Prevent cross-service revision traffic routing

Open linkvt opened this issue 3 weeks ago • 4 comments

Fixes #11916

Services can no longer route traffic to revisions belonging to different services. When a Service-owned Route references a revision with a different serving.knative.dev/service label, the Route will show Ready=False with reason RevisionNotOwned.

Standalone Routes (not owned by a Service) are unaffected and can still reference any revision.

Changes

  • Validate revision ownership when building traffic configuration
  • New RevisionNotOwned condition reason when validation fails
  • Standalone Routes (not owned by a Service) are unaffected

Open Question

Should we also add validation at the webhook level for faster user feedback?

This would require using the revision informer in the webhook which would probably increase the memory footprint a bit (didn't test it). The current implementation validates at reconciliation time only, which is consistent with how other traffic errors (e.g., RevisionMissing) are handled so I'm fine keeping the implementation like this.

Release Note

Services can no longer route traffic to revisions belonging to different services; attempting to do so will result in Ready=False with reason RevisionNotOwned.

linkvt avatar Dec 05 '25 15:12 linkvt
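The ownership rule described in the post above, as an added Go sketch that is not code from this pull request. The `Revision` and `Route` structs, the `OwnerService` field and `CheckRoute` are hypothetical stand-ins for the real Knative types, and treating a revision that lacks the label as a mismatch is an assumption the page does not confirm.

```go
package main

import "fmt"

// ServiceLabel is the label named in the PR description.
const ServiceLabel = "serving.knative.dev/service"

// Simplified stand-ins for the Knative objects (hypothetical, not the real API types).
type Revision struct{ Labels map[string]string }

type Route struct {
	Name         string
	OwnerService string   // "" means a standalone Route (not owned by a Service)
	Targets      []string // revision names referenced in the traffic block
}

// CheckRoute returns an empty reason when every traffic target is acceptable,
// otherwise the condition reason and the offending revision name.
// RevisionNotOwned and RevisionMissing are the reasons named on the page.
func CheckRoute(r Route, revs map[string]Revision) (reason, revision string) {
	for _, name := range r.Targets {
		rev, ok := revs[name]
		if !ok {
			return "RevisionMissing", name
		}
		// Standalone Routes may reference any revision, so only Service-owned
		// Routes are checked. Assumption: a missing label counts as a mismatch.
		if r.OwnerService != "" && rev.Labels[ServiceLabel] != r.OwnerService {
			return "RevisionNotOwned", name
		}
	}
	return "", ""
}

func main() {
	// Constructed sample objects: the "shop" Service's Route points at a
	// revision that carries the "billing" service label.
	revs := map[string]Revision{
		"shop-00001":    {Labels: map[string]string{ServiceLabel: "shop"}},
		"billing-00003": {Labels: map[string]string{ServiceLabel: "billing"}},
	}
	routes := []Route{
		{"shop", "shop", []string{"shop-00001", "billing-00003"}},
		{"canary", "", []string{"billing-00003"}},
	}
	for _, r := range routes {
		reason, rev := CheckRoute(r, revs)
		fmt.Printf("%s: reason=%q revision=%q\n", r.Name, reason, rev)
	}
}
```

Run over an inventory of existing Routes and Revisions, the same check lists which Services would turn `Ready=False` once the change is deployed.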

Codecov Report

Patch coverage is 92.85714% with 2 lines in your changes missing coverage. Please review.
Project coverage is 80.12%. Comparing base (5fbd94e) to head (3ab7621).
Report is 8 commits behind head on main.

Files with missing lines                  Patch %   Lines
pkg/reconciler/route/traffic/errors.go    84.61%    2 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #16294      +/-   ##
==========================================
+ Coverage   80.10%   80.12%   +0.02%     
==========================================
  Files         215      215              
  Lines       13332    13360      +28     
==========================================
+ Hits        10679    10705      +26     
- Misses       2294     2296       +2     
  Partials      359      359              

codecov[bot] avatar Dec 05 '25 15:12 codecov[bot]

/retest

linkvt avatar Dec 05 '25 15:12 linkvt

/retest

linkvt avatar Dec 05 '25 16:12 linkvt

/lgtm /approve

dprotaso avatar Dec 17 '25 22:12 dprotaso

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, linkvt

knative-prow[bot] avatar Dec 17 '25 22:12 knative-prow[bot]