Listener AllowedRoutes.Kinds field isn't enforced

Question

Listener AllowedRoutes.Kinds field isn't enforced

Closed this issue a month ago · 0 comments

Describe the bug
NGF allows all route kinds to attach to a listener regardless of the kinds specified in the listener AllowedRoutes.Kinds field.

To Reproduce
Steps to reproduce the behavior:

Deploy NGF
Create the following Gateway whose listener only allows GRPCRoutes to attach:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: grpc
    port: 80
    protocol: HTTP
    hostname: "*.example.com"
    allowedRoutes:
      kinds:
        - kind: "GRPCRoute"

Then create an HTTPRoute that references the grpc-only listener:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
    sectionName: grpc
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: Exact
        value: /coffee
    backendRefs:
    - name: coffee
      port: 80

Check status of listener and route:

kubectl describe gateway gateway

  Listeners:
    Attached Routes:  1 # SHOULD BE 0
    Conditions:
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               Listener is accepted
      Observed Generation:   4
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               Listener is programmed
      Observed Generation:   4
      Reason:                Programmed
      Status:                True
      Type:                  Programmed
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               All references are resolved
      Observed Generation:   4
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               No conflicts
      Observed Generation:   4
      Reason:                NoConflicts
      Status:                False
      Type:                  Conflicted
    Name:                    http
    Supported Kinds:
      Group:  gateway.networking.k8s.io
      Kind:   GRPCRoute

kubectl describe httproute coffee

Status:
  Parents:
    Conditions:
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               The route is accepted
      Observed Generation:   1
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               All references are resolved
      Observed Generation:   1
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
    Parent Ref:
      Group:         gateway.networking.k8s.io
      Kind:          Gateway
      Name:          gateway
      Namespace:     default
      Section Name:  http

Expected behavior
The HTTPRoute should not be able to attach to the Gateway listener that only allows kinds GRPCRoute.

The HTTPRoute should not be accepted and should have the following condition set on its status:

    Message:               Route is not allowed by any listener
    Observed Generation:   1
    Reason:                NotAllowedByListeners
    Status:                False
    Type:                  Accepted

Note: GRPCRoutes can also be attached to Gateway listeners that only allow kinds HTTPRoute.

Your environment

Version of the NGINX Gateway Fabric - edge 1dac4584266c6ae3b0f0c9564c0643e5cafce640