Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Listener AllowedRoutes.Kinds field isn't enforced #2299

Closed
kate-osborn opened this issue Jul 26, 2024 · 0 comments · Fixed by #2314
Closed

Listener AllowedRoutes.Kinds field isn't enforced #2299

kate-osborn opened this issue Jul 26, 2024 · 0 comments · Fixed by #2314
Assignees
@salonichf5
Labels
bug Something isn't working refined Requirements are refined and the issue is ready to be implemented. size/small Estimated to be completed within ~2 days
Milestone
v1.4.0

Comments

@kate-osborn
Copy link
Contributor

Describe the bug
NGF allows all route kinds to attach to a listener regardless of the kinds specified in the listener AllowedRoutes.Kinds field.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy NGF
  2. Create the following Gateway whose listener only allows GRPCRoutes to attach:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: grpc
    port: 80
    protocol: HTTP
    hostname: "*.example.com"
    allowedRoutes:
      kinds:
        - kind: "GRPCRoute"
  1. Then create an HTTPRoute that references the grpc-only listener:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
    sectionName: grpc
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: Exact
        value: /coffee
    backendRefs:
    - name: coffee
      port: 80
  1. Check status of listener and route:
kubectl describe gateway gateway

  Listeners:
    Attached Routes:  1 # SHOULD BE 0
    Conditions:
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               Listener is accepted
      Observed Generation:   4
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               Listener is programmed
      Observed Generation:   4
      Reason:                Programmed
      Status:                True
      Type:                  Programmed
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               All references are resolved
      Observed Generation:   4
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               No conflicts
      Observed Generation:   4
      Reason:                NoConflicts
      Status:                False
      Type:                  Conflicted
    Name:                    http
    Supported Kinds:
      Group:  gateway.networking.k8s.io
      Kind:   GRPCRoute

kubectl describe httproute coffee

Status:
  Parents:
    Conditions:
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               The route is accepted
      Observed Generation:   1
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-07-26T22:07:07Z
      Message:               All references are resolved
      Observed Generation:   1
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
    Parent Ref:
      Group:         gateway.networking.k8s.io
      Kind:          Gateway
      Name:          gateway
      Namespace:     default
      Section Name:  http

Expected behavior
The HTTPRoute should not be able to attach to the Gateway listener that only allows kinds GRPCRoute.

The HTTPRoute should not be accepted and should have the following condition set on its status:

    Message:               Route is not allowed by any listener
    Observed Generation:   1
    Reason:                NotAllowedByListeners
    Status:                False
    Type:                  Accepted

Note: GRPCRoutes can also be attached to Gateway listeners that only allow kinds HTTPRoute.

Your environment

  • Version of the NGINX Gateway Fabric - edge 1dac4584266c6ae3b0f0c9564c0643e5cafce640
@kate-osborn kate-osborn added the bug Something isn't working label Jul 26, 2024
@mpstefan mpstefan added refined Requirements are refined and the issue is ready to be implemented. size/small Estimated to be completed within ~2 days labels Jul 29, 2024
@mpstefan mpstefan added this to the v1.4.0 milestone Jul 29, 2024
@salonichf5 salonichf5 self-assigned this Jul 29, 2024
@salonichf5 salonichf5 mentioned this issue Jul 30, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@salonichf5 salonichf5

Labels
bug Something isn't working refined Requirements are refined and the issue is ready to be implemented. size/small Estimated to be completed within ~2 days
Projects
None yet
Milestone
v1.4.0
3 participants
@mpstefan @kate-osborn @salonichf5