Skip to content

Plugin deletion behaviour on self managed ControlPlane #3187

New issue
New issue
Open
Open
Plugin deletion behaviour on self managed ControlPlane#3187
Labels
bugSomething isn't working
@justindavies

Description

@justindavies
justindavies
opened on Jan 30, 2026

Ok, here's the result of testing with self managed for annotations and ExtensioRef:

Create a dedicated namespace for plugins

kubectl create namespace plugins

Deploy the plugin

kubectl apply -f - <<EOF
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rate-limit-cross-repro
namespace: plugins
plugin: rate-limiting
config:
minute: 5
policy: local
EOF

Authorize the team1 namespace to use this plugin

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
name: allow-plugins-repro
namespace: plugins
spec:
from:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: team1
to:
- group: configuration.konghq.com
kind: KongPlugin
EOF

kubectl annotate httproute echo -n team1
konghq.com/plugins=plugins:rate-limit-cross-repro --overwrite

Iterate a curl to test the rate limit...

kubectl delete kongplugin rate-limit-cross-repro -n plugins

Check kubectl get httproute echo -n team1 -o yaml

Status does not change on the route - I do see this in the events:

Warning KongConfigurationTranslationFailed httproute/echo-cross-deletion referenced KongPlugin or KongClusterPlugin "plugins:rate-limit-cross-deletion" does not exist

  • conditions:
    • lastTransitionTime: "2026-01-30T22:43:36Z"
      reason: Accepted
      status: "True"
      type: Accepted
    • lastTransitionTime: "2026-01-30T22:43:36Z"
      reason: ResolvedRefs
      status: "True" # <--- Should be False if a filter ref is missing?

ExtensionRef Scenario

kubectl apply -f - <<EOF
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rate-limit-extref-repro
namespace: team1
plugin: rate-limiting
config:
minute: 5
policy: local
EOF

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: echo-extref-repro
namespace: team1
spec:
parentRefs: [{name: kong, namespace: kong}]
rules:

  • matches: [{path: {type: PathPrefix, value: /extref-repro}}]
    filters:
    • type: ExtensionRef
      extensionRef:
      group: configuration.konghq.com
      kind: KongPlugin
      name: rate-limit-extref-repro
      backendRefs: [{name: echo, port: 80}]
      EOF

kubectl delete kongplugin rate-limit-extref-repro -n team1

And the status is:

status:
parents:

  • conditions:
    • lastTransitionTime: "2026-01-30T22:45:38Z"
      reason: Accepted
      status: "True"
      type: Accepted
    • lastTransitionTime: "2026-01-30T22:45:38Z"
      reason: ResolvedRefs
      status: "True" # <--- Still True (The Gap)

Warning is:

kubectl get events -n team1 --sort-by='.lastTimestamp'

TYPE REASON OBJECT MESSAGE
Warning KongConfigurationTranslationFailed httproute/echo-extensionref-deletion referenced KongPlugin or KongClusterPlugin "rate-limit-extensionref-deletion" does not exist

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions