HTTPRoute not accepted if namespace selector is used #28186

@tobiaskohlbau

Description

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

Having the following scenario within a Gateway API enabled cluster:

A Gateway with multiple listeners for different hostnames. One of the listeners needs to allow an HTTPRoute from another namespace. Enabling a namespace selector for one listener breaks every HTTPRoute attached to the gateway.

Gateway definition:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: reproducer
spec:
  gatewayClassName: cilium
  listeners:
  - name: one
    protocol: HTTPS
    port: 443
    hostname: "one.example.org"
    tls:
      certificateRefs:
      - kind: Secret
        name: one-tls
  - name: two
    protocol: HTTPS
    port: 443
    hostname: "two.example.org"
    tls:
      certificateRefs:
      - kind: Secret
        name: two-tls
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system

HTTPRoute:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: one
spec:
  parentRefs:
  - name: reproducer
    sectionName: one
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: one
      port: 80

The HTTP route gets rejected as soon as the second listener is added. The Gateway API specification states the following about sectionName:

SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following:

Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values.

I read this as meaning that such a setup of multiple restrictions within a gateway should be explicitly supported. This makes sense, as otherwise bringing allowedRoutes into each listener is meaningless.

I would interpret this as an oversight during implementation, especially because CheckGatewayMatchingSection already checks against sectionName. I would suggest that CheckGatewayAllowedForNamespace should get the same check. I've changed a local copy of cilium with the required check to exclude listeners not matching the sectionName, and everything is working as expected.

If the current behaviour gets confirmed as not intended, I would like to submit a PR for this. The code is already done, but I want to confirm that this change is welcome.

Cilium Version

1.14.2

Kernel Version

Linux node 5.15.0-1037-raspi #40-Ubuntu SMP PREEMPT Fri Aug 25 16:42:00 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

Kubernetes Version

Client Version: v1.28.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.5+k3s1

Sysdump

No response

Relevant log output

HTTPRoute is not allowed to attach to this Gateway due to namespace selector restrictions

Anything else?

The current changes can be found here.

Code of Conduct

  • I agree to follow this project's Code of Conduct
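The scoping the report argues for, as an added example that is not part of the issue and not Cilium's or the gateway-api project's code: the types below are simplified stand-ins for Gateway, Listener, ParentRef and HTTPRoute, the gateway is assumed to live in the default namespace (the YAML in the report does not say), and UnscopedCheck is a reconstruction of the reported symptom rather than the actual Cilium logic. AllowedForNamespace consults only the listeners that the parentRef's sectionName selects, so the selector on listener "two" no longer vetoes a route that only references listener "one".

```go
package main

import "fmt"

// Simplified stand-ins for the Gateway API objects in the report (assumption:
// these are not Cilium's or sigs.k8s.io/gateway-api's types).
type FromNamespaces string

const (
	FromAll      FromNamespaces = "All"
	FromSame     FromNamespaces = "Same"
	FromSelector FromNamespaces = "Selector"
)

type Listener struct {
	Name     string
	From     FromNamespaces    // "" is treated as Same, the spec default
	Selector map[string]string // allowedRoutes.namespaces.selector.matchLabels
}

type Gateway struct {
	Name, Namespace string
	Listeners       []Listener
}

type ParentRef struct {
	Name        string
	SectionName string // empty means "attach to every listener"
}

type Route struct {
	Name, Namespace string
	ParentRefs      []ParentRef
}

// NamespaceLabels maps a namespace name to its labels. Kubernetes sets
// kubernetes.io/metadata.name on every namespace, which the report's selector keys on.
type NamespaceLabels map[string]map[string]string

// listenerAllows evaluates one listener's allowedRoutes.namespaces policy.
func listenerAllows(gw Gateway, l Listener, route Route, ns NamespaceLabels) bool {
	switch l.From {
	case FromAll:
		return true
	case FromSelector:
		labels := ns[route.Namespace]
		for k, v := range l.Selector {
			if labels[k] != v {
				return false
			}
		}
		return true
	default: // FromSame or unset
		return route.Namespace == gw.Namespace
	}
}

// AllowedForNamespace is the scoped check: only listeners selected by the
// parentRef's sectionName are consulted; the route is admitted if any allows it.
func AllowedForNamespace(gw Gateway, route Route, ns NamespaceLabels) bool {
	for _, ref := range route.ParentRefs {
		if ref.Name != gw.Name {
			continue
		}
		for _, l := range gw.Listeners {
			if ref.SectionName != "" && ref.SectionName != l.Name {
				continue // not the listener this parentRef targets
			}
			if listenerAllows(gw, l, route, ns) {
				return true
			}
		}
	}
	return false
}

// UnscopedCheck models the reported symptom for comparison: every listener is
// consulted regardless of sectionName, so one restrictive listener vetoes routes
// that never reference it. (Assumption: a reconstruction, not Cilium's code.)
func UnscopedCheck(gw Gateway, route Route, ns NamespaceLabels) bool {
	for _, l := range gw.Listeners {
		if !listenerAllows(gw, l, route, ns) {
			return false
		}
	}
	return true
}

// Constructed sample data mirroring the YAML in the report.
func SampleGateway() Gateway {
	return Gateway{Name: "reproducer", Namespace: "default", Listeners: []Listener{
		{Name: "one"},
		{Name: "two", From: FromSelector, Selector: map[string]string{"kubernetes.io/metadata.name": "kube-system"}},
	}}
}

func SampleNamespaces() NamespaceLabels {
	return NamespaceLabels{
		"default":     {"kubernetes.io/metadata.name": "default"},
		"kube-system": {"kubernetes.io/metadata.name": "kube-system"},
		"other":       {"kubernetes.io/metadata.name": "other"},
	}
}

func SampleRoute(name, namespace, section string) Route {
	return Route{Name: name, Namespace: namespace, ParentRefs: []ParentRef{{Name: "reproducer", SectionName: section}}}
}

func main() {
	gw, ns := SampleGateway(), SampleNamespaces()
	for _, r := range []Route{
		SampleRoute("one", "default", "one"),     // the route rejected in the report
		SampleRoute("two", "kube-system", "two"), // the cross-namespace route the selector exists for
		SampleRoute("two", "other", "two"),       // must still be rejected by the selector
	} {
		fmt.Printf("%s/%s -> %q: scoped=%t unscoped=%t\n", r.Namespace, r.Name,
			r.ParentRefs[0].SectionName, AllowedForNamespace(gw, r, ns), UnscopedCheck(gw, r, ns))
	}
}
```

Running it shows default/one accepted by the scoped check and rejected by the unscoped one, which is exactly the divergence in the report; the route from a third namespace is rejected by both, so scoping by sectionName does not loosen the selector on the listener that carries it.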

Metadata

Assignees

Labels

  • area/agent: Cilium agent related.
  • area/servicemesh: GH issues or PRs regarding servicemesh.
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • needs/triage: This issue requires triaging to establish severity and next steps.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests