fix: only process security/backend/envoyextension policies of our controller

Signed-off-by: y-rabie <[email protected]>

Author: y-rabie

internal/gatewayapi/backendtrafficpolicy.go

@@ -105,7 +105,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(resources *resource.Resources
 				}
 
 				t.processBackendTrafficPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, gatewayPolicyMerged, gatewayPolicyMap, policy, currTarget)
+					gatewayMap, routeMap, gatewayRouteMap, gatewayPolicyMerged, gatewayPolicyMap, policy, currTarget)
 			}
 		}
 	}
@@ -125,7 +125,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(resources *resource.Resources
 				}
 
 				t.processBackendTrafficPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, gatewayPolicyMerged, gatewayPolicyMap, policy, currTarget)
+					gatewayMap, routeMap, gatewayRouteMap, gatewayPolicyMerged, gatewayPolicyMap, policy, currTarget)
 			}
 		}
 	}
@@ -224,6 +224,7 @@ func (t *Translator) buildGatewayPolicyMap(
 func (t *Translator) processBackendTrafficPolicyForRoute(
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	routeMap map[policyTargetRouteKey]*policyRouteTargetContext,
 	gatewayRouteMap *GatewayPolicyRouteMap,
 	gatewayPolicyMergedMap *GatewayPolicyRouteMap,
@@ -253,12 +254,17 @@ func (t *Translator) processBackendTrafficPolicyForRoute(
 	// parentRefCtxs holds parent gateway/listener contexts for using in policy merge logic.
 	parentRefCtxs := make([]*RouteParentContext, 0, len(parentRefs))
 	for _, p := range parentRefs {
-		if p.Kind == nil || *p.Kind == resource.KindGateway {
-			namespace := targetedRoute.GetNamespace()
-			if p.Namespace != nil {
-				namespace = string(*p.Namespace)
-			}
-
+		namespace := targetedRoute.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+		// Check if it's a gateway, and that it's a gateway that belongs to the gatewayclass we're processing.
+		// Otherwise it may belong to another gatewayclass or another controller.
+		if _, ok := gatewayMap[gwNN]; ok && (p.Kind == nil || *p.Kind == resource.KindGateway) {
 			mapKey := NamespacedNameWithSection{
 				NamespacedName: types.NamespacedName{
 					Name:      string(p.Name),

internal/gatewayapi/envoyextensionpolicy.go

@@ -86,7 +86,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 				}
 
 				t.processEnvoyExtensionPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -106,7 +106,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 				}
 
 				t.processEnvoyExtensionPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -164,6 +164,7 @@ func (t *Translator) processEnvoyExtensionPolicyForRoute(
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 	routeMap map[policyTargetRouteKey]*policyRouteTargetContext,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	gatewayRouteMap map[string]map[string]sets.Set[string],
 	policy *egv1a1.EnvoyExtensionPolicy,
 	currTarget gwapiv1.LocalPolicyTargetReferenceWithSectionName,
@@ -188,15 +189,16 @@ func (t *Translator) processEnvoyExtensionPolicyForRoute(
 	// policy overrides and populate its ancestor status.
 	parentRefs := GetParentReferences(targetedRoute)
 	for _, p := range parentRefs {
-		if p.Kind == nil || *p.Kind == resource.KindGateway {
-			namespace := targetedRoute.GetNamespace()
-			if p.Namespace != nil {
-				namespace = string(*p.Namespace)
-			}
-			gwNN := types.NamespacedName{
-				Namespace: namespace,
-				Name:      string(p.Name),
-			}
+		namespace := targetedRoute.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+
+		if _, ok := gatewayMap[gwNN]; ok && (p.Kind == nil || *p.Kind == resource.KindGateway) {
 
 			key := gwNN.String()
 			if _, ok := gatewayRouteMap[key]; !ok {
@@ -230,7 +232,7 @@ func (t *Translator) processEnvoyExtensionPolicyForRoute(
 	}
 
 	// Set conditions for translation error if it got any
-	if err := t.translateEnvoyExtensionPolicyForRoute(policy, targetedRoute, currTarget, xdsIR, resources); err != nil {
+	if err := t.translateEnvoyExtensionPolicyForRoute(policy, targetedRoute, currTarget, gatewayMap, xdsIR, resources); err != nil {
 		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
 			ancestorRefs,
 			t.GatewayControllerName,
@@ -454,6 +456,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 	policy *egv1a1.EnvoyExtensionPolicy,
 	route RouteContext,
 	target gwapiv1.LocalPolicyTargetReferenceWithSectionName,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	xdsIR resource.XdsIRMap,
 	resources *resource.Resources,
 ) error {
@@ -475,6 +478,17 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 	parentRefs := GetParentReferences(route)
 	routesWithDirectResponse := sets.New[string]()
 	for _, p := range parentRefs {
+		namespace := route.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+		if _, ok := gatewayMap[gwNN]; !ok {
+			continue
+		}
 		parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
 		gtwCtx := parentRefCtx.GetGateway()
 		if gtwCtx == nil {

internal/gatewayapi/securitypolicy.go

@@ -113,7 +113,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
 				}
 
 				t.processSecurityPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -132,7 +132,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
 				}
 
 				t.processSecurityPolicyForRoute(resources, xdsIR,
-					routeMap, gatewayRouteMap, policy, currTarget)
+					routeMap, gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
 	}
@@ -188,6 +188,7 @@ func (t *Translator) processSecurityPolicyForRoute(
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 	routeMap map[policyTargetRouteKey]*policyRouteTargetContext,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	gatewayRouteMap map[string]map[string]sets.Set[string],
 	policy *egv1a1.SecurityPolicy,
 	currTarget gwapiv1.LocalPolicyTargetReferenceWithSectionName,
@@ -212,16 +213,15 @@ func (t *Translator) processSecurityPolicyForRoute(
 	// The parent gateways are also used to set the status of the policy.
 	parentRefs := GetParentReferences(targetedRoute)
 	for _, p := range parentRefs {
-		if p.Kind == nil || *p.Kind == resource.KindGateway {
-			namespace := targetedRoute.GetNamespace()
-			if p.Namespace != nil {
-				namespace = string(*p.Namespace)
-			}
-			gwNN := types.NamespacedName{
-				Namespace: namespace,
-				Name:      string(p.Name),
-			}
-
+		namespace := targetedRoute.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+		if _, ok := gatewayMap[gwNN]; ok && (p.Kind == nil || *p.Kind == resource.KindGateway) {
 			key := gwNN.String()
 			if _, ok := gatewayRouteMap[key]; !ok {
 				gatewayRouteMap[key] = make(map[string]sets.Set[string])
@@ -271,7 +271,7 @@ func (t *Translator) processSecurityPolicyForRoute(
 		return
 	}
 
-	if err := t.translateSecurityPolicyForRoute(policy, targetedRoute, currTarget, resources, xdsIR); err != nil {
+	if err := t.translateSecurityPolicyForRoute(policy, targetedRoute, currTarget, gatewayMap, resources, xdsIR); err != nil {
 		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
 			parentGateways,
 			t.GatewayControllerName,
@@ -598,6 +598,7 @@ func (t *Translator) translateSecurityPolicyForRoute(
 	policy *egv1a1.SecurityPolicy,
 	route RouteContext,
 	target gwapiv1.LocalPolicyTargetReferenceWithSectionName,
+	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 ) error {
@@ -647,6 +648,18 @@ func (t *Translator) translateSecurityPolicyForRoute(
 	parentRefs := GetParentReferences(route)
 	routesWithDirectResponse := sets.New[string]()
 	for _, p := range parentRefs {
+		namespace := route.GetNamespace()
+		if p.Namespace != nil {
+			namespace = string(*p.Namespace)
+		}
+		gwNN := types.NamespacedName{
+			Namespace: namespace,
+			Name:      string(p.Name),
+		}
+		if _, ok := gatewayMap[gwNN]; !ok {
+			continue
+		}
+
 		parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
 		gtwCtx := parentRefCtx.GetGateway()
 		if gtwCtx == nil {

internal/gatewayapi/securitypolicy_test.go

@@ -16,13 +16,15 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/ptr"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
+	"github.com/envoyproxy/gateway/internal/utils"
 )
 
 func Test_wildcard2regex(t *testing.T) {
@@ -933,12 +935,22 @@ func Test_SecurityPolicy_TCP_Invalid_setsStatus_and_returns(t *testing.T) {
 	}
 	routeMap[key] = &policyRouteTargetContext{RouteContext: tcpRoute}
 
+	// Create the gateway map with gateways that belong to our controller
+	gw := &gwapiv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-gateway",
+			Namespace: "default",
+		},
+	}
+	gatewayMap := make(map[types.NamespacedName]*policyGatewayTargetContext, 1)
+	gatewayMap[utils.NamespacedName(gw)] = &policyGatewayTargetContext{GatewayContext: &GatewayContext{Gateway: gw}}
+
 	gatewayRouteMap := make(map[string]map[string]sets.Set[string])
 	resources := resource.NewResources()
 	xdsIR := make(resource.XdsIRMap)
 
 	// Process the policy - this should set error status
-	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayRouteMap, policy, target)
+	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayMap, gatewayRouteMap, policy, target)
 
 	// Assert that the policy has a False condition (error was set)
 	require.True(t, hasParentFalseCondition(policy))
@@ -1007,12 +1019,22 @@ func Test_SecurityPolicy_HTTP_Invalid_setsStatus_and_returns(t *testing.T) {
 	}
 	routeMap[key] = &policyRouteTargetContext{RouteContext: httpRoute}
 
+	// Create the gateway map with gateways that belong to our controller
+	gw := &gwapiv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-gateway",
+			Namespace: "default",
+		},
+	}
+	gatewayMap := make(map[types.NamespacedName]*policyGatewayTargetContext, 1)
+	gatewayMap[utils.NamespacedName(gw)] = &policyGatewayTargetContext{GatewayContext: &GatewayContext{Gateway: gw}}
+
 	gatewayRouteMap := make(map[string]map[string]sets.Set[string])
 	resources := resource.NewResources()
 	xdsIR := make(resource.XdsIRMap)
 
 	// Process the policy - this should set error status
-	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayRouteMap, policy, target)
+	tr.processSecurityPolicyForRoute(resources, xdsIR, routeMap, gatewayMap, gatewayRouteMap, policy, target)
 
 	// Assert that the policy has a False condition (error was set)
 	require.True(t, hasParentFalseCondition(policy))