diff --git a/apis/v1alpha2/gateway_types.go b/apis/v1alpha2/gateway_types.go index 6cb91ae534..8f224e8e90 100644 --- a/apis/v1alpha2/gateway_types.go +++ b/apis/v1alpha2/gateway_types.go @@ -812,6 +812,7 @@ const ( // * "DegradedRoutes" // * "InvalidCertificateRef" // * "InvalidRoutesRef" + // * "RefNotPermitted" // // Controllers may raise this condition with other reasons, // but should prefer to use the reasons listed above to improve @@ -839,6 +840,12 @@ const ( // not resolve any Routes, and the "ResolvedRefs" status condition // should not be raised in that case. ListenerReasonInvalidRoutesRef ListenerConditionReason = "InvalidRoutesRef" + + // This reason is used with the "ResolvedRefs" condition when + // one of the Listener's Routes has a BackendRef to an object in + // another namespace, where the object in the other namespace does + // not have a ReferencePolicy explicitly allowing the reference. + ListenerReasonRefNotPermitted ListenerConditionReason = "RefNotPermitted" ) const ( diff --git a/apis/v1alpha2/httproute_types.go b/apis/v1alpha2/httproute_types.go index b8ec846480..c533f16441 100644 --- a/apis/v1alpha2/httproute_types.go +++ b/apis/v1alpha2/httproute_types.go @@ -723,10 +723,20 @@ type HTTPRequestRedirect struct { type HTTPRequestMirrorFilter struct { // BackendRef references a resource where mirrored requests are sent. // - // If the referent cannot be found, the rule is not included in the route. - // The controller should raise the "ResolvedRefs" condition on the Gateway - // with the "DegradedRoutes" reason. The gateway status for this route should - // be updated with a condition that describes the error more specifically. + // If the referent cannot be found, this HTTPBackendRef is invalid + // and must be dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" condition on the Gateway is set to `status: true` + // with the "DegradedRoutes" reason, and not configure this backend in the + // underlying implemenation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferencePolicy, the controller must ensure the + // "ResolvedRefs" condition on the Gateway is set to `status: true`, + // with the "RefNotPermitted" reason and not configure this backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` Condition + // should be used to provide more detail about the problem. // // Support: Extended for Kubernetes Service // Support: Custom for any other resource @@ -737,13 +747,26 @@ type HTTPRequestMirrorFilter struct { // HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. type HTTPBackendRef struct { - // BackendRef defines how a Route should forward a request to a Kubernetes - // resource. + // BackendRef is a reference to a backend to forward matched requests to. + // + // If the referent cannot be found, this HTTPBackendRef is invalid + // and must be dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" condition on the Gateway is set to `status: true` + // with the "DegradedRoutes" reason, and not configure this backend in the + // underlying implemenation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not covered by a ReferencePolicy, the controller must ensure the + // "ResolvedRefs" condition on the Gateway is set to `status: true`, + // with the "RefNotPermitted" reason and not configure this backend in the + // underlying implementation. // - // If the referent cannot be found, the rule is not included in the route. - // The controller should raise the "ResolvedRefs" condition on the Gateway - // with the "DegradedRoutes" reason. The gateway status for this route should - // be updated with a condition that describes the error more specifically. + // In either error case, the Message of the `ResolvedRefs` Condition + // should be used to provide more detail about the problem. + // + // Support: Custom + // + // +optional BackendRef `json:",inline"` // Filters defined at this-level should be executed if and only if the diff --git a/apis/v1alpha2/local_object_reference_types.go b/apis/v1alpha2/local_object_reference_types.go deleted file mode 100644 index 078a82d6c1..0000000000 --- a/apis/v1alpha2/local_object_reference_types.go +++ /dev/null @@ -1,38 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha2 - -// LocalObjectReference identifies an API object within the namespace of the -// referrer. -type LocalObjectReference struct { - // Group is the group of the referent. - // - // +kubebuilder:validation:MaxLength=253 - Group string `json:"group"` - - // Kind is kind of the referent. - // - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=253 - Kind string `json:"kind"` - - // Name is the name of the referent. - // - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=253 - Name string `json:"name"` -} diff --git a/apis/v1alpha2/object_reference_types.go b/apis/v1alpha2/object_reference_types.go new file mode 100644 index 0000000000..9ef8b9b122 --- /dev/null +++ b/apis/v1alpha2/object_reference_types.go @@ -0,0 +1,133 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha2 + +// LocalObjectReference identifies an API object within the namespace of the +// referrer. +type LocalObjectReference struct { + // Group is the group of the referent. + // + // +kubebuilder:validation:MaxLength=253 + Group string `json:"group"` + + // Kind is kind of the referent. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Kind string `json:"kind"` + + // Name is the name of the referent. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Name string `json:"name"` +} + +// ObjectReference identifies an API object including its namespace. +type ObjectReference struct { + // Group is the group of the referent. + // When unspecified (empty string), core API group is inferred. + // + // +optional + // +kubebuilder:default="" + // +kubebuilder:validation:MaxLength=253 + Group *string `json:"group"` + + // Kind is kind of the referent. + // + // +optional + // +kubebuilder:default=Service + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Kind *string `json:"kind"` + + // Name is the name of the referent. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Name string `json:"name"` + + // Namespace is the namespace of the backend. When unspecified, the local + // namespace is inferred. + // + // Note that when a namespace is specified, a ReferencePolicy object + // is required in the referent namespace to allow that namespace's + // owner to accept the reference. See the ReferencePolicy documentation + // for details. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +optional + Namespace *string `json:"namespace,omitempty"` +} + +// BackendObjectReference defines how an ObjectReference that is +// specific to BackendRef. It includes a few additional fields and features +// than a regular ObjectReference. +// +// Note that when a namespace is specified, a ReferencePolicy object +// is required in the referent namespace to allow that namespace's +// owner to accept the reference. See the ReferencePolicy documentation +// for details. +type BackendObjectReference struct { + // Group is the group of the referent. + // When unspecified (empty string), core API group is inferred. + // + // +optional + // +kubebuilder:default="" + // +kubebuilder:validation:MaxLength=253 + Group *string `json:"group,omitempty"` + + // Kind is kind of the referent. + // + // +optional + // +kubebuilder:default=Service + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Kind *string `json:"kind,omitempty"` + + // Name is the name of the referent. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Name string `json:"name"` + + // Namespace is the namespace of the backend. When unspecified, the local + // namespace is inferred. + // + // Note that when a namespace is specified, a ReferencePolicy object + // is required in the referent namespace to allow that namespace's + // owner to accept the reference. See the ReferencePolicy documentation + // for details. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +optional + Namespace *string `json:"namespace,omitempty"` + + // Port specifies the destination port number to use for this resource. + // Port is required when the referent is a Kubernetes Service. + // For other resources, destination port can be derived from the referent + // resource or this field. + // + // +optional + Port *PortNumber `json:"port,omitempty"` +} diff --git a/apis/v1alpha2/referencepolicy_types.go b/apis/v1alpha2/referencepolicy_types.go new file mode 100644 index 0000000000..4d93c0cdd8 --- /dev/null +++ b/apis/v1alpha2/referencepolicy_types.go @@ -0,0 +1,138 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha2 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +kubebuilder:object:root=true +// +kubebuilder:resource:categories=gateway-api,shortName=refpol +// +kubebuilder:storageversion +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` + +// ReferencePolicy identifies kinds of resources in other namespaces that are +// trusted to reference the specified kinds of resources in the same namespace +// as the policy. +// +// Each ReferencePolicy can be used to represent a unique trust relationship. +// Additional Reference Policies can be used to add to the set of trusted +// sources of inbound references for the namespace they are defined within. +// +// All cross-namespace references in Gateway API (with the exception of cross-namespace +// Gateway-route attachment) require a ReferencePolicy. +// +// Support: Core +// +type ReferencePolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec defines the desired state of ReferencePolicy. + Spec ReferencePolicySpec `json:"spec,omitempty"` + + // Note that `Status` sub-resource has been excluded at the + // moment as it was difficult to work out the design. + // `Status` sub-resource may be added in future. +} + +// +kubebuilder:object:root=true +// ReferencePolicyList contains a list of ReferencePolicy. +type ReferencePolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ReferencePolicy `json:"items"` +} + +// ReferencePolicySpec identifies a cross namespace relationship that is trusted +// for Gateway API. +type ReferencePolicySpec struct { + // From describes the trusted namespaces and kinds that can reference the + // resources described in "To". Each entry in this list must be considered + // to be an additional place that references can be valid from, or to put + // this another way, entries must be combined using OR. + // + // Support: Core + // + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + From []ReferencePolicyFrom `json:"from"` + + // To describes the resources that may be referenced by the resources + // described in "From". Each entry in this list must be considered to be an + // additional place that references can be valid to, or to put this another + // way, entries must be combined using OR. + // + // Support: Core + // + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + To []ReferencePolicyTo `json:"to"` +} + +// ReferencePolicyFrom describes trusted namespaces and kinds. +type ReferencePolicyFrom struct { + // Group is the group of the referent. + // When empty, the "core" API group is inferred. + // + // Support: Core + // + // +kubebuilder:validation:MaxLength=253 + Group string `json:"group"` + + // Kind is the kind of the referent. Although implementations may support + // additional resources, the following Route types are part of the "Core" + // support level for this field: + // + // * HTTPRoute + // * TCPRoute + // * TLSRoute + // * UDPRoute + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Kind string `json:"kind"` + + // Namespace is the namespace of the referent. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Namespace string `json:"namespace,omitempty"` +} + +// ReferencePolicyTo describes what Kinds are allowed as targets of the +// references. +type ReferencePolicyTo struct { + // Group is the group of the referent. + // When empty, the "core" API group is inferred. + // + // Support: Core + // + // +kubebuilder:validation:MaxLength=253 + Group string `json:"group"` + + // Kind is the kind of the referent. Although implementations may support + // additional resources, the following types are part of the "Core" + // support level for this field: + // + // * Service + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Kind string `json:"kind"` +} diff --git a/apis/v1alpha2/shared_types.go b/apis/v1alpha2/shared_types.go index bdbc7abc1c..610298bc97 100644 --- a/apis/v1alpha2/shared_types.go +++ b/apis/v1alpha2/shared_types.go @@ -77,43 +77,13 @@ type GatewayReference struct { Namespace string `json:"namespace"` } -// BackendObjectReference defines how an ObjectReference that is -// specific to BackendRef. It includes a few additional fields and features -// than a regular ObjectReference. -type BackendObjectReference struct { - // Group is the group of the referent. - // When unspecified (empty string), core API group is inferred. - // - // +optional - // +kubebuilder:default="" - // +kubebuilder:validation:MaxLength=253 - Group *string `json:"group"` - - // Kind is kind of the referent. - // - // +optional - // +kubebuilder:default=Service - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=253 - Kind *string `json:"kind"` - - // Name is the name of the referent. - // - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=253 - Name string `json:"name"` - - // Port specifies the destination port number to use for this resource. - // Port is required when the referent is a Kubernetes Service. - // For other resources, destination port can be derived from the referent - // resource or this field. - // - // +optional - Port *PortNumber `json:"port,omitempty"` -} - // BackendRef defines how a Route should forward a request to a Kubernetes // resource. +// +// Note that when a namespace is specified, a ReferencePolicy object +// is required in the referent namespace to allow that namespace's +// owner to accept the reference. See the ReferencePolicy documentation +// for details. type BackendRef struct { // BackendObjectReference references a Kubernetes object. BackendObjectReference `json:",inline"` diff --git a/apis/v1alpha2/zz_generated.deepcopy.go b/apis/v1alpha2/zz_generated.deepcopy.go index e097759f38..ce785297e1 100644 --- a/apis/v1alpha2/zz_generated.deepcopy.go +++ b/apis/v1alpha2/zz_generated.deepcopy.go @@ -38,6 +38,11 @@ func (in *BackendObjectReference) DeepCopyInto(out *BackendObjectReference) { *out = new(string) **out = **in } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } if in.Port != nil { in, out := &in.Port, &out.Port *out = new(PortNumber) @@ -861,6 +866,36 @@ func (in *LocalObjectReference) DeepCopy() *LocalObjectReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ObjectReference) DeepCopyInto(out *ObjectReference) { + *out = *in + if in.Group != nil { + in, out := &in.Group, &out.Group + *out = new(string) + **out = **in + } + if in.Kind != nil { + in, out := &in.Kind, &out.Kind + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReference. +func (in *ObjectReference) DeepCopy() *ObjectReference { + if in == nil { + return nil + } + out := new(ObjectReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ParametersReference) DeepCopyInto(out *ParametersReference) { *out = *in @@ -886,6 +921,119 @@ func (in *ParametersReference) DeepCopy() *ParametersReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferencePolicy) DeepCopyInto(out *ReferencePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicy. +func (in *ReferencePolicy) DeepCopy() *ReferencePolicy { + if in == nil { + return nil + } + out := new(ReferencePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ReferencePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferencePolicyFrom) DeepCopyInto(out *ReferencePolicyFrom) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicyFrom. +func (in *ReferencePolicyFrom) DeepCopy() *ReferencePolicyFrom { + if in == nil { + return nil + } + out := new(ReferencePolicyFrom) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferencePolicyList) DeepCopyInto(out *ReferencePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ReferencePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicyList. +func (in *ReferencePolicyList) DeepCopy() *ReferencePolicyList { + if in == nil { + return nil + } + out := new(ReferencePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ReferencePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferencePolicySpec) DeepCopyInto(out *ReferencePolicySpec) { + *out = *in + if in.From != nil { + in, out := &in.From, &out.From + *out = make([]ReferencePolicyFrom, len(*in)) + copy(*out, *in) + } + if in.To != nil { + in, out := &in.To, &out.To + *out = make([]ReferencePolicyTo, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicySpec. +func (in *ReferencePolicySpec) DeepCopy() *ReferencePolicySpec { + if in == nil { + return nil + } + out := new(ReferencePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReferencePolicyTo) DeepCopyInto(out *ReferencePolicyTo) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicyTo. +func (in *ReferencePolicyTo) DeepCopy() *ReferencePolicyTo { + if in == nil { + return nil + } + out := new(ReferencePolicyTo) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RouteBindingSelector) DeepCopyInto(out *RouteBindingSelector) { *out = *in diff --git a/apis/v1alpha2/zz_generated.register.go b/apis/v1alpha2/zz_generated.register.go index 0cd582861d..94dc2ff41b 100644 --- a/apis/v1alpha2/zz_generated.register.go +++ b/apis/v1alpha2/zz_generated.register.go @@ -64,6 +64,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &GatewayList{}, &HTTPRoute{}, &HTTPRouteList{}, + &ReferencePolicy{}, + &ReferencePolicyList{}, &TCPRoute{}, &TCPRouteList{}, &TLSRoute{}, diff --git a/config/crd/bases/gateway.networking.k8s.io_httproutes.yaml b/config/crd/bases/gateway.networking.k8s.io_httproutes.yaml index 05a4882730..73415a4c3d 100644 --- a/config/crd/bases/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/bases/gateway.networking.k8s.io_httproutes.yaml @@ -318,15 +318,24 @@ spec: backendRef: description: "BackendRef references a resource where mirrored requests are sent. \n If the - referent cannot be found, the rule is not - included in the route. The controller should - raise the \"ResolvedRefs\" condition on the - Gateway with the \"DegradedRoutes\" reason. - The gateway status for this route should be - updated with a condition that describes the - error more specifically. \n Support: Extended - for Kubernetes Service Support: Custom for - any other resource" + referent cannot be found, this HTTPBackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Gateway is set to `status: + true` with the \"DegradedRoutes\" reason, + and not configure this backend in the underlying + implemenation. \n If there is a cross-namespace + reference to an *existing* object that is + not allowed by a ReferencePolicy, the controller + must ensure the \"ResolvedRefs\" condition + on the Gateway is set to `status: true`, with + the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. + \n In either error case, the Message of the + `ResolvedRefs` Condition should be used to + provide more detail about the problem. \n + Support: Extended for Kubernetes Service Support: + Custom for any other resource" properties: group: default: "" @@ -346,6 +355,19 @@ spec: maxLength: 253 minLength: 1 type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace is specified, a ReferencePolicy + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferencePolicy + documentation for details. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string port: description: Port specifies the destination port number to use for this resource. @@ -442,6 +464,17 @@ spec: maxLength: 253 minLength: 1 type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferencePolicy + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferencePolicy documentation for details. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string port: description: Port specifies the destination port number to use for this resource. Port is required when the @@ -624,13 +657,22 @@ spec: backendRef: description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot - be found, the rule is not included in the route. - The controller should raise the \"ResolvedRefs\" - condition on the Gateway with the \"DegradedRoutes\" - reason. The gateway status for this route should - be updated with a condition that describes the error - more specifically. \n Support: Extended for Kubernetes - Service Support: Custom for any other resource" + be found, this HTTPBackendRef is invalid and must + be dropped from the Gateway. The controller must + ensure the \"ResolvedRefs\" condition on the Gateway + is set to `status: true` with the \"DegradedRoutes\" + reason, and not configure this backend in the underlying + implemenation. \n If there is a cross-namespace + reference to an *existing* object that is not allowed + by a ReferencePolicy, the controller must ensure + the \"ResolvedRefs\" condition on the Gateway is + set to `status: true`, with the \"RefNotPermitted\" + reason and not configure this backend in the underlying + implementation. \n In either error case, the Message + of the `ResolvedRefs` Condition should be used to + provide more detail about the problem. \n Support: + Extended for Kubernetes Service Support: Custom + for any other resource" properties: group: default: "" @@ -650,6 +692,17 @@ spec: maxLength: 253 minLength: 1 type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace is + specified, a ReferencePolicy object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferencePolicy + documentation for details. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string port: description: Port specifies the destination port number to use for this resource. Port is required diff --git a/config/crd/bases/gateway.networking.k8s.io_referencepolicies.yaml b/config/crd/bases/gateway.networking.k8s.io_referencepolicies.yaml new file mode 100644 index 0000000000..d873c3cd94 --- /dev/null +++ b/config/crd/bases/gateway.networking.k8s.io_referencepolicies.yaml @@ -0,0 +1,132 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: unapproved + creationTimestamp: null + name: referencepolicies.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferencePolicy + listKind: ReferencePolicyList + plural: referencepolicies + shortNames: + - refpol + singular: referencepolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferencePolicy identifies kinds of resources in other namespaces + that are trusted to reference the specified kinds of resources in the same + namespace as the policy. \n Each ReferencePolicy can be used to represent + a unique trust relationship. Additional Reference Policies can be used to + add to the set of trusted sources of inbound references for the namespace + they are defined within. \n All cross-namespace references in Gateway API + (with the exception of cross-namespace Gateway-route attachment) require + a ReferencePolicy. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferencePolicy. + properties: + from: + description: "From describes the trusted namespaces and kinds that + can reference the resources described in \"To\". Each entry in this + list must be considered to be an additional place that references + can be valid from, or to put this another way, entries must be combined + using OR. \n Support: Core" + items: + description: ReferencePolicyFrom describes trusted namespaces and + kinds. + properties: + group: + description: "Group is the group of the referent. When empty, + the \"core\" API group is inferred. \n Support: Core" + maxLength: 253 + type: string + kind: + description: "Kind is the kind of the referent. Although implementations + may support additional resources, the following Route types + are part of the \"Core\" support level for this field: \n + * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. \n + Support: Core" + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by + the resources described in \"From\". Each entry in this list must + be considered to be an additional place that references can be valid + to, or to put this another way, entries must be combined using OR. + \n Support: Core" + items: + description: ReferencePolicyTo describes what Kinds are allowed + as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, + the \"core\" API group is inferred. \n Support: Core" + maxLength: 253 + type: string + kind: + description: "Kind is the kind of the referent. Although implementations + may support additional resources, the following types are + part of the \"Core\" support level for this field: \n * Service" + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/bases/gateway.networking.k8s.io_tcproutes.yaml index 97002843a1..d4e48ce808 100644 --- a/config/crd/bases/gateway.networking.k8s.io_tcproutes.yaml +++ b/config/crd/bases/gateway.networking.k8s.io_tcproutes.yaml @@ -95,8 +95,12 @@ spec: Support: Custom for any other resource \n Support for weight: Extended" items: - description: BackendRef defines how a Route should forward - a request to a Kubernetes resource. + description: "BackendRef defines how a Route should forward + a request to a Kubernetes resource. \n Note that when a + namespace is specified, a ReferencePolicy object is required + in the referent namespace to allow that namespace's owner + to accept the reference. See the ReferencePolicy documentation + for details." properties: group: default: "" @@ -115,6 +119,17 @@ spec: maxLength: 253 minLength: 1 type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferencePolicy + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferencePolicy documentation for details. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string port: description: Port specifies the destination port number to use for this resource. Port is required when the diff --git a/config/crd/bases/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/bases/gateway.networking.k8s.io_tlsroutes.yaml index 0f90b2c914..7bf06164b2 100644 --- a/config/crd/bases/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/bases/gateway.networking.k8s.io_tlsroutes.yaml @@ -135,8 +135,12 @@ spec: Support: Custom for any other resource \n Support for weight: Extended" items: - description: BackendRef defines how a Route should forward - a request to a Kubernetes resource. + description: "BackendRef defines how a Route should forward + a request to a Kubernetes resource. \n Note that when a + namespace is specified, a ReferencePolicy object is required + in the referent namespace to allow that namespace's owner + to accept the reference. See the ReferencePolicy documentation + for details." properties: group: default: "" @@ -155,6 +159,17 @@ spec: maxLength: 253 minLength: 1 type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferencePolicy + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferencePolicy documentation for details. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string port: description: Port specifies the destination port number to use for this resource. Port is required when the diff --git a/config/crd/bases/gateway.networking.k8s.io_udproutes.yaml b/config/crd/bases/gateway.networking.k8s.io_udproutes.yaml index 9284ee6de5..f20a1b161f 100644 --- a/config/crd/bases/gateway.networking.k8s.io_udproutes.yaml +++ b/config/crd/bases/gateway.networking.k8s.io_udproutes.yaml @@ -96,8 +96,12 @@ spec: Support: Custom for any other resource \n Support for weight: Extended" items: - description: BackendRef defines how a Route should forward - a request to a Kubernetes resource. + description: "BackendRef defines how a Route should forward + a request to a Kubernetes resource. \n Note that when a + namespace is specified, a ReferencePolicy object is required + in the referent namespace to allow that namespace's owner + to accept the reference. See the ReferencePolicy documentation + for details." properties: group: default: "" @@ -116,6 +120,17 @@ spec: maxLength: 253 minLength: 1 type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferencePolicy + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferencePolicy documentation for details. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string port: description: Port specifies the destination port number to use for this resource. Port is required when the diff --git a/mkdocs.yml b/mkdocs.yml index 37f4d00b0a..e26c0ff90f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -12,6 +12,8 @@ plugins: - awesome-pages - macros: include_dir: examples +markdown_extensions: + - admonition nav: - Introduction: index.md - Concepts: diff --git a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/apis_client.go b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/apis_client.go index d124f85192..e036c11ee4 100644 --- a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/apis_client.go +++ b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/apis_client.go @@ -29,6 +29,7 @@ type GatewayV1alpha2Interface interface { GatewaysGetter GatewayClassesGetter HTTPRoutesGetter + ReferencePoliciesGetter TCPRoutesGetter TLSRoutesGetter UDPRoutesGetter @@ -51,6 +52,10 @@ func (c *GatewayV1alpha2Client) HTTPRoutes(namespace string) HTTPRouteInterface return newHTTPRoutes(c, namespace) } +func (c *GatewayV1alpha2Client) ReferencePolicies(namespace string) ReferencePolicyInterface { + return newReferencePolicies(c, namespace) +} + func (c *GatewayV1alpha2Client) TCPRoutes(namespace string) TCPRouteInterface { return newTCPRoutes(c, namespace) } diff --git a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go index c308ec56eb..4b07afaf0e 100644 --- a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go +++ b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go @@ -40,6 +40,10 @@ func (c *FakeGatewayV1alpha2) HTTPRoutes(namespace string) v1alpha2.HTTPRouteInt return &FakeHTTPRoutes{c, namespace} } +func (c *FakeGatewayV1alpha2) ReferencePolicies(namespace string) v1alpha2.ReferencePolicyInterface { + return &FakeReferencePolicies{c, namespace} +} + func (c *FakeGatewayV1alpha2) TCPRoutes(namespace string) v1alpha2.TCPRouteInterface { return &FakeTCPRoutes{c, namespace} } diff --git a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/fake/fake_referencepolicy.go b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/fake/fake_referencepolicy.go new file mode 100644 index 0000000000..414a985f2c --- /dev/null +++ b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/fake/fake_referencepolicy.go @@ -0,0 +1,130 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" + v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + +// FakeReferencePolicies implements ReferencePolicyInterface +type FakeReferencePolicies struct { + Fake *FakeGatewayV1alpha2 + ns string +} + +var referencepoliciesResource = schema.GroupVersionResource{Group: "gateway.networking.k8s.io", Version: "v1alpha2", Resource: "referencepolicies"} + +var referencepoliciesKind = schema.GroupVersionKind{Group: "gateway.networking.k8s.io", Version: "v1alpha2", Kind: "ReferencePolicy"} + +// Get takes name of the referencePolicy, and returns the corresponding referencePolicy object, and an error if there is any. +func (c *FakeReferencePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ReferencePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(referencepoliciesResource, c.ns, name), &v1alpha2.ReferencePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ReferencePolicy), err +} + +// List takes label and field selectors, and returns the list of ReferencePolicies that match those selectors. +func (c *FakeReferencePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ReferencePolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(referencepoliciesResource, referencepoliciesKind, c.ns, opts), &v1alpha2.ReferencePolicyList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha2.ReferencePolicyList{ListMeta: obj.(*v1alpha2.ReferencePolicyList).ListMeta} + for _, item := range obj.(*v1alpha2.ReferencePolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested referencePolicies. +func (c *FakeReferencePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(referencepoliciesResource, c.ns, opts)) + +} + +// Create takes the representation of a referencePolicy and creates it. Returns the server's representation of the referencePolicy, and an error, if there is any. +func (c *FakeReferencePolicies) Create(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.CreateOptions) (result *v1alpha2.ReferencePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(referencepoliciesResource, c.ns, referencePolicy), &v1alpha2.ReferencePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ReferencePolicy), err +} + +// Update takes the representation of a referencePolicy and updates it. Returns the server's representation of the referencePolicy, and an error, if there is any. +func (c *FakeReferencePolicies) Update(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.UpdateOptions) (result *v1alpha2.ReferencePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(referencepoliciesResource, c.ns, referencePolicy), &v1alpha2.ReferencePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ReferencePolicy), err +} + +// Delete takes name of the referencePolicy and deletes it. Returns an error if one occurs. +func (c *FakeReferencePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(referencepoliciesResource, c.ns, name), &v1alpha2.ReferencePolicy{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeReferencePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(referencepoliciesResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha2.ReferencePolicyList{}) + return err +} + +// Patch applies the patch and returns the patched referencePolicy. +func (c *FakeReferencePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferencePolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(referencepoliciesResource, c.ns, name, pt, data, subresources...), &v1alpha2.ReferencePolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha2.ReferencePolicy), err +} diff --git a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/generated_expansion.go b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/generated_expansion.go index 1952cc3bc6..bf9c1d9718 100644 --- a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/generated_expansion.go +++ b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/generated_expansion.go @@ -24,6 +24,8 @@ type GatewayClassExpansion interface{} type HTTPRouteExpansion interface{} +type ReferencePolicyExpansion interface{} + type TCPRouteExpansion interface{} type TLSRouteExpansion interface{} diff --git a/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/referencepolicy.go b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/referencepolicy.go new file mode 100644 index 0000000000..5f29f3a641 --- /dev/null +++ b/pkg/client/clientset/gateway/versioned/typed/apis/v1alpha2/referencepolicy.go @@ -0,0 +1,178 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "context" + "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" + v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + scheme "sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned/scheme" +) + +// ReferencePoliciesGetter has a method to return a ReferencePolicyInterface. +// A group's client should implement this interface. +type ReferencePoliciesGetter interface { + ReferencePolicies(namespace string) ReferencePolicyInterface +} + +// ReferencePolicyInterface has methods to work with ReferencePolicy resources. +type ReferencePolicyInterface interface { + Create(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.CreateOptions) (*v1alpha2.ReferencePolicy, error) + Update(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.UpdateOptions) (*v1alpha2.ReferencePolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha2.ReferencePolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha2.ReferencePolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferencePolicy, err error) + ReferencePolicyExpansion +} + +// referencePolicies implements ReferencePolicyInterface +type referencePolicies struct { + client rest.Interface + ns string +} + +// newReferencePolicies returns a ReferencePolicies +func newReferencePolicies(c *GatewayV1alpha2Client, namespace string) *referencePolicies { + return &referencePolicies{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the referencePolicy, and returns the corresponding referencePolicy object, and an error if there is any. +func (c *referencePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ReferencePolicy, err error) { + result = &v1alpha2.ReferencePolicy{} + err = c.client.Get(). + Namespace(c.ns). + Resource("referencepolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ReferencePolicies that match those selectors. +func (c *referencePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ReferencePolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha2.ReferencePolicyList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("referencepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested referencePolicies. +func (c *referencePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("referencepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a referencePolicy and creates it. Returns the server's representation of the referencePolicy, and an error, if there is any. +func (c *referencePolicies) Create(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.CreateOptions) (result *v1alpha2.ReferencePolicy, err error) { + result = &v1alpha2.ReferencePolicy{} + err = c.client.Post(). + Namespace(c.ns). + Resource("referencepolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(referencePolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a referencePolicy and updates it. Returns the server's representation of the referencePolicy, and an error, if there is any. +func (c *referencePolicies) Update(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.UpdateOptions) (result *v1alpha2.ReferencePolicy, err error) { + result = &v1alpha2.ReferencePolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("referencepolicies"). + Name(referencePolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(referencePolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the referencePolicy and deletes it. Returns an error if one occurs. +func (c *referencePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("referencepolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *referencePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("referencepolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched referencePolicy. +func (c *referencePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferencePolicy, err error) { + result = &v1alpha2.ReferencePolicy{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("referencepolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/informers/gateway/externalversions/apis/v1alpha2/interface.go b/pkg/client/informers/gateway/externalversions/apis/v1alpha2/interface.go index c43fec8654..6d75f2128c 100644 --- a/pkg/client/informers/gateway/externalversions/apis/v1alpha2/interface.go +++ b/pkg/client/informers/gateway/externalversions/apis/v1alpha2/interface.go @@ -30,6 +30,8 @@ type Interface interface { GatewayClasses() GatewayClassInformer // HTTPRoutes returns a HTTPRouteInformer. HTTPRoutes() HTTPRouteInformer + // ReferencePolicies returns a ReferencePolicyInformer. + ReferencePolicies() ReferencePolicyInformer // TCPRoutes returns a TCPRouteInformer. TCPRoutes() TCPRouteInformer // TLSRoutes returns a TLSRouteInformer. @@ -64,6 +66,11 @@ func (v *version) HTTPRoutes() HTTPRouteInformer { return &hTTPRouteInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// ReferencePolicies returns a ReferencePolicyInformer. +func (v *version) ReferencePolicies() ReferencePolicyInformer { + return &referencePolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // TCPRoutes returns a TCPRouteInformer. func (v *version) TCPRoutes() TCPRouteInformer { return &tCPRouteInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/pkg/client/informers/gateway/externalversions/apis/v1alpha2/referencepolicy.go b/pkg/client/informers/gateway/externalversions/apis/v1alpha2/referencepolicy.go new file mode 100644 index 0000000000..070b7c55d6 --- /dev/null +++ b/pkg/client/informers/gateway/externalversions/apis/v1alpha2/referencepolicy.go @@ -0,0 +1,90 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "context" + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" + apisv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + versioned "sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned" + internalinterfaces "sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions/internalinterfaces" + v1alpha2 "sigs.k8s.io/gateway-api/pkg/client/listers/gateway/apis/v1alpha2" +) + +// ReferencePolicyInformer provides access to a shared informer and lister for +// ReferencePolicies. +type ReferencePolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha2.ReferencePolicyLister +} + +type referencePolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewReferencePolicyInformer constructs a new informer for ReferencePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewReferencePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredReferencePolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredReferencePolicyInformer constructs a new informer for ReferencePolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredReferencePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.GatewayV1alpha2().ReferencePolicies(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.GatewayV1alpha2().ReferencePolicies(namespace).Watch(context.TODO(), options) + }, + }, + &apisv1alpha2.ReferencePolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *referencePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredReferencePolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *referencePolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apisv1alpha2.ReferencePolicy{}, f.defaultInformer) +} + +func (f *referencePolicyInformer) Lister() v1alpha2.ReferencePolicyLister { + return v1alpha2.NewReferencePolicyLister(f.Informer().GetIndexer()) +} diff --git a/pkg/client/informers/gateway/externalversions/generic.go b/pkg/client/informers/gateway/externalversions/generic.go index 0925ef97eb..9caba89b7a 100644 --- a/pkg/client/informers/gateway/externalversions/generic.go +++ b/pkg/client/informers/gateway/externalversions/generic.go @@ -59,6 +59,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().GatewayClasses().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("httproutes"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().HTTPRoutes().Informer()}, nil + case v1alpha2.SchemeGroupVersion.WithResource("referencepolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().ReferencePolicies().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("tcproutes"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().TCPRoutes().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("tlsroutes"): diff --git a/pkg/client/listers/gateway/apis/v1alpha2/expansion_generated.go b/pkg/client/listers/gateway/apis/v1alpha2/expansion_generated.go index 4c9bab0f5b..1e8f44a0af 100644 --- a/pkg/client/listers/gateway/apis/v1alpha2/expansion_generated.go +++ b/pkg/client/listers/gateway/apis/v1alpha2/expansion_generated.go @@ -38,6 +38,14 @@ type HTTPRouteListerExpansion interface{} // HTTPRouteNamespaceLister. type HTTPRouteNamespaceListerExpansion interface{} +// ReferencePolicyListerExpansion allows custom methods to be added to +// ReferencePolicyLister. +type ReferencePolicyListerExpansion interface{} + +// ReferencePolicyNamespaceListerExpansion allows custom methods to be added to +// ReferencePolicyNamespaceLister. +type ReferencePolicyNamespaceListerExpansion interface{} + // TCPRouteListerExpansion allows custom methods to be added to // TCPRouteLister. type TCPRouteListerExpansion interface{} diff --git a/pkg/client/listers/gateway/apis/v1alpha2/referencepolicy.go b/pkg/client/listers/gateway/apis/v1alpha2/referencepolicy.go new file mode 100644 index 0000000000..5a1f994b9d --- /dev/null +++ b/pkg/client/listers/gateway/apis/v1alpha2/referencepolicy.go @@ -0,0 +1,99 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" + v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + +// ReferencePolicyLister helps list ReferencePolicies. +// All objects returned here must be treated as read-only. +type ReferencePolicyLister interface { + // List lists all ReferencePolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) + // ReferencePolicies returns an object that can list and get ReferencePolicies. + ReferencePolicies(namespace string) ReferencePolicyNamespaceLister + ReferencePolicyListerExpansion +} + +// referencePolicyLister implements the ReferencePolicyLister interface. +type referencePolicyLister struct { + indexer cache.Indexer +} + +// NewReferencePolicyLister returns a new ReferencePolicyLister. +func NewReferencePolicyLister(indexer cache.Indexer) ReferencePolicyLister { + return &referencePolicyLister{indexer: indexer} +} + +// List lists all ReferencePolicies in the indexer. +func (s *referencePolicyLister) List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha2.ReferencePolicy)) + }) + return ret, err +} + +// ReferencePolicies returns an object that can list and get ReferencePolicies. +func (s *referencePolicyLister) ReferencePolicies(namespace string) ReferencePolicyNamespaceLister { + return referencePolicyNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// ReferencePolicyNamespaceLister helps list and get ReferencePolicies. +// All objects returned here must be treated as read-only. +type ReferencePolicyNamespaceLister interface { + // List lists all ReferencePolicies in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) + // Get retrieves the ReferencePolicy from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha2.ReferencePolicy, error) + ReferencePolicyNamespaceListerExpansion +} + +// referencePolicyNamespaceLister implements the ReferencePolicyNamespaceLister +// interface. +type referencePolicyNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all ReferencePolicies in the indexer for a given namespace. +func (s referencePolicyNamespaceLister) List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha2.ReferencePolicy)) + }) + return ret, err +} + +// Get retrieves the ReferencePolicy from the indexer for a given namespace and name. +func (s referencePolicyNamespaceLister) Get(name string) (*v1alpha2.ReferencePolicy, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha2.Resource("referencepolicy"), name) + } + return obj.(*v1alpha2.ReferencePolicy), nil +} diff --git a/site-src/geps/gep-709.md b/site-src/geps/gep-709.md index 86d8892e68..10f1094749 100644 --- a/site-src/geps/gep-709.md +++ b/site-src/geps/gep-709.md @@ -1,7 +1,7 @@ # GEP-709: Cross Namespace References from Routes * Issue: [#709](https://github.com/kubernetes-sigs/gateway-api/issues/709) -* Status: Implementable +* Status: Implemented ## TLDR diff --git a/site-src/v1alpha2/references/cross-namespace-references.md b/site-src/v1alpha2/references/cross-namespace-references.md new file mode 100644 index 0000000000..7fd3246efa --- /dev/null +++ b/site-src/v1alpha2/references/cross-namespace-references.md @@ -0,0 +1,127 @@ +# Cross namespace references and ReferencePolicy + +## Introduction +In the Gateway API, it is possible to have references between objects cross +namespace boundaries. In particular, Services may be referred to by Routes +in a another namespace, or possibly Secrets may be referred to by Gateways or +Routes in another namespace. + +In the past, we've seen that forwarding traffic across namespace boundaries is a +desired feature, but a safeguard like ReferencePolicy, +[vulnerabilities](https://github.com/kubernetes/kubernetes/issues/103675) can emerge. + +!!! note + When discussing the process of creating cross-namespace object references, this + document and the documentation on the API itself talk about the object being + referred to using the name "the referent object", using the + [meaning](https://dictionary.cambridge.org/dictionary/english/referent) + of "referent" to be "the person, thing, or idea that a word, phrase, or object + refers to". + +In order to bring cross-namespace references under the control +of the owner of the referent object's namespace, the Gateway API has a +ReferencePolicy object that must be created in the referent namespace for the +reference to be successful. + +To put this another way, if an object is referred to from outside its namespace, +the object's owner must create a ReferencePolicy object that describes how that +reference is allowed. This page explains how this process works. + +## ReferencePolicy + +To ensure that Gateway API is able to safely provide this functionality, +we need to enforce a handshake mechanism that requires resources in both +namespaces to agree to this reference. To accomplish that, a ReferencePolicy +resource has been introduced. + +![Reference Policy](images/referencepolicy.png) + +With this model, Routes are able to directly reference Services in other namespaces. +These references are only considered valid if a ReferencePolicy in the target +namespace explicitly allows it. + +The following example shows how a HTTPRoute in namespace `foo` can reference a +Service in namespace `bar`. In this example a ReferencePolicy in the `bar` namespace +explicitly allows references to Services from HTTPRoutes in the `foo` namespace. + +```yaml +kind: HTTPRoute +metadata: + name: foo + namespace: foo +spec: + rules: + - matches: + - path: /bar + forwardTo: + backend: + - name: bar + namespace: bar +--- +kind: ReferencePolicy +metadata: + name: bar + namespace: bar +spec: + from: + - group: networking.gateway.k8s.io + kind: HTTPRoute + namespace: foo + to: + - group: "" + kind: Service +``` + +### API design decisions +While the API is simplistic in nature, it comes with a few notable decisions: + +1. Each ReferencePolicy only supports a single From and To section. + Additional trust relationships must be modeled with additional ReferencePolicy + resources. +1. Resource names are intentionally excluded from this policy for simplicity + and because they rarely provide any meaningful protection. A user that is + able to write to resources of a certain kind within a namespace can always + rename resources or change the structure of the resources to match a given + policy. +1. A single Namespace is allowed per "From" struct. + Although a selector would be more powerful, it encourages unnecessarily + insecure configuration. + +Please see the [API Specification](https://gateway-api.sigs.k8s.io/references/spec/) +for the details of the object's behavior. + +### Exceptions +There are some situations where it MAY be acceptable to ignore ReferencePolicy +in favor of some other security mechanism. This MAY only be done if other +mechanisms like NetworkPolicy can effectively limit cross-namespace references +by the implementation. + +An implementation choosing to make this exception MUST clearly document that +ReferencePolicy is not honored by their implementations and detail which +alternative safeguards are available. Note that this is unlikely to apply to +ingress implementations of the API and will not apply to all mesh +implementations. + +For an example of the risks involved in cross-namespace references, refer to +[CVE-2021-25740](https://github.com/kubernetes/kubernetes/issues/103675). +Implementations of this API need to be very careful to avoid confused deputy +attacks. ReferencePolicy provides a safeguard for that. Exceptions MUST only +be made by implementations that are absolutely certain that other equally +effective safeguards are in place. + +### Conformance Level + +ReferencePolicy support is a "CORE" conformance level requirement for +cross-namespace references that originate from the following objects: +- HTTPRoute +- TLSRoute +- TCPRoute +- UDPRoute + +That is, all implemenations MUST use this flow for any cross namespaces +in any of the core xRoute types, except as noted in the Exceptions section +above. + +Other "ImplementationSpecific" objects and references MUST also use this flow +for cross-namespace references, except as noted in the Exceptions section +above. \ No newline at end of file diff --git a/site-src/v1alpha2/references/images/referencepolicy.png b/site-src/v1alpha2/references/images/referencepolicy.png new file mode 100644 index 0000000000..e211764a8b Binary files /dev/null and b/site-src/v1alpha2/references/images/referencepolicy.png differ