gateway-api icon indicating copy to clipboard operation
gateway-api copied to clipboard
verified publisher icon kubernetes-sigs

fix: add MinItems=1 validation to HTTPRoute rules

Open snorwin opened this issue 3 weeks ago • 3 comments

What type of PR is this?

/kind bug

What this PR does / why we need it: This PR adds a minItems=1 validation to HTTPRoute.spec.rules to prevent ambiguous defaulting behavior.

Currently, defaulting is only applied when .spec.rules is either null or absent. However, when .spec.rules is set to an empty list, defaulting does not occur. This leads to inconsistent interpretation and allows creation of HTTPRoute resources that contain no rules. IMO, an HTTPRoute without any rules provides no meaningful functionality and is likely a misconfiguration.

Example

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-1
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example
  rules: []
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-2
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example
  rules: null

Resulting objects (showing current defaulting behavior):

apiVersion: v1
kind: List
items:
- apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: example-1
  spec:
    parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: example
    rules: [] # No default applied
- apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: example-2
  spec:
    parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: example
    rules: # Default applied
      - matches:
          - path:
              type: PathPrefix
              value: /

Which issue(s) this PR fixes:

N/A

Does this PR introduce a user-facing change?:

 Added `minItems=1` validation to `HTTPRoute.spec.rules` to prevent creation of HTTPRoute resources without any rules.

snorwin avatar Dec 02 '25 07:12 snorwin

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: snorwin Once this PR has been reviewed and has the lgtm label, please assign aojea for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Dec 02 '25 07:12 k8s-ci-robot

After making these changes, does the defaulting handle an empty list correctly? Could you post a similar example, with this change? (It seems like it should be fine, but I would feel better).

youngnick avatar Dec 05 '25 04:12 youngnick

@youngnick after merging this PR example-1 (with rules: []) would be rejected by the API server because defaulting is not apply to an empty array.

As a result, users must either set rules: null, use rules: [{}], or omit the rules field entirely.

snorwin avatar Dec 05 '25 07:12 snorwin