fix(mcp): use sectionName to scope SecurityPolicy to MCP proxy rule only

toby-archer-tr · claude · toby-archer-tr · commit b18fc68379fc · 2026-03-27T16:40:43.000+01:00
SecurityPolicy and BackendTrafficPolicy were targeting the entire main HTTPRoute, causing JWT validation to run on .well-known OAuth discovery endpoints that must be publicly accessible per RFC 9728. This adds a name to the MCP proxy rule and uses sectionName on both policies to scope them to only that rule. Fixes #1992 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/internal/controller/mcp_route.go b/internal/controller/mcp_route.go
@@ -202,6 +202,7 @@ func (c *MCPRouteController) newMainHTTPRoute(dst *gwapiv1.HTTPRoute, mcpRoute *
 	// This routes incoming MCP client requests to the MCP proxy in the ext proc.
 	servingPath := ptr.Deref(mcpRoute.Spec.Path, defaultMCPPath)
 	rules := []gwapiv1.HTTPRouteRule{{
+		Name: ptr.To(gwapiv1.SectionName(internalapi.MCPProxyRuleName)),
 		Matches: []gwapiv1.HTTPRouteMatch{
 			{
 				Path: &gwapiv1.HTTPPathMatch{
diff --git a/internal/controller/mcp_route_security_policy.go b/internal/controller/mcp_route_security_policy.go
@@ -166,18 +166,16 @@ func (c *MCPRouteController) ensureSecurityPolicy(ctx context.Context, mcpRoute
 		securityPolicySpec.ExtAuth = extAuth.DeepCopy()
 	}
 
-	// The SecurityPolicy should only apply to the HTTPRoute MCP proxy rule.
-	// However, since HTTPRouteRule name is experimental in Gateway API, and some vendors (e.g. GKE Gateway) do not
-	// support it yet, we currently do not set the sectionName to avoid compatibility issues.
-	// The jwt and API key auth filter will be removed from backend routes in the extension server.
-	// TODO: use sectionName to target the MCP proxy rule only when the HTTPRouteRule name is in stable channel.
+	// Target only the MCP proxy rule via sectionName so that auth filters are not applied
+	// to the .well-known OAuth discovery endpoints which must be publicly accessible (RFC 9728).
 	securityPolicySpec.TargetRefs = []gwapiv1.LocalPolicyTargetReferenceWithSectionName{
 		{
 			LocalPolicyTargetReference: gwapiv1.LocalPolicyTargetReference{
 				Group: "gateway.networking.k8s.io",
 				Kind:  "HTTPRoute",
 				Name:  gwapiv1.ObjectName(httpRouteName),
 			},
+			SectionName: ptr.To(gwapiv1.SectionName(internalapi.MCPProxyRuleName)),
 		},
 	}
 
@@ -254,16 +252,15 @@ func (c *MCPRouteController) ensureOAuthProtectedResourceMetadataBTP(ctx context
 
 	ensureCORSHeaders(backendTrafficPolicy.Spec.ResponseOverride[0].Response.Header)
 
-	// Target the HTTPRoute MCP proxy rule only.
+	// Target only the MCP proxy rule so the WWW-Authenticate response override applies to /mcp, not .well-known endpoints.
 	backendTrafficPolicy.Spec.TargetRefs = []gwapiv1.LocalPolicyTargetReferenceWithSectionName{
 		{
 			LocalPolicyTargetReference: gwapiv1.LocalPolicyTargetReference{
 				Group: "gateway.networking.k8s.io",
 				Kind:  "HTTPRoute",
 				Name:  gwapiv1.ObjectName(httpRouteName),
 			},
-			// TODO: this filter should be applied to the MCP proxy rule only, enable sectionName when supported in Envoy Gateway.
-			// SectionName: ptr.To(gwapiv1a2.SectionName(mcpProxyRuleName)).
+			SectionName: ptr.To(gwapiv1.SectionName(internalapi.MCPProxyRuleName)),
 		},
 	}
 
diff --git a/internal/controller/mcp_route_security_policy_test.go b/internal/controller/mcp_route_security_policy_test.go
@@ -382,12 +382,7 @@ func TestMCPRouteController_syncMCPRouteSecurityPolicy(t *testing.T) {
 					require.Nil(t, securityPolicy.Spec.ExtAuth)
 				}
 
-				// The SecurityPolicy should only apply to the HTTPRoute MCP proxy rule.
-				// However, since HTTPRouteRule name is experimental in Gateway API, and some vendors (e.g. GKE Gateway) do not
-				// support it yet, we currently do not set the sectionName to avoid compatibility issues.
-				// The authn filters will be removed from backend routes in the extension server.
-				// TODO: use sectionName to target the MCP proxy rule only when the HTTPRouteRule name is in stable channel.
-				require.Nil(t, securityPolicy.Spec.TargetRefs[0].SectionName)
+				require.Equal(t, ptr.To(gwapiv1.SectionName(internalapi.MCPProxyRuleName)), securityPolicy.Spec.TargetRefs[0].SectionName)
 
 			} else {
 				require.Error(t, secPolErr, "SecurityPolicy should not exist")
diff --git a/internal/controller/mcp_route_test.go b/internal/controller/mcp_route_test.go
@@ -102,12 +102,7 @@ func TestMCPRouteController_Reconcile(t *testing.T) {
 	require.Equal(t, route.Spec.Headers, mainHTTPRoute.Spec.Rules[0].Matches[0].Headers)
 	require.Len(t, mainHTTPRoute.Spec.Rules[0].BackendRefs, 1)
 	require.Equal(t, gwapiv1.ObjectName("default-myroute-mcp-proxy"), mainHTTPRoute.Spec.Rules[0].BackendRefs[0].Name)
-	// Since HTTPRouteRule name is experimental in Gateway API, and some vendors (e.g. GKE Gateway) do not
-	// support it yet, we currently do not set the sectionName to avoid compatibility issues.
-	// The jwt filter will be removed from backend routes in the extension server.
-	// TODO: set the rule name and target the SecurityPolicy with jwt authn to the mcp-proxy rule only when the
-	// HTTPRouteRule name is in stable channel.
-	require.Nil(t, mainHTTPRoute.Spec.Rules[0].Name)
+	require.Equal(t, ptr.To(gwapiv1.SectionName(internalapi.MCPProxyRuleName)), mainHTTPRoute.Spec.Rules[0].Name)
 
 	// Labels/annotations propagated.
 	require.Equal(t, "v1", mainHTTPRoute.Labels["l1"])
diff --git a/internal/extensionserver/mcproute.go b/internal/extensionserver/mcproute.go
@@ -173,7 +173,8 @@ func (s *Server) maybeUpdateMCPRoutes(routes []*routev3.RouteConfiguration) {
 						continue
 					}
 					// Remove the authn filters from the well-known and backend routes.
-					// TODO: remove this step once the SecurityPolicy can target the MCP proxy route rule only.
+					// NOTE: with sectionName set on SecurityPolicy/BackendTrafficPolicy, EG should no longer
+					// add auth filters to well-known routes. This remains as a safety net for edge cases.
 					for _, filterName := range []string{filterNameJWTAuthn, filterNameAPIKeyAuth, filterNameExtAuth} {
 						if _, ok := route.TypedPerFilterConfig[filterName]; ok {
 							s.log.Info("removing authn filter from well-known and backend routes", "route", route.Name, "filter", filterName)
diff --git a/internal/internalapi/internalapi.go b/internal/internalapi/internalapi.go
@@ -43,6 +43,9 @@ const (
 	MCPPerBackendRefHTTPRoutePrefix = MCPGeneratedResourceCommonPrefix + "br-"
 	// MCPPerBackendHTTPRouteFilterPrefix is the prefix for the HTTP route filter names for per-backend resources.
 	MCPPerBackendHTTPRouteFilterPrefix = MCPGeneratedResourceCommonPrefix + "brf-"
+	// MCPProxyRuleName is the name of the MCP proxy HTTPRouteRule (rule/0).
+	// Used as sectionName to scope SecurityPolicy and BackendTrafficPolicy to only the /mcp endpoint.
+	MCPProxyRuleName = "mcp-proxy"
 
 	// MCPMetadataHeaderPrefix is the prefix for special headers used to pass metadata in the filter metadata.
 	// These headers are added internally to the requests to the upstream servers so they can be populated in the filter

Original file line number	Diff line number	Diff line change
`@@ -202,6 +202,7 @@ func (c MCPRouteController) newMainHTTPRoute(dst gwapiv1.HTTPRoute, mcpRoute *`
`202`	`202`	`// This routes incoming MCP client requests to the MCP proxy in the ext proc.`
`203`	`203`	`servingPath := ptr.Deref(mcpRoute.Spec.Path, defaultMCPPath)`
`204`	`204`	`rules := []gwapiv1.HTTPRouteRule{{`
	`205`	`+ Name: ptr.To(gwapiv1.SectionName(internalapi.MCPProxyRuleName)),`
`205`	`206`	`Matches: []gwapiv1.HTTPRouteMatch{`
`206`	`207`	`{`
`207`	`208`	`Path: &gwapiv1.HTTPPathMatch{`