From f11a606049d6eab4fb6fd2c1042096b2ba408d7a Mon Sep 17 00:00:00 2001
From: Nick Young
Date: Mon, 12 Dec 2022 02:09:10 +0000
Subject: [PATCH] Update wording on ParentRef field to require AllowedRoutes or ReferenceGrant
Signed-off-by: Nick Young
---
 apis/v1alpha2/shared_types.go | 6 +++
 apis/v1beta1/shared_types.go | 12 +++++
 .../gateway.networking.k8s.io_grpcroutes.yaml | 22 ++++++++--
 .../gateway.networking.k8s.io_httproutes.yaml | 44 ++++++++++++++++---
 .../gateway.networking.k8s.io_tcproutes.yaml | 22 ++++++++--
 .../gateway.networking.k8s.io_tlsroutes.yaml | 22 ++++++++--
 .../gateway.networking.k8s.io_udproutes.yaml | 22 ++++++++--
 .../gateway.networking.k8s.io_httproutes.yaml | 44 ++++++++++++++++---
 8 files changed, 170 insertions(+), 24 deletions(-)
diff --git a/apis/v1alpha2/shared_types.go b/apis/v1alpha2/shared_types.go
index ccb11f8a14..a8c836d203 100644
--- a/apis/v1alpha2/shared_types.go
+++ b/apis/v1alpha2/shared_types.go
@@ -25,6 +25,12 @@ import (
 // with "Core" support is Gateway. This API may be extended in the future to
 // support additional kinds of parent resources, such as HTTPRoute.
 //
+// Note that there are specific rules for ParentRefs that cross namespace
+// boundaries. Cross-namespace references are only valid if they are explicitly
+// allowed by something in the namespace they are referring to. For example:
+// Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+// generic way to enable any other kind of cross-namespace reference.
+//
 // The API object must be valid in the cluster; the Group and Kind must
 // be registered in the cluster for this reference to be valid.
 // +k8s:deepcopy-gen=false
diff --git a/apis/v1beta1/shared_types.go b/apis/v1beta1/shared_types.go
index daf0edd057..4beead82b4 100644
--- a/apis/v1beta1/shared_types.go
+++ b/apis/v1beta1/shared_types.go
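Review bot: The paragraph added to the doc comment in apis/v1alpha2/shared_types.go says a cross-namespace reference is only valid if "allowed by something in the namespace they are referring to", but it never states what happens to a reference that nothing allows. This rule is what stops a Route from attaching to a parent in a namespace whose owner has not opted in, so the comment should spell out the default, for example `// A cross-namespace reference that is not explicitly allowed MUST NOT be honored.` (exact wording to be checked against the spec's conformance language). "Something" would also read better as `// allowed by a resource in the namespace they are referring to`. The same gap is in both apis/v1beta1/shared_types.go hunks (ParentReference.Namespace and CommonRouteSpec.ParentRefs). The comment block begins above this hunk and the declaration it documents lies below it.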
@@ -52,6 +52,12 @@ type ParentReference struct {
 // Namespace is the namespace of the referent. When unspecified, this refers
 // to the local namespace of the Route.
 //
+ // Note for ParentRefs that cross namespace boundaries there are specific
+ // rules. Cross-namespace references are only valid if they are explicitly
+ // allowed by something in the namespace they are referring to. For example:
+ // Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ // generic way to enable any other kind of cross-namespace reference.
+ //
 // Support: Core
 //
 // +optional
@@ -140,6 +146,12 @@ type CommonRouteSpec struct {
 // case, the list of routes attached to those resources should also be
 // merged.
 //
+ // Note that for ParentRefs that cross namespace boundaries, there are specific
+ // rules. Cross-namespace references are only valid if they are explicitly
+ // allowed by something in the namespace they are referring to. For example,
+ // Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ // generic way to enable any other kind of cross-namespace reference.
+ //
 // +optional
 // +kubebuilder:validation:MaxItems=32
 ParentRefs []ParentReference `json:"parentRefs,omitempty"`
diff --git a/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml
index 8eb593a5ad..d1a695ac45 100644
--- a/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml
+++ b/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml
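Review bot: The note added to ParentReference.Namespace is worded differently from the otherwise identical note on CommonRouteSpec.ParentRefs in the next hunk. It reads `// Note for ParentRefs that cross namespace boundaries there are specific`, dropping the "that" and the comma, and it uses `For example:` where the other uses `For example,`. These comments appear to be the source of the CRD description strings changed later in this patch, so the mismatch shows up in the published schema too. I would make the Namespace copy match: `// Note that for ParentRefs that cross namespace boundaries, there are specific` and `// allowed by something in the namespace they are referring to. For example,`. The v1alpha2 comment uses a third phrasing and could be aligned at the same time. Both struct bodies continue outside their hunks.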
@@ -137,7 +137,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -174,7 +179,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -1388,7 +1398,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml index 0a0df0c807..01b86ff619 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml @@ -120,7 +120,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
@@ -157,7 +162,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -1790,7 +1800,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -1965,7 +1981,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -2002,7 +2023,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -3635,7 +3661,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml index f6a4b93f7a..d2198cab4f 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml @@ -59,7 +59,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
@@ -96,7 +101,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -417,7 +427,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml index 84c2cdf174..f4631f1a35 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml 
@@ -105,7 +105,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -142,7 +147,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -466,7 +476,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml index 41efba3dea..1c5d2bf1bc 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml @@ -59,7 +59,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
@@ -96,7 +101,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -417,7 +427,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml index 7e0f17e96a..e7720ad1b9 100644 --- a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml 
@@ -120,7 +120,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually @@ -157,7 +162,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -1335,7 +1345,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -1482,7 +1498,12 @@ spec: that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should - also be merged." + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually 
@@ -1519,7 +1540,12 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - \n Support: Core" + \n Note for ParentRefs that cross namespace boundaries there + are specific rules. Cross-namespace references are only valid + if they are explicitly allowed by something in the namespace + they are referring to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable + any other kind of cross-namespace reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -2697,7 +2723,13 @@ spec: namespace: description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of - the Route. \n Support: Core" + the Route. \n Note for ParentRefs that cross namespace + boundaries there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$