diff --git a/apis/v1alpha2/shared_types.go b/apis/v1alpha2/shared_types.go
index ccb11f8a14..e90cf8e109 100644
--- a/apis/v1alpha2/shared_types.go
+++ b/apis/v1alpha2/shared_types.go
@@ -25,6 +25,12 @@ import (
 // with "Core" support is Gateway. This API may be extended in the future to
 // support additional kinds of parent resources, such as HTTPRoute.
 //
+// Note that for ParentRefs that cross namespace boundaries, there are specific
+// rules. Cross-namespace references are only valid if they are explicitly
+// allowed by something in the namespace they are referring to. For example,
+// Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+// generic way to enable any other kind of cross-namespace reference.
+//
 // The API object must be valid in the cluster; the Group and Kind must
 // be registered in the cluster for this reference to be valid.
 // +k8s:deepcopy-gen=false
diff --git a/apis/v1beta1/shared_types.go b/apis/v1beta1/shared_types.go
index daf0edd057..fefa381b48 100644
--- a/apis/v1beta1/shared_types.go
+++ b/apis/v1beta1/shared_types.go
@@ -52,6 +52,12 @@ type ParentReference struct {
 // Namespace is the namespace of the referent. When unspecified, this refers
 // to the local namespace of the Route.
 //
+ // Note that for ParentRefs that cross namespace boundaries, there are specific
+ // rules. Cross-namespace references are only valid if they are explicitly
+ // allowed by something in the namespace they are referring to. For example,
+ // Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ // generic way to enable any other kind of cross-namespace reference.
+ //
 // Support: Core
 //
 // +optional
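Review bot: The last sentence of the paragraph added in apis/v1alpha2/shared_types.go leaves open which mechanism authorizes a cross-namespace ParentRef. "ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference" can be read as offering ReferenceGrant as an alternative to AllowedRoutes for a Gateway parent. This paragraph describes the namespace trust boundary, so an implementation reading it that way could accept attachments the Gateway owner never allowed. If the intended rule is that AllowedRoutes alone governs Gateway parents, say so, e.g. `// For a Gateway parent, only the Gateway's AllowedRoutes applies; ReferenceGrant covers kinds of reference that have no such field.` The same wording is repeated in both hunks of apis/v1beta1/shared_types.go.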
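Review bot: The note added to the Namespace field in apis/v1beta1/shared_types.go says when a cross-namespace reference is valid, but not what an implementation must do with one that is not allowed. For a boundary between namespaces the fail-closed behaviour is worth stating outright, for example `// A ParentRef that is not allowed by the target namespace MUST NOT result in the Route being attached.`, plus a pointer to where the rejection is reported in the Route status. The ParentReference struct continues outside the hunk, so other text there may already cover this.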
@@ -140,6 +146,12 @@ type CommonRouteSpec struct { // case, the list of routes attached to those resources should also be // merged. // + // Note that for ParentRefs that cross namespace boundaries, there are specific + // rules. Cross-namespace references are only valid if they are explicitly + // allowed by something in the namespace they are referring to. For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant provides a + // generic way to enable any other kind of cross-namespace reference. + // // +optional // +kubebuilder:validation:MaxItems=32 ParentRefs []ParentReference `json:"parentRefs,omitempty"` diff --git a/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml index 8eb593a5ad..ee287cea10 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml @@ -137,7 +137,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
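Review bot: The paragraph added on ParentRefs in CommonRouteSpec is the third verbatim copy of the same text, after the v1alpha2 type comment and the Namespace field. Each copy is also carried into the generated CRD descriptions later in this diff. Copies of a rule about a security boundary tend to drift when only one is edited. I would keep the full text on `ParentReference.Namespace` and reduce this one to a pointer such as `// See ParentReference.Namespace for the rules on cross-namespace references.` CommonRouteSpec starts and ends outside the hunk.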
@@ -174,7 +179,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -1388,7 +1398,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml index 0a0df0c807..c6f8a3adde 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml 
@@ -120,7 +120,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -157,7 +162,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -1790,7 +1800,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -1965,7 +1981,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
@@ -2002,7 +2023,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -3635,7 +3661,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml index f6a4b93f7a..0b6753d60b 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml 
@@ -59,7 +59,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -96,7 +101,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -417,7 +427,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml index 84c2cdf174..33299d23af 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml @@ -105,7 +105,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
@@ -142,7 +147,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -466,7 +476,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml index 41efba3dea..4272a32a24 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml 
@@ -59,7 +59,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -96,7 +101,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -417,7 +427,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml index 7e0f17e96a..785dd02735 100644 --- a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml @@ -120,7 +120,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
@@ -157,7 +162,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -1335,7 +1345,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -1482,7 +1498,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -1519,7 +1540,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note that for ParentRefs that cross namespace boundaries, + there are specific rules. Cross-namespace references are only + valid if they are explicitly allowed by something in the namespace + they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -2697,7 +2723,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace + references are only valid if they are explicitly allowed + by something in the namespace they are referring to. For + example, Gateway has the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$