Safeguard and against empty and invalid GW class names (#13081)

Signed-off-by: Yossi Mesika <[email protected]>

Author: ymesika

pkg/kgateway/controller/gatewayclass.go

@@ -12,6 +12,7 @@ import (
 	"istio.io/istio/pkg/kube/controllers"
 	"istio.io/istio/pkg/kube/kclient"
 	"k8s.io/apimachinery/pkg/api/meta"
+	apivalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -150,6 +151,11 @@ func (r *gatewayClassReconciler) reconcile(req types.NamespacedName) (rErr error
 func (r *gatewayClassReconciler) reconcileGatewayClasses() error {
 	var errs []error
 	for name, info := range r.classInfo {
+		// Validate the GatewayClass name using Kubernetes object name validation
+		if validationErrs := apivalidation.NameIsDNSSubdomain(name, false); len(validationErrs) > 0 {
+			errs = append(errs, fmt.Errorf("invalid GatewayClass name %q: %v", name, validationErrs))
+			continue
+		}
 		if err := r.reconcileGatewayClass(name, info); err != nil {
 			errs = append(errs, err)
 		}

pkg/kgateway/controller/start.go

@@ -402,8 +402,8 @@ func GetDefaultClassInfo(
 		}
 		applyGatewayClassParametersRef(classInfos[gatewayClassName], gatewayClassName, refOverrides, false)
 	}
-	// Only enable waypoint gateway class if it's enabled in the settings
-	if globalSettings.EnableWaypoint {
+	// Only enable waypoint gateway class if it's enabled in the settings and the name isn't empty
+	if globalSettings.EnableWaypoint && waypointGatewayClassName != "" {
 		classInfos[waypointGatewayClassName] = &deployer.GatewayClassInfo{
 			Description: "Specialized class for Istio ambient mesh waypoint proxies.",
 			Labels:      map[string]string{},