fix: only process security/backend/envoyextension policies of our controller

Signed-off-by: y-rabie <[email protected]>

Author: y-rabie

internal/gatewayapi/backendtrafficpolicy.go

@@ -131,15 +131,16 @@ func (t *Translator) ProcessBackendTrafficPolicies(resources *resource.Resources
 				ancestorRefs := make([]*gwapiv1.ParentReference, 0, len(parentRefs))
 				routeParents := sets.New[types.NamespacedName]()
 				for _, p := range parentRefs {
-					if p.Kind == nil || *p.Kind == resource.KindGateway {
-						namespace := route.GetNamespace()
-						if p.Namespace != nil {
-							namespace = string(*p.Namespace)
-						}
-						gwNN := types.NamespacedName{
-							Namespace: namespace,
-							Name:      string(p.Name),
-						}
+					namespace := route.GetNamespace()
+					if p.Namespace != nil {
+						namespace = string(*p.Namespace)
+					}
+					gwNN := types.NamespacedName{
+						Namespace: namespace,
+						Name:      string(p.Name),
+					}
+
+					if _, ok := gatewayMap[gwNN]; ok && (p.Kind == nil || *p.Kind == resource.KindGateway) {
 						routeParents.Insert(gwNN)
 
 						key := gwNN.String()

internal/gatewayapi/envoyextensionpolicy.go

@@ -85,7 +85,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 				}
 
 				t.processEEPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -104,7 +104,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 				}
 
 				t.processEEPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -160,6 +160,7 @@ func (t *Translator) processEEPolicyForRoute(
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 	routeMap map[policyTargetRouteKey]*policyRouteTargetContext,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	gatewayRouteMap map[string]map[string]sets.Set[string],
 	policy *egv1a1.EnvoyExtensionPolicy,
 	currTarget gwapiv1.LocalPolicyTargetReferenceWithSectionName,
@@ -184,15 +185,16 @@ func (t *Translator) processEEPolicyForRoute(
 	// policy overrides and populate its ancestor status.
 	parentRefs := GetParentReferences(targetedRoute)
 	for _, p := range parentRefs {
-		if p.Kind == nil || *p.Kind == resource.KindGateway {
-			namespace := targetedRoute.GetNamespace()
-			if p.Namespace != nil {
-				namespace = string(*p.Namespace)
-			}
-			gwNN := types.NamespacedName{
-				Namespace: namespace,
-				Name:      string(p.Name),
-			}
+		namespace := targetedRoute.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+
+		if _, ok := gatewayMap[gwNN]; ok && (p.Kind == nil || *p.Kind == resource.KindGateway) {
 
 			key := gwNN.String()
 			if _, ok := gatewayRouteMap[key]; !ok {
@@ -226,7 +228,7 @@ func (t *Translator) processEEPolicyForRoute(
 	}
 
 	// Set conditions for translation error if it got any
-	if err := t.translateEnvoyExtensionPolicyForRoute(policy, targetedRoute, currTarget, xdsIR, resources); err != nil {
+	if err := t.translateEnvoyExtensionPolicyForRoute(policy, targetedRoute, currTarget, gatewayMap, xdsIR, resources); err != nil {
 		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
 			ancestorRefs,
 			t.GatewayControllerName,
@@ -450,6 +452,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 	policy *egv1a1.EnvoyExtensionPolicy,
 	route RouteContext,
 	target gwapiv1.LocalPolicyTargetReferenceWithSectionName,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	xdsIR resource.XdsIRMap,
 	resources *resource.Resources,
 ) error {
@@ -471,6 +474,17 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 	parentRefs := GetParentReferences(route)
 	routesWithDirectResponse := sets.New[string]()
 	for _, p := range parentRefs {
+		namespace := route.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+		if _, ok := gatewayMap[gwNN]; !ok {
+			continue
+		}
 		parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
 		gtwCtx := parentRefCtx.GetGateway()
 		if gtwCtx == nil {

internal/gatewayapi/securitypolicy.go

@@ -107,7 +107,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
 				}
 
 				t.processSecurityPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -125,7 +125,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
 				}
 
 				t.processSecurityPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -179,6 +179,7 @@ func (t *Translator) processSecurityPolicyForRoute(
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 	routeMap map[policyTargetRouteKey]*policyRouteTargetContext,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	gatewayRouteMap map[string]map[string]sets.Set[string],
 	policy *egv1a1.SecurityPolicy,
 	currTarget gwapiv1.LocalPolicyTargetReferenceWithSectionName,
@@ -203,16 +204,15 @@ func (t *Translator) processSecurityPolicyForRoute(
 	// The parent gateways are also used to set the status of the policy.
 	parentRefs := GetParentReferences(targetedRoute)
 	for _, p := range parentRefs {
-		if p.Kind == nil || *p.Kind == resource.KindGateway {
-			namespace := targetedRoute.GetNamespace()
-			if p.Namespace != nil {
-				namespace = string(*p.Namespace)
-			}
-			gwNN := types.NamespacedName{
-				Namespace: namespace,
-				Name:      string(p.Name),
-			}
-
+		namespace := targetedRoute.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+		if _, ok := gatewayMap[gwNN]; ok && (p.Kind == nil || *p.Kind == resource.KindGateway) {
 			key := gwNN.String()
 			if _, ok := gatewayRouteMap[key]; !ok {
 				gatewayRouteMap[key] = make(map[string]sets.Set[string])
@@ -262,7 +262,7 @@ func (t *Translator) processSecurityPolicyForRoute(
 		return
 	}
 
-	if err := t.translateSecurityPolicyForRoute(policy, targetedRoute, currTarget, resources, xdsIR); err != nil {
+	if err := t.translateSecurityPolicyForRoute(policy, targetedRoute, currTarget, gatewayMap, resources, xdsIR); err != nil {
 		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
 			parentGateways,
 			t.GatewayControllerName,
@@ -589,6 +589,7 @@ func (t *Translator) translateSecurityPolicyForRoute(
 	policy *egv1a1.SecurityPolicy,
 	route RouteContext,
 	target gwapiv1.LocalPolicyTargetReferenceWithSectionName,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 ) error {
@@ -638,6 +639,18 @@ func (t *Translator) translateSecurityPolicyForRoute(
 	parentRefs := GetParentReferences(route)
 	routesWithDirectResponse := sets.New[string]()
 	for _, p := range parentRefs {
+		namespace := route.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+		if _, ok := gatewayMap[gwNN]; !ok {
+			continue
+		}
+
 		parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
 		gtwCtx := parentRefCtx.GetGateway()
 		if gtwCtx == nil {

internal/gatewayapi/securitypolicy_test.go

@@ -12,13 +12,15 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/ptr"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
+	"github.com/envoyproxy/gateway/internal/utils"
 )
 
 func Test_wildcard2regex(t *testing.T) {
@@ -856,12 +858,22 @@ func Test_SecurityPolicy_TCP_Invalid_setsStatus_and_returns(t *testing.T) {
 	}
 	routeMap[key] = &policyRouteTargetContext{RouteContext: tcpRoute}
 
+	// Create the gateway map with gateways that belong to our controller
+	gw := &gwapiv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-gateway",
+			Namespace: "default",
+		},
+	}
+	gatewayMap := make(map[types.NamespacedName]*policyGatewayTargetContext, 1)
+	gatewayMap[utils.NamespacedName(gw)] = &policyGatewayTargetContext{GatewayContext: &GatewayContext{Gateway: gw}}
+
 	gatewayRouteMap := make(map[string]map[string]sets.Set[string])
 	resources := resource.NewResources()
 	xdsIR := make(resource.XdsIRMap)
 
 	// Process the policy - this should set error status
-	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayRouteMap, policy, target)
+	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayMap, gatewayRouteMap, policy, target)
 
 	// Assert that the policy has a False condition (error was set)
 	require.True(t, hasParentFalseCondition(policy))
@@ -930,12 +942,22 @@ func Test_SecurityPolicy_HTTP_Invalid_setsStatus_and_returns(t *testing.T) {
 	}
 	routeMap[key] = &policyRouteTargetContext{RouteContext: httpRoute}
 
+	// Create the gateway map with gateways that belong to our controller
+	gw := &gwapiv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-gateway",
+			Namespace: "default",
+		},
+	}
+	gatewayMap := make(map[types.NamespacedName]*policyGatewayTargetContext, 1)
+	gatewayMap[utils.NamespacedName(gw)] = &policyGatewayTargetContext{GatewayContext: &GatewayContext{Gateway: gw}}
+
 	gatewayRouteMap := make(map[string]map[string]sets.Set[string])
 	resources := resource.NewResources()
 	xdsIR := make(resource.XdsIRMap)
 
 	// Process the policy - this should set error status
-	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayRouteMap, policy, target)
+	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayMap, gatewayRouteMap, policy, target)
 
 	// Assert that the policy has a False condition (error was set)
 	require.True(t, hasParentFalseCondition(policy))