Listener AllowedRoutes.Kinds field isn't enforced
Closed this issue · 0 comments
kate-osborn commented
Describe the bug
NGF allows all route kinds to attach to a listener regardless of the kinds specified in the listener AllowedRoutes.Kinds
field.
To Reproduce
Steps to reproduce the behavior:
- Deploy NGF
- Create the following Gateway whose listener only allows GRPCRoutes to attach:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: gateway
spec:
gatewayClassName: nginx
listeners:
- name: grpc
port: 80
protocol: HTTP
hostname: "*.example.com"
allowedRoutes:
kinds:
- kind: "GRPCRoute"
- Then create an HTTPRoute that references the grpc-only listener:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: coffee
spec:
parentRefs:
- name: gateway
sectionName: grpc
hostnames:
- "cafe.example.com"
rules:
- matches:
- path:
type: Exact
value: /coffee
backendRefs:
- name: coffee
port: 80
- Check status of listener and route:
kubectl describe gateway gateway
Listeners:
Attached Routes: 1 # SHOULD BE 0
Conditions:
Last Transition Time: 2024-07-26T22:07:07Z
Message: Listener is accepted
Observed Generation: 4
Reason: Accepted
Status: True
Type: Accepted
Last Transition Time: 2024-07-26T22:07:07Z
Message: Listener is programmed
Observed Generation: 4
Reason: Programmed
Status: True
Type: Programmed
Last Transition Time: 2024-07-26T22:07:07Z
Message: All references are resolved
Observed Generation: 4
Reason: ResolvedRefs
Status: True
Type: ResolvedRefs
Last Transition Time: 2024-07-26T22:07:07Z
Message: No conflicts
Observed Generation: 4
Reason: NoConflicts
Status: False
Type: Conflicted
Name: http
Supported Kinds:
Group: gateway.networking.k8s.io
Kind: GRPCRoute
kubectl describe httproute coffee
Status:
Parents:
Conditions:
Last Transition Time: 2024-07-26T22:07:07Z
Message: The route is accepted
Observed Generation: 1
Reason: Accepted
Status: True
Type: Accepted
Last Transition Time: 2024-07-26T22:07:07Z
Message: All references are resolved
Observed Generation: 1
Reason: ResolvedRefs
Status: True
Type: ResolvedRefs
Controller Name: gateway.nginx.org/nginx-gateway-controller
Parent Ref:
Group: gateway.networking.k8s.io
Kind: Gateway
Name: gateway
Namespace: default
Section Name: http
Expected behavior
The HTTPRoute should not be able to attach to the Gateway listener that only allows kinds GRPCRoute.
The HTTPRoute should not be accepted and should have the following condition set on its status:
Message: Route is not allowed by any listener
Observed Generation: 1
Reason: NotAllowedByListeners
Status: False
Type: Accepted
Note: GRPCRoutes can also be attached to Gateway listeners that only allow kinds HTTPRoute.
Your environment
- Version of the NGINX Gateway Fabric - edge
1dac4584266c6ae3b0f0c9564c0643e5cafce640