nginx-gateway-fabric

Disallow route to attach to listener if not present in allowed routes.

Open salonichf5 opened this issue 1 year ago • 4 comments

Proposed changes

Write a clear and concise description that helps reviewers understand the purpose and impact of your changes. Use the following format:

Problem: NGF allows all route kinds to attach to a listener regardless of the kinds specified in the listener AllowedRoutes.Kinds field

Solution: Add check to reject a route trying to attach to a listener which doesn't allow its kind.

Testing: Manual testing

  1. Case 1: Gateway has a listener of type GRPCRoute, HTTPRoute Created with that listener
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: grpc
    port: 80
    protocol: HTTP
    hostname: "*.example.com"
    allowedRoutes:
      kinds:
        - kind: "GRPCRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
    sectionName: grpc
  hostnames:
  - "cafe.example.com"
  rules:
  - backendRefs:
    - name: coffee
      port: 80

kubectl describe httproute coffee

Status:
  Parents:
    Conditions:
      Last Transition Time:  2024-07-30T23:36:19Z
      Message:               All references are resolved
      Observed Generation:   3
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      Last Transition Time:  2024-07-30T23:36:19Z
      Message:               Route is not allowed by any listener
      Observed Generation:   3
      Reason:                NotAllowedByListeners
      Status:                False
      Type:                  Accepted
    Controller Name:

  2. Case 2: Gateway has a listener of type GRPCRoute, GRPC Created with that listener
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: same-namespace
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
      kinds:
        - kind: "GRPCRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: exact-matching
spec:
  parentRefs:
  - name: same-namespace
    sectionName: http
  rules:
  - matches:
    - method:
        service: helloworld.Greeter
        method: SayHello
    backendRefs:
    - name: grpc-infra-backend-v1
      port: 8080

grpcurl -plaintext -proto grpc.proto -authority bar.com -d '{"name": "exact"}' ${GW_IP}:${GW_PORT} helloworld.Greeter/SayHello
Handling connection for 8080
{
  "message": "Hello exact"
}

kubectl describe grpcroute exact-matching
Name:         exact-matching
Namespace:    default
Labels:       <none>
Annotations:  <none>
.
.
.
      Last Transition Time:  2024-07-31T19:40:25Z
      Message:               The route is accepted
      Observed Generation:   2
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-07-31T19:40:25Z
      Message:               All references are resolved
      Observed Generation:   2
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
    Controller Name:         gateway.nginx.org/nginx-gateway-controller

  3. Gateway has a listener of type HTTPRoute, GRPCRoute not allowed to attach to that listener
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: same-namespace
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
      kinds:
        - kind: "HTTPRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: exact-matching
spec:
  parentRefs:
  - name: same-namespace
    sectionName: http
  rules:
  - matches:
    - method:
        service: helloworld.Greeter
        method: SayHello
    backendRefs:
    - name: grpc-infra-backend-v1
      port: 8080

kubectl describe grpcroute exact-matching
Name:         exact-matching
.
.
.
      Last Transition Time:  2024-08-01T01:25:35Z
      Message:               All references are resolved
      Observed Generation:   2
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      Last Transition Time:  2024-08-01T01:25:35Z
      Message:               Route is not allowed by any listener
      Observed Generation:   2
      Reason:                NotAllowedByListeners
      Status:                False
      Type:                  Accepted
    Controller Name:         gateway.nginx.org/nginx-gateway-controller

Please focus on (optional): If you have any specific areas where you would like reviewers to focus their attention or provide specific feedback, add them here.

Closes #2299

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • [x] I have read the CONTRIBUTING doc
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] I have checked that all unit tests pass after adding my changes
  • [x] I have updated necessary documentation
  • [x] I have rebased my branch onto main
  • [x] I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes, please add a brief note that summarizes the change.


salonichf5 avatar Jul 30 '24 23:07 salonichf5
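
The kind check described in the Problem/Solution above, as an added example that is not NGF's own code: the listener's `allowedRoutes.kinds` is the gateway owner's control over what route owners may attach, so a route whose kind is not listed must get `Accepted: False` with reason `NotAllowedByListeners`. The types, function names and the protocol-default table are assumptions made for this sketch; a `sectionName` that matches no listener is folded into the same reason for brevity.

```go
package main

import "fmt"

// Stand-in types (not NGF's own) mirroring the manifest fields used on this page.
const defaultGroup = "gateway.networking.k8s.io"

type groupKind struct{ Group, Kind string }

type listener struct {
	Name, Protocol string
	AllowedKinds   []groupKind // allowedRoutes.kinds; empty = derive from protocol
}

type route struct{ Kind, SectionName string } // SectionName "" targets all listeners

// Assumption: kinds applied when an HTTP listener lists none.
var protocolDefaults = map[string][]groupKind{
	"HTTP": {{defaultGroup, "HTTPRoute"}, {defaultGroup, "GRPCRoute"}},
}

func kindAllowed(l listener, kind string) bool {
	kinds := l.AllowedKinds
	if len(kinds) == 0 {
		kinds = protocolDefaults[l.Protocol]
	}
	for _, k := range kinds {
		if (k.Group == "" || k.Group == defaultGroup) && k.Kind == kind {
			return true
		}
	}
	return false
}

// acceptedReason returns the reason for the route's Accepted condition.
func acceptedReason(r route, listeners []listener) string {
	for _, l := range listeners {
		if (r.SectionName == "" || r.SectionName == l.Name) && kindAllowed(l, r.Kind) {
			return "Accepted"
		}
	}
	return "NotAllowedByListeners"
}

func main() {
	ls := []listener{{Name: "grpc", Protocol: "HTTP", AllowedKinds: []groupKind{{Kind: "GRPCRoute"}}}}
	fmt.Println(acceptedReason(route{"HTTPRoute", "grpc"}, ls)) // Case 1 on this page
	fmt.Println(acceptedReason(route{"GRPCRoute", "grpc"}, ls)) // Case 2 shape
}
```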