1/policy_helpers.go
@@ -58,6 +58,10 @@ type TargetSelector struct {
// When specified, the effective set of namespaces is always constrained to the
// namespaces watched by Envoy Gateway.
//
+ // Selecting targets across namespaces requires a ReferenceGrant in the target
+ // namespace that allows this policy kind to reference the selected target kind.
+ // Cross-namespace targets without a matching ReferenceGrant are ignored.
+ //
// +optional
Namespaces *TargetSelectorNamespaces `json:"namespaces,omitempty"`
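Review bot: The new paragraph says unmatched cross-namespace targets are "ignored" but does not tell the user that the skip leaves no trace in the policy's status, which is what the rest of this change introduces; an operator reading this field will expect a RefNotPermitted condition that no longer exists. I would make the last sentence explicit: `// Cross-namespace targets without a matching ReferenceGrant are silently skipped; no status condition is reported for them.` and regenerate the CRD YAML so the Helm charts carry the same wording. The TargetSelector struct begins before this hunk.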
diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go
index 7530826341..27c8f3d2d1 100644
--- a/api/v1alpha1/shared_types.go
+++ b/api/v1alpha1/shared_types.go
@@ -70,10 +70,6 @@ const (
// PolicyReasonDeprecatedField is used with the "Warning" condition when the policy
// uses deprecated fields that should be migrated to newer alternatives.
PolicyReasonDeprecatedField gwapiv1.PolicyConditionReason = "DeprecatedField"
-
- // PolicyReasonRefNotPermitted is used when the policy targets a cross-namespace
- // object without a matching ReferenceGrant.
- PolicyReasonRefNotPermitted gwapiv1.PolicyConditionReason = "RefNotPermitted"
)
// GroupVersionKind unambiguously identifies a Kind.
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
index e9a2c99e6f..aaf115127e 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -2924,6 +2924,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index 5aba61ba83..78e80bb4e5 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -1181,6 +1181,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
index e0bd5d49bc..27ee6dd7f8 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -1824,6 +1824,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 34ba4c7907..d90b11c3ad 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -7142,6 +7142,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
index 3fc645eaf2..3f3e1a9493 100644
--- a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+++ b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -2923,6 +2923,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index 62bd176d62..413730fae0 100644
--- a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -1180,6 +1180,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
index 85c9878352..a09c724a31 100644
--- a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
+++ b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -1823,6 +1823,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 8de423fd20..791f1ac16b 100644
--- a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -7141,6 +7141,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go
index cb7c6787cc..599ee047ab 100644
--- a/internal/gatewayapi/backendtrafficpolicy.go
+++ b/internal/gatewayapi/backendtrafficpolicy.go
@@ -295,16 +295,14 @@ func (t *Translator) ProcessBackendTrafficPolicies(
// Process the policies targeting Routes
for i, currPolicy := range backendTrafficPolicies {
policyName := utils.NamespacedName(currPolicy)
- allowed, denied := resolvePolicyTargetsFromSelectors(
- currPolicy.Spec.TargetSelectors,
+ targetRefs := resolvePolicyTargets(
+ currPolicy.Spec.PolicyTargetReferences,
routes,
resources.ReferenceGrants,
egv1a1.GroupName,
egv1a1.KindBackendTrafficPolicy,
currPolicy.Namespace,
t.GetNamespace)
- plainTargetRefs := resolvePolicyTargetsFromReferences(currPolicy.Spec.PolicyTargetReferences, currPolicy.Namespace)
- targetRefs := composePolicyTargetRefs(allowed, plainTargetRefs)
for _, currTarget := range targetRefs {
if isRoute(currTarget) {
policy, found := handledPolicies[policyName]
@@ -318,15 +316,6 @@ func (t *Translator) ProcessBackendTrafficPolicies(
routeMap, gatewayRouteMap, gatewayPolicyMerged, gatewayPolicyMap, policy, currTarget)
}
}
- if len(denied) > 0 {
- policy, found := handledPolicies[policyName]
- if !found {
- policy = policyCopies[i]
- handledPolicies[policyName] = policy
- res = append(res, policy)
- }
- setPolicyTargetRefNotPermittedStatus(&policy.Status, denied, t.GatewayControllerName, policy.Generation)
- }
}
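Review bot: With the denied branch removed, a policy whose selectors match only cross-namespace targets lacking a ReferenceGrant is never added to `res`, so it ends up with no ancestors and no condition at all — the updated testdata shows this by dropping the entire `backendTrafficPolicies` status block rather than recording a rejection. That turns a misconfiguration into a silent no-op: the policy looks healthy-by-absence instead of rejected, and nothing in the translator tells the operator why their selector attached to nothing. If dropping the RefNotPermitted reason is intentional, the skip should still be visible somewhere an operator can find it, for example a debug-level log from the resolver, or at least a comment at this point noting that selector targets rejected by ReferenceGrant produce no status. This hunk sits mid-loop; ProcessBackendTrafficPolicies continues outside it.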
// Process the policies targeting Listeners
@@ -351,16 +340,14 @@ func (t *Translator) ProcessBackendTrafficPolicies(
// Process the policies targeting Gateways
for i, currPolicy := range backendTrafficPolicies {
policyName := utils.NamespacedName(currPolicy)
- allowed, denied := resolvePolicyTargetsFromSelectors(
- currPolicy.Spec.TargetSelectors,
+ targetRefs := resolvePolicyTargets(
+ currPolicy.Spec.PolicyTargetReferences,
gateways,
resources.ReferenceGrants,
egv1a1.GroupName,
egv1a1.KindBackendTrafficPolicy,
currPolicy.Namespace,
t.GetNamespace)
- plainTargetRefs := resolvePolicyTargetsFromReferences(currPolicy.Spec.PolicyTargetReferences, currPolicy.Namespace)
- targetRefs := composePolicyTargetRefs(allowed, plainTargetRefs)
for _, currTarget := range targetRefs {
if isGateway(currTarget) {
policy, found := handledPolicies[policyName]
@@ -373,15 +360,6 @@ func (t *Translator) ProcessBackendTrafficPolicies(
gatewayMap, gatewayRouteMap, gatewayPolicyMerged, policy, currTarget)
}
}
- if len(denied) > 0 {
- policy, found := handledPolicies[policyName]
- if !found {
- policy = policyCopies[i]
- handledPolicies[policyName] = policy
- res = append(res, policy)
- }
- setPolicyTargetRefNotPermittedStatus(&policy.Status, denied, t.GatewayControllerName, policy.Generation)
- }
}
for _, policy := range res {
diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go
index e06e84380b..10e830e4a0 100644
--- a/internal/gatewayapi/clienttrafficpolicy.go
+++ b/internal/gatewayapi/clienttrafficpolicy.go
@@ -195,8 +195,8 @@ func (t *Translator) ProcessClientTrafficPolicies(
// Policy with no section set (targeting all sections)
for i, currPolicy := range clientTrafficPolicies {
policyName := utils.NamespacedName(currPolicy)
- allowed, denied := resolvePolicyTargetsFromSelectors(
- currPolicy.Spec.TargetSelectors,
+ targetRefs := resolvePolicyTargets(
+ currPolicy.Spec.PolicyTargetReferences,
gateways,
resources.ReferenceGrants,
egv1a1.GroupName,
@@ -204,8 +204,6 @@ func (t *Translator) ProcessClientTrafficPolicies(
currPolicy.Namespace,
t.GetNamespace,
)
- plainTargetRefs := resolvePolicyTargetsFromReferences(currPolicy.Spec.PolicyTargetReferences, currPolicy.Namespace)
- targetRefs := composePolicyTargetRefs(allowed, plainTargetRefs)
for _, currTarget := range targetRefs {
if !hasSectionName(&currTarget) {
@@ -335,15 +333,6 @@ func (t *Translator) ProcessClientTrafficPolicies(
}
}
}
- if len(denied) > 0 {
- policy, found := handledPolicies[policyName]
- if !found {
- policy = policyCopies[i]
- res = append(res, policy)
- handledPolicies[policyName] = policy
- }
- setPolicyTargetRefNotPermittedStatus(&policy.Status, denied, t.GatewayControllerName, policy.Generation)
- }
}
for _, policy := range res {
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
index 030138cdb6..83ed3b96ed 100644
--- a/internal/gatewayapi/envoyextensionpolicy.go
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -136,16 +136,14 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(
// Process the policies targeting xRoutes
for i, currPolicy := range envoyExtensionPolicies {
policyName := utils.NamespacedName(currPolicy)
- allowed, denied := resolvePolicyTargetsFromSelectors(
- currPolicy.Spec.TargetSelectors,
+ targetRefs := resolvePolicyTargets(
+ currPolicy.Spec.PolicyTargetReferences,
routes,
resources.ReferenceGrants,
egv1a1.GroupName,
egv1a1.KindEnvoyExtensionPolicy,
currPolicy.Namespace,
t.GetNamespace)
- plainTargetRefs := resolvePolicyTargetsFromReferences(currPolicy.Spec.PolicyTargetReferences, currPolicy.Namespace)
- targetRefs := composePolicyTargetRefs(allowed, plainTargetRefs)
for _, currTarget := range targetRefs {
if isRoute(currTarget) {
policy, found := handledPolicies[policyName]
@@ -159,15 +157,6 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(
routeMap, gatewayRouteMap, policy, currTarget)
}
}
- if len(denied) > 0 {
- policy, found := handledPolicies[policyName]
- if !found {
- policy = policyCopies[i]
- res = append(res, policy)
- handledPolicies[policyName] = policy
- }
- setPolicyTargetRefNotPermittedStatus(&policy.Status, denied, t.GatewayControllerName, policy.Generation)
- }
}
// Process the policies targeting Listeners
@@ -193,16 +182,14 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(
// Process the policies targeting Gateways
for i, currPolicy := range envoyExtensionPolicies {
policyName := utils.NamespacedName(currPolicy)
- allowed, denied := resolvePolicyTargetsFromSelectors(
- currPolicy.Spec.TargetSelectors,
+ targetRefs := resolvePolicyTargets(
+ currPolicy.Spec.PolicyTargetReferences,
gateways,
resources.ReferenceGrants,
egv1a1.GroupName,
egv1a1.KindEnvoyExtensionPolicy,
currPolicy.Namespace,
t.GetNamespace)
- plainTargetRefs := resolvePolicyTargetsFromReferences(currPolicy.Spec.PolicyTargetReferences, currPolicy.Namespace)
- targetRefs := composePolicyTargetRefs(allowed, plainTargetRefs)
for _, currTarget := range targetRefs {
if isGateway(currTarget) {
policy, found := handledPolicies[policyName]
@@ -216,15 +203,6 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(
gatewayMap, gatewayRouteMap, policy, currTarget)
}
}
- if len(denied) > 0 {
- policy, found := handledPolicies[policyName]
- if !found {
- policy = policyCopies[i]
- res = append(res, policy)
- handledPolicies[policyName] = policy
- }
- setPolicyTargetRefNotPermittedStatus(&policy.Status, denied, t.GatewayControllerName, policy.Generation)
- }
}
for _, policy := range res {
diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go
index a4aa6eab9b..ade73750e4 100644
--- a/internal/gatewayapi/helpers.go
+++ b/internal/gatewayapi/helpers.go
@@ -27,7 +27,6 @@ import (
egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
- "github.com/envoyproxy/gateway/internal/gatewayapi/status"
"github.com/envoyproxy/gateway/internal/ir"
"github.com/envoyproxy/gateway/internal/utils"
)
@@ -767,11 +766,6 @@ type policyTargetReferenceWithSectionName struct {
SectionName *gwapiv1.SectionName `json:"sectionName,omitempty"`
}
-type policySelectedTarget[T client.Object] struct {
- Target T
- Ref policyTargetReferenceWithSectionName
-}
-
func isRouteRule(target policyTargetReferenceWithSectionName) bool {
// If the target is not a gateway and the section name is not nil, then it's a route rule.
return target.Kind != resource.KindGateway && target.SectionName != nil
@@ -899,7 +893,7 @@ func isCrossNamespaceReferencePermitted(
return false
}
-// resolvePolicyTargetsFromSelectors returns a list of policy target refs that are allowed and denied by the policy's TargetSelectors.
+// resolvePolicyTargetsFromSelectors returns policy target refs allowed by the policy's TargetSelectors.
func resolvePolicyTargetsFromSelectors[T client.Object](
targetSelectors []egv1a1.TargetSelector,
potentialTargets []T,
@@ -908,9 +902,9 @@ func resolvePolicyTargetsFromSelectors[T client.Object](
policyKind string,
policyNamespace string,
namespaceLookup func(string) *corev1.Namespace,
-) (allowed, denied []policySelectedTarget[T]) {
+) []targetRefWithTimestamp {
allowedDedup := sets.New[targetRefWithTimestamp]()
- deniedDedup := sets.New[policyTargetReferenceWithSectionName]()
+ targetRefs := make([]targetRefWithTimestamp, 0)
for _, currSelector := range targetSelectors {
labelSelector := selectorFromTargetSelector(currSelector)
for _, obj := range potentialTargets {
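Review bot: `targetRefs := make([]targetRefWithTimestamp, 0)` allocates an empty backing array on every call for no benefit; nothing visible in this function or in composePolicyTargetRefs distinguishes nil from empty (the result is only ranged, measured with `len`, and sorted), so the idiomatic `var targetRefs []targetRefWithTimestamp` does the same job. If a non-empty result is the common case, sizing the slice from `len(potentialTargets)` would be the alternative, but a nil slice is the simpler fix. resolvePolicyTargetsFromSelectors continues past the end of this hunk.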
@@ -952,14 +946,6 @@ func resolvePolicyTargetsFromSelectors[T client.Object](
},
referenceGrants,
) {
- if deniedDedup.Has(ref) {
- continue
- }
- deniedDedup.Insert(ref)
- denied = append(denied, policySelectedTarget[T]{
- Target: obj,
- Ref: ref,
- })
continue
}
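Review bot: The denial branch is now an `if` whose entire body is `continue`, with nothing saying that a selector match rejected by ReferenceGrant is dropped deliberately and without any status or log; the next reader will assume the bookkeeping was lost in the refactor. A one-line comment on the `continue` would settle that: `// Cross-namespace target without a matching ReferenceGrant: skipped silently (no status condition is set).` From the visible lines the `isCrossNamespaceReferencePermitted` check itself still runs for every selected object, so enforcement is unchanged and the regression is only in reporting; the enclosing loop and function continue outside this hunk.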
@@ -971,14 +957,11 @@ func resolvePolicyTargetsFromSelectors[T client.Object](
continue
}
allowedDedup.Insert(targetRef)
- allowed = append(allowed, policySelectedTarget[T]{
- Target: obj,
- Ref: ref,
- })
+ targetRefs = append(targetRefs, targetRef)
}
}
- return allowed, denied
+ return targetRefs
}
// resolvePolicyTargetsFromReferences returns a list of policy target refs specified in the policy's TargetRefs, with the namespace field populated.
@@ -1007,23 +990,16 @@ func resolvePolicyTargetsFromReferences(
}
// composePolicyTargetRefs combines the allowed target refs derived from the selectors and the plain target refs specified in the policy.
-func composePolicyTargetRefs[T client.Object](
- matches []policySelectedTarget[T],
+func composePolicyTargetRefs(
+ selectorTargetRefs []targetRefWithTimestamp,
plainTargetRefs []policyTargetReferenceWithSectionName,
) []policyTargetReferenceWithSectionName {
// First add the target refs derived from the selectors, sorted by the creation timestamp of the matched objects.
- selectorsList := make([]targetRefWithTimestamp, 0, len(matches))
- for _, match := range matches {
- selectorsList = append(selectorsList, targetRefWithTimestamp{
- CreationTimestamp: match.Target.GetCreationTimestamp(),
- policyTargetReferenceWithSectionName: match.Ref,
- })
- }
- slices.SortFunc(selectorsList, func(i, j targetRefWithTimestamp) int {
+ slices.SortFunc(selectorTargetRefs, func(i, j targetRefWithTimestamp) int {
return i.CreationTimestamp.Compare(j.CreationTimestamp.Time)
})
- ret := make([]policyTargetReferenceWithSectionName, len(selectorsList))
- for i, v := range selectorsList {
+ ret := make([]policyTargetReferenceWithSectionName, len(selectorTargetRefs))
+ for i, v := range selectorTargetRefs {
ret[i] = v.policyTargetReferenceWithSectionName
}
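Review bot: `slices.SortFunc(selectorTargetRefs, …)` now sorts the caller's slice in place, where the old code sorted a locally built `selectorsList`; the only caller visible here, resolvePolicyTargets, passes a freshly built slice, so nothing breaks today, but the function's contract changed without the doc comment saying so. Either document it (`// Note: sorts selectorTargetRefs in place.`) or keep the old isolation with `sorted := slices.Clone(selectorTargetRefs)` and sort and range over `sorted`. The tail of composePolicyTargetRefs is outside this hunk.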
@@ -1051,7 +1027,7 @@ func resolvePolicyTargets[T client.Object](
policyNamespace string,
namespaceLookup func(string) *corev1.Namespace,
) []policyTargetReferenceWithSectionName {
- allowed, _ := resolvePolicyTargetsFromSelectors(
+ selectorTargetRefs := resolvePolicyTargetsFromSelectors(
targetRefs.TargetSelectors,
potentialTargets,
referenceGrants,
@@ -1060,77 +1036,7 @@ func resolvePolicyTargets[T client.Object](
policyNamespace,
namespaceLookup)
plainTargetRefs := resolvePolicyTargetsFromReferences(targetRefs, policyNamespace)
- return composePolicyTargetRefs(allowed, plainTargetRefs)
-}
-
-func setPolicyTargetRefNotPermittedStatus[T client.Object](
- policyStatus *gwapiv1.PolicyStatus,
- denied []policySelectedTarget[T],
- controllerName string,
- generation int64,
-) {
- for _, deniedMatch := range denied {
- msg := fmt.Sprintf(
- "Target %s %s/%s is not permitted by any ReferenceGrant.",
- deniedMatch.Target.GetObjectKind().GroupVersionKind().Kind,
- deniedMatch.Target.GetNamespace(),
- deniedMatch.Target.GetName(),
- )
-
- switch obj := any(deniedMatch.Target).(type) {
- case *GatewayContext:
- ancestorRef := getAncestorRefForPolicy(utils.NamespacedName(obj), nil)
- setPolicyTargetRefNotPermittedStatusForAncestor(policyStatus, &ancestorRef, controllerName, generation, msg)
- case RouteContext:
- parentRefs := GetManagedParentReferences(obj)
- ancestorRefs := make([]*gwapiv1.ParentReference, 0, len(parentRefs))
- for _, p := range parentRefs {
- if p.Kind != nil && *p.Kind != resource.KindGateway {
- continue
- }
- namespace := obj.GetNamespace()
- if p.Namespace != nil {
- namespace = string(*p.Namespace)
- }
- ancestorRef := getAncestorRefForPolicy(types.NamespacedName{
- Name: string(p.Name),
- Namespace: namespace,
- }, p.SectionName)
- ancestorRefs = append(ancestorRefs, &ancestorRef)
- }
- for _, ancestorRef := range ancestorRefs {
- setPolicyTargetRefNotPermittedStatusForAncestor(policyStatus, ancestorRef, controllerName, generation, msg)
- }
- }
- }
-}
-
-func setPolicyTargetRefNotPermittedStatusForAncestor(
- policyStatus *gwapiv1.PolicyStatus,
- ancestorRef *gwapiv1.ParentReference,
- controllerName string,
- generation int64,
- message string,
-) {
- // If an ancestor has at least one effective target: Accepted=True,
- // If some targets under that same ancestor were skipped due to missing ReferenceGrant: add Warning=True, reason RefNotPermitted.
- if status.IsPolicyAncestorAccepted(policyStatus, ancestorRef, controllerName) {
- status.SetWarningForPolicyAncestor(
- policyStatus,
- ancestorRef,
- controllerName,
- egv1a1.PolicyReasonRefNotPermitted,
- message,
- generation,
- )
- return
- }
-
- // If an ancestor has no effective target due to all targets being skipped by missing ReferenceGrant, the policy should be Rejected with reason RefNotPermitted.
- status.SetResolveErrorForPolicyAncestor(policyStatus, ancestorRef, controllerName, generation, &status.PolicyResolveError{
- Reason: egv1a1.PolicyReasonRefNotPermitted,
- Message: message,
- })
+ return composePolicyTargetRefs(selectorTargetRefs, plainTargetRefs)
}
// legacy function to get policy target refs without considering cross-namespace policy attachment.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 9ccea6da60..374bda5700 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -161,16 +161,14 @@ func (t *Translator) ProcessSecurityPolicies(
// Process the policies targeting xRoutes (HTTP + TCP)
for i, currPolicy := range securityPolicies {
policyName := utils.NamespacedName(currPolicy)
- allowed, denied := resolvePolicyTargetsFromSelectors(
- currPolicy.Spec.TargetSelectors,
+ targetRefs := resolvePolicyTargets(
+ currPolicy.Spec.PolicyTargetReferences,
routes,
resources.ReferenceGrants,
egv1a1.GroupName,
egv1a1.KindSecurityPolicy,
currPolicy.Namespace,
t.GetNamespace)
- plainTargetRefs := resolvePolicyTargetsFromReferences(currPolicy.Spec.PolicyTargetReferences, currPolicy.Namespace)
- targetRefs := composePolicyTargetRefs(allowed, plainTargetRefs)
for _, currTarget := range targetRefs {
if isRoute(currTarget) {
policy, found := handledPolicies[policyName]
@@ -183,15 +181,6 @@ func (t *Translator) ProcessSecurityPolicies(
t.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayRouteMap, gatewayPolicyMerged, gatewayPolicyMap, policy, currTarget)
}
}
- if len(denied) > 0 {
- policy, found := handledPolicies[policyName]
- if !found {
- policy = policyCopies[i]
- handledPolicies[policyName] = policy
- res = append(res, policy)
- }
- setPolicyTargetRefNotPermittedStatus(&policy.Status, denied, t.GatewayControllerName, policy.Generation)
- }
}
// Process the policies targeting Listeners
for i, currPolicy := range securityPolicies {
@@ -214,16 +203,14 @@ func (t *Translator) ProcessSecurityPolicies(
// Process the policies targeting Gateways
for i, currPolicy := range securityPolicies {
policyName := utils.NamespacedName(currPolicy)
- allowed, denied := resolvePolicyTargetsFromSelectors(
- currPolicy.Spec.TargetSelectors,
+ targetRefs := resolvePolicyTargets(
+ currPolicy.Spec.PolicyTargetReferences,
gateways,
resources.ReferenceGrants,
egv1a1.GroupName,
egv1a1.KindSecurityPolicy,
currPolicy.Namespace,
t.GetNamespace)
- plainTargetRefs := resolvePolicyTargetsFromReferences(currPolicy.Spec.PolicyTargetReferences, currPolicy.Namespace)
- targetRefs := composePolicyTargetRefs(allowed, plainTargetRefs)
for _, currTarget := range targetRefs {
if isGateway(currTarget) {
@@ -237,15 +224,6 @@ func (t *Translator) ProcessSecurityPolicies(
t.processSecurityPolicyForGateway(resources, xdsIR, gatewayMap, gatewayRouteMap, gatewayPolicyMerged, policy, currTarget)
}
}
- if len(denied) > 0 {
- policy, found := handledPolicies[policyName]
- if !found {
- policy = policyCopies[i]
- handledPolicies[policyName] = policy
- res = append(res, policy)
- }
- setPolicyTargetRefNotPermittedStatus(&policy.Status, denied, t.GatewayControllerName, policy.Generation)
- }
}
for _, policy := range res {
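Review bot: For SecurityPolicy this removal has a sharper edge than for the other kinds: an authn/authz or CORS policy attached by selector to a cross-namespace Gateway that lacks a ReferenceGrant is now simply not applied, and unlike before, the policy object no longer carries an `Accepted=False`/`RefNotPermitted` signal that the protection is absent. An operator who checks the SecurityPolicy status before relying on it gets no warning, so the failure is invisible from the resource that is supposed to enforce access control. I would keep an explicit rejection condition at least for the case where every selected target is denied, or otherwise emit a log line from the resolver so the skip is observable; if the silent behaviour is a deliberate product decision, say so in the doc comment of TargetSelector.Namespaces. The loop and ProcessSecurityPolicies continue outside this hunk.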
diff --git a/internal/gatewayapi/status/policy.go b/internal/gatewayapi/status/policy.go
index 715ad7b5d0..6322e42928 100644
--- a/internal/gatewayapi/status/policy.go
+++ b/internal/gatewayapi/status/policy.go
@@ -82,13 +82,6 @@ func SetAcceptedForPolicyAncestor(policyStatus *gwapiv1.PolicyStatus, ancestorRe
gwapiv1.PolicyConditionAccepted, metav1.ConditionTrue, gwapiv1.PolicyReasonAccepted, message, generation)
}
-func IsPolicyAncestorAccepted(policyStatus *gwapiv1.PolicyStatus, ancestorRef *gwapiv1.ParentReference, controllerName string) bool {
- return meta.IsStatusConditionTrue(
- policyAncestorConditions(policyStatus, ancestorRef, controllerName),
- string(gwapiv1.PolicyConditionAccepted),
- )
-}
-
// SetDeprecatedFieldsWarningForPolicyAncestors sets deprecated fields warning conditions for each ancestor reference.
func SetDeprecatedFieldsWarningForPolicyAncestors(policyStatus *gwapiv1.PolicyStatus, ancestorRefs []*gwapiv1.ParentReference, controllerName string, generation int64, deprecatedFields map[string]string) {
for _, ancestorRef := range ancestorRefs {
@@ -327,16 +320,6 @@ func getPolicyAncestorCondition(policyStatus *gwapiv1.PolicyStatus, ancestorRef
return nil
}
-func policyAncestorConditions(policyStatus *gwapiv1.PolicyStatus, ancestorRef *gwapiv1.ParentReference, controllerName string) []metav1.Condition {
- for _, ancestor := range policyStatus.Ancestors {
- if string(ancestor.ControllerName) == controllerName && ancestorRefsEqual(&ancestor.AncestorRef, ancestorRef) {
- return ancestor.Conditions
- }
- }
-
- return nil
-}
-
func mergePolicyWarningMessages(existing, next string) string {
switch {
case existing == "":
diff --git a/internal/gatewayapi/status/policy_test.go b/internal/gatewayapi/status/policy_test.go
index cdff974e5a..7f58333d47 100644
--- a/internal/gatewayapi/status/policy_test.go
+++ b/internal/gatewayapi/status/policy_test.go
@@ -84,19 +84,3 @@ func TestSetWarningForPolicyAncestorMergesWarnings(t *testing.T) {
}
}
}
-
-func TestIsPolicyAncestorAccepted(t *testing.T) {
- policyStatus := &gwapiv1.PolicyStatus{}
- ancestorRef := &gwapiv1.ParentReference{Name: gwapiv1.ObjectName("example")}
- controllerName := "example.com/controller"
-
- assert.False(t, IsPolicyAncestorAccepted(policyStatus, ancestorRef, controllerName))
-
- SetConditionForPolicyAncestor(policyStatus, ancestorRef, controllerName,
- gwapiv1.PolicyConditionAccepted, metav1.ConditionFalse, egv1a1.PolicyReasonRefNotPermitted, "not permitted", 1)
- assert.False(t, IsPolicyAncestorAccepted(policyStatus, ancestorRef, controllerName))
-
- SetConditionForPolicyAncestor(policyStatus, ancestorRef, controllerName,
- gwapiv1.PolicyConditionAccepted, metav1.ConditionTrue, gwapiv1.PolicyReasonAccepted, "accepted", 1)
- assert.True(t, IsPolicyAncestorAccepted(policyStatus, ancestorRef, controllerName))
-}
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-gateway-target.in.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-gateway-target.in.yaml
similarity index 100%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-gateway-target.in.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-gateway-target.in.yaml
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-gateway-target.out.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-gateway-target.out.yaml
similarity index 95%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-gateway-target.out.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-gateway-target.out.yaml
index 7be18da1de..2467854087 100644
--- a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-gateway-target.out.yaml
+++ b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-gateway-target.out.yaml
@@ -27,19 +27,6 @@ backendTrafficPolicies:
status: "True"
type: Accepted
controllerName: gateway.envoyproxy.io/gatewayclass-controller
- - ancestorRef:
- group: gateway.networking.k8s.io
- kind: Gateway
- name: denied-gateway
- namespace: policy-target-b
- conditions:
- - lastTransitionTime: null
- message: Target Gateway policy-target-b/denied-gateway is not permitted by
- any ReferenceGrant.
- reason: RefNotPermitted
- status: "False"
- type: Accepted
- controllerName: gateway.envoyproxy.io/gatewayclass-controller
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-route-target.in.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-route-target.in.yaml
similarity index 100%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-route-target.in.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-route-target.in.yaml
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-route-target.out.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-route-target.out.yaml
similarity index 96%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-route-target.out.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-route-target.out.yaml
index 6face1741d..0b5a59838d 100644
--- a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-partial-referencegrant-route-target.out.yaml
+++ b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-partial-referencegrant-route-target.out.yaml
@@ -27,13 +27,6 @@ backendTrafficPolicies:
reason: Accepted
status: "True"
type: Accepted
- - lastTransitionTime: null
- message: Target HTTPRoute policy-target-b/denied-route is not permitted by
- any ReferenceGrant.; Target HTTPRoute policy-target-c/denied-route is not
- permitted by any ReferenceGrant.
- reason: RefNotPermitted
- status: "True"
- type: Warning
controllerName: gateway.envoyproxy.io/gatewayclass-controller
gateways:
- apiVersion: gateway.networking.k8s.io/v1
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-gateway.in.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-gateway.in.yaml
similarity index 100%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-gateway.in.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-gateway.in.yaml
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-gateway.out.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-gateway.out.yaml
similarity index 84%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-gateway.out.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-gateway.out.yaml
index 4a883cbcf0..3a1c15c021 100644
--- a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-gateway.out.yaml
+++ b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-gateway.out.yaml
@@ -1,33 +1,3 @@
-backendTrafficPolicies:
-- apiVersion: gateway.envoyproxy.io/v1alpha1
- kind: BackendTrafficPolicy
- metadata:
- name: cross-ns-policy
- namespace: policy-ns
- spec:
- targetSelectors:
- - group: gateway.networking.k8s.io
- kind: Gateway
- matchLabels:
- policy: selected
- namespaces:
- from: All
- useClientProtocol: true
- status:
- ancestors:
- - ancestorRef:
- group: gateway.networking.k8s.io
- kind: Gateway
- name: target-gateway
- namespace: policy-target-ns
- conditions:
- - lastTransitionTime: null
- message: Target Gateway policy-target-ns/target-gateway is not permitted by
- any ReferenceGrant.
- reason: RefNotPermitted
- status: "False"
- type: Accepted
- controllerName: gateway.envoyproxy.io/gatewayclass-controller
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-route.in.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-route.in.yaml
similarity index 100%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-route.in.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-route.in.yaml
diff --git a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-route.out.yaml b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-route.out.yaml
similarity index 84%
rename from internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-route.out.yaml
rename to internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-route.out.yaml
index 7f0dd84ffa..129c29c879 100644
--- a/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-invalid-referencegrant-route.out.yaml
+++ b/internal/gatewayapi/testdata/policy-cross-namespace-targetselector-missing-referencegrant-route.out.yaml
@@ -1,34 +1,3 @@
-backendTrafficPolicies:
-- apiVersion: gateway.envoyproxy.io/v1alpha1
- kind: BackendTrafficPolicy
- metadata:
- name: cross-ns-policy
- namespace: policy-ns
- spec:
- targetSelectors:
- - group: gateway.networking.k8s.io
- kind: HTTPRoute
- matchLabels:
- policy: selected
- namespaces:
- from: All
- useClientProtocol: true
- status:
- ancestors:
- - ancestorRef:
- group: gateway.networking.k8s.io
- kind: Gateway
- name: target-gateway
- namespace: policy-target-ns
- sectionName: http
- conditions:
- - lastTransitionTime: null
- message: Target HTTPRoute policy-target-ns/target-route is not permitted by
- any ReferenceGrant.
- reason: RefNotPermitted
- status: "False"
- type: Accepted
- controllerName: gateway.envoyproxy.io/gatewayclass-controller
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 130bddae4d..ad782c4270 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -6197,7 +6197,7 @@ _Appears in:_
| --- | --- | --- | --- | --- |
| `group` | _[Group](#group)_ | true | gateway.networking.k8s.io | Group is the group that this selector targets. Defaults to gateway.networking.k8s.io |
| `kind` | _[Kind](#kind)_ | true | | Kind is the resource kind that this selector targets. |
-| `namespaces` | _[TargetSelectorNamespaces](#targetselectornamespaces)_ | false | | Namespaces determines which namespaces are considered for target selection.
If unspecified, only targets in the same namespace as this policy are considered.
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway. |
+| `namespaces` | _[TargetSelectorNamespaces](#targetselectornamespaces)_ | false | | Namespaces determines which namespaces are considered for target selection.
If unspecified, only targets in the same namespace as this policy are considered.
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
Selecting targets across namespaces requires a ReferenceGrant in the target
namespace that allows this policy kind to reference the selected target kind.
Cross-namespace targets without a matching ReferenceGrant are ignored. |
| `matchLabels` | _object (keys:string, values:string)_ | false | | MatchLabels are the set of label selectors for identifying the targeted resource. |
| `matchExpressions` | _[LabelSelectorRequirement](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#labelselectorrequirement-v1-meta) array_ | false | | MatchExpressions is a list of label selector requirements. The requirements are ANDed. |
diff --git a/test/e2e/tests/backendtrafficpolicy_cross_namespace.go b/test/e2e/tests/backendtrafficpolicy_cross_namespace.go
index 15214415af..2a01fe9ea6 100644
--- a/test/e2e/tests/backendtrafficpolicy_cross_namespace.go
+++ b/test/e2e/tests/backendtrafficpolicy_cross_namespace.go
@@ -57,12 +57,6 @@ var BackendTrafficPolicyCrossNamespaceTest = suite.ConformanceTest{
Namespace: gatewayapi.NamespacePtr(grantedGatewayNN.Namespace),
Name: gwapiv1.ObjectName(grantedGatewayNN.Name),
}
- deniedAncestorRef := gwapiv1.ParentReference{
- Group: gatewayapi.GroupPtr(gwapiv1.GroupName),
- Kind: gatewayapi.KindPtr(resource.KindGateway),
- Namespace: gatewayapi.NamespacePtr(deniedGatewayNN.Namespace),
- Name: gwapiv1.ObjectName(deniedGatewayNN.Name),
- }
BackendTrafficPolicyMustBeAccepted(
t,
@@ -72,15 +66,6 @@ var BackendTrafficPolicyCrossNamespaceTest = suite.ConformanceTest{
grantedAncestorRef,
)
- BackendTrafficPolicyMustFail(
- t,
- suite.Client,
- types.NamespacedName{Name: "cross-namespace-btp-denied", Namespace: policyNS},
- suite.ControllerName,
- deniedAncestorRef,
- "is not permitted by any ReferenceGrant",
- )
-
grantedResponse := http.ExpectedResponse{
Namespace: grantedNS,
Request: http.Request{
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
index 00fbbaec7a..9ce635a9a8 100644
--- a/test/helm/gateway-crds-helm/all.out.yaml
+++ b/test/helm/gateway-crds-helm/all.out.yaml
@@ -25451,6 +25451,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -27308,6 +27312,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -30088,6 +30096,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -57041,6 +57053,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/test/helm/gateway-crds-helm/e2e.out.yaml b/test/helm/gateway-crds-helm/e2e.out.yaml
index 9886bff5e0..46debec6de 100644
--- a/test/helm/gateway-crds-helm/e2e.out.yaml
+++ b/test/helm/gateway-crds-helm/e2e.out.yaml
@@ -3424,6 +3424,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -5281,6 +5285,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -8061,6 +8069,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -35014,6 +35026,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
index 4781857643..7affe1bb29 100644
--- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -3424,6 +3424,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -5281,6 +5285,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -8061,6 +8069,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same
@@ -35014,6 +35026,10 @@ spec:
When specified, the effective set of namespaces is always constrained to the
namespaces watched by Envoy Gateway.
+
+ Selecting targets across namespaces requires a ReferenceGrant in the target
+ namespace that allows this policy kind to reference the selected target kind.
+ Cross-namespace targets without a matching ReferenceGrant are ignored.
properties:
from:
default: Same