Skip to content

BackendTLSPolicy can target xRoute resources and still is considered accepted #14327

Description

@marvin-roesch

kgateway version

v2.3.5

Kubernetes Version

v1.36.2

Describe the bug

Using an xRoute resource, e.g. an HTTPRoute, as targetRef in a BackendTLSPolicy renders the policy status with the corresponding Gateway and an Accepted condition set to status True. However, the ResolvedRefs condition is absent. The resulting Envoy configuration does not have any reference to the options specified in the policy (e.g. on any cluster referenced by the route resource, as one could reasonably expect).

Expected Behavior

The BackendTLSPolicy should not get accepted on the Gateway owning the target route. Some error state should indicate that a route is an invalid target.

Steps to reproduce the bug

Apply the following resources:

---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
  selector:
    app: httpbin
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin
spec:
  hostnames:
    - httpbin.example.com
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: httpbin
          port: 8080
---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: httpbin
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: httpbin
  validation:
    hostname: hostname.com
    wellKnownCACertificates: System

Then run kubectl get backendtlspolicy httpbin -oyaml and observe the following output:

---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: httpbin
  namespace: default
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: httpbin
  - group: gateway.kgateway.dev
    kind: Backend
    name: httpbin
  validation:
    hostname: hostname.com
    wellKnownCACertificates: System
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: example-gateway
      namespace: default
    conditions:
    - lastTransitionTime: "..."
      message: Policy accepted
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    controllerName: kgateway.dev/kgatewayyaml

Helm Values

No response

Kgateway pod logs

No response

Proxy pod logs

No response

Additional Environment Detail

No response

Additional Context

kgateway's own BackendConfigPolicy limits itself to Backend, Service, and Istio Hostname targets on an API level. The standard Gateway API BackendTLSPolicy has to be more lax in its validation, however.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Fields

    No fields configured for Bug.

    Projects

    Status
    Triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions