
SecurityPolicy route-target status includes unmanaged Gateway parents when HTTPRoute has mixed parentRefs #8320

@zhaohuabing

Description
When a SecurityPolicy targets an HTTPRoute that has mixed parentRefs (some managed by Envoy Gateway and some unmanaged), SecurityPolicy.status.ancestors includes unmanaged Gateway parents.

Expected behavior: for route-target SecurityPolicy, status.ancestors should include only ancestors for Gateway parents managed by the current Envoy Gateway controller (gateway.envoyproxy.io/gatewayclass-controller).

Example

Assume:

  • Gateway/managed-gateway uses gatewayClassName: envoy-gateway-class
  • Gateway/unmanaged-gateway uses gatewayClassName: other-gateway-class
  • HTTPRoute/mixed-parents-route has both parentRefs
  • SecurityPolicy/route-policy targets that HTTPRoute

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: mixed-parents-route
  namespace: default
spec:
  parentRefs:
  - name: managed-gateway
    sectionName: http
  - name: unmanaged-gateway
    sectionName: http
  rules:
  - matches:
    - path:
        value: /
    backendRefs:
    - name: service-1
      port: 8080
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: route-policy
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: mixed-parents-route
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - 10.0.0.0/24

Current behavior (status.ancestors) includes both gateways:

status:
  ancestors:
  - ancestorRef:
      name: managed-gateway
      kind: Gateway
      group: gateway.networking.k8s.io
      namespace: default
      sectionName: http
  - ancestorRef:
      name: unmanaged-gateway
      kind: Gateway
      group: gateway.networking.k8s.io
      namespace: default
      sectionName: http

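The filter the expected behavior calls for, as an added example that is not Envoy Gateway's own code: resolve each parentRef to its Gateway and that Gateway's GatewayClass, and report an ancestor only when the class's controllerName is the current controller's. The ParentRef, Gateway and AncestorRef structs and the two map shapes are assumed stand-ins for the real Gateway API objects; the fixtures are the two Gateways from the issue.

```go
package main

import "fmt"

// Constructed example, not Envoy Gateway's own code: keep only the Gateway
// parents whose GatewayClass is owned by this controller.
const controllerName = "gateway.envoyproxy.io/gatewayclass-controller"

type ParentRef struct{ Name, Namespace, SectionName string } // Namespace may be empty
type Gateway struct{ Name, Namespace, GatewayClassName string }
type AncestorRef struct{ Group, Kind, Namespace, Name, SectionName string }

// managedAncestors resolves each parentRef of a route living in routeNS to a
// Gateway (keyed "namespace/name") and its GatewayClass (name -> controllerName),
// and returns an AncestorRef only for Gateways managed by controllerName.
func managedAncestors(routeNS string, parentRefs []ParentRef,
	gateways map[string]Gateway, classController map[string]string) []AncestorRef {
	var out []AncestorRef
	for _, ref := range parentRefs {
		ns := ref.Namespace
		if ns == "" {
			ns = routeNS // parentRef.namespace defaults to the route's namespace
		}
		gw, ok := gateways[ns+"/"+ref.Name]
		if !ok {
			continue // parent does not exist: nothing to report
		}
		if classController[gw.GatewayClassName] != controllerName {
			continue // unmanaged (or unknown) GatewayClass: skip it
		}
		out = append(out, AncestorRef{
			Group: "gateway.networking.k8s.io", Kind: "Gateway",
			Namespace: ns, Name: gw.Name, SectionName: ref.SectionName,
		})
	}
	return out
}

func main() {
	// Fixtures from the issue: one managed and one unmanaged Gateway.
	gateways := map[string]Gateway{
		"default/managed-gateway":   {"managed-gateway", "default", "envoy-gateway-class"},
		"default/unmanaged-gateway": {"unmanaged-gateway", "default", "other-gateway-class"},
	}
	classes := map[string]string{"envoy-gateway-class": controllerName, "other-gateway-class": "example.com/other"}
	refs := []ParentRef{{Name: "managed-gateway", SectionName: "http"}, {Name: "unmanaged-gateway", SectionName: "http"}}
	for _, a := range managedAncestors("default", refs, gateways, classes) {
		fmt.Printf("%s/%s section=%s\n", a.Namespace, a.Name, a.SectionName) // only managed-gateway
	}
}
```

A parentRef whose Gateway is missing, or whose GatewayClass is unknown, is dropped the same way as an unmanaged one, so the status never carries ancestors this controller cannot own.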

Labels: kind/bug