From 255539ca66a3ba3d5de29e9b22575536af8dcd8b Mon Sep 17 00:00:00 2001
From: Raj Singh
Date: Sun, 16 Nov 2025 13:12:23 -0600
Subject: [PATCH 1/2] fix: prevent skeleton route status entries for unmanaged GatewayClasses When processing policies (EnvoyExtensionPolicy, SecurityPolicy), the translator was calling GetRouteParentContext for ALL parentRefs in a route, even those referencing gateways with different GatewayClasses not managed by this translator. GetRouteParentContext creates a skeleton RouteParentStatus entry with just the controllerName when called on a parentRef that hasn't been processed yet. Since all GatewayClass instances share the same controller name, these skeleton entries persisted in status without conditions. The fix checks if a parentRef context already exists before attempting to apply policy configuration to it. If the context doesn't exist, it means this parentRef wasn't processed by this translator and should be skipped.
Signed-off-by: Raj Singh
---
 internal/gatewayapi/envoyextensionpolicy.go | 7 ++++++-
 internal/gatewayapi/securitypolicy.go | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
index c0322b943e5..2284e5d3c5b 100644
--- a/internal/gatewayapi/envoyextensionpolicy.go
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -475,7 +475,12 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 parentRefs := GetParentReferences(route)
 routesWithDirectResponse := sets.New[string]()
 for _, p := range parentRefs {
- parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
+ // Skip if this parentRef was not processed by this translator
+ // (e.g., references a Gateway with a different GatewayClass)
+ parentRefCtx := route.GetRouteParentContext(p)
+ if parentRefCtx == nil {
+ continue
+ }
 gtwCtx := parentRefCtx.GetGateway()
 if gtwCtx == nil {
 continue
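Review bot: The nil check after `route.GetRouteParentContext(p)` treats "no context yet" as "this parentRef belongs to another GatewayClass", which holds only if route processing has already created a context for every managed parentRef before policy translation runs; that ordering is not visible in this hunk and the added comment does not state it. The identical pattern is added in translateSecurityPolicyForRoute (securitypolicy.go), where a wrongly skipped parentRef would leave the route served on that parent without its SecurityPolicy and presumably without any status condition saying so, and in processBackendTrafficPolicyForRoute (backendtrafficpolicy.go). I would spell the invariant out in the comment, e.g. `// parentRef contexts are created during route processing; a nil context here means this translator never attached the route to that parent, so there is nothing to apply the policy to`. The diffstat shows no test change, so a translator test case with one route attached to Gateways of two GatewayClasses would pin both the absence of the skeleton status entry and the continued policy application on the managed parent. Both function bodies start and end outside their hunks.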
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 4dca669f882..f39b408ddf6 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -647,7 +647,12 @@ func (t *Translator) translateSecurityPolicyForRoute(
 parentRefs := GetParentReferences(route)
 routesWithDirectResponse := sets.New[string]()
 for _, p := range parentRefs {
- parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
+ // Skip if this parentRef was not processed by this translator
+ // (e.g., references a Gateway with a different GatewayClass)
+ parentRefCtx := route.GetRouteParentContext(p)
+ if parentRefCtx == nil {
+ continue
+ }
 gtwCtx := parentRefCtx.GetGateway()
 if gtwCtx == nil {
 continue
From 9b97c0864898a888fdb8f7a2a27bcd829887a08e Mon Sep 17 00:00:00 2001
From: Raj Singh
Date: Tue, 18 Nov 2025 20:41:10 -0600
Subject: [PATCH 2/2] fix: also prevent skeleton entries in BackendTrafficPolicy processing The same issue exists in BackendTrafficPolicy route processing - calling GetRouteParentContext for all parentRefs creates skeleton status entries. Apply the same fix: check if parentRef context exists before adding to list.
Signed-off-by: Raj Singh
---
 internal/gatewayapi/backendtrafficpolicy.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go
index a339d3b8c8d..b42b4f7d283 100644
--- a/internal/gatewayapi/backendtrafficpolicy.go
+++ b/internal/gatewayapi/backendtrafficpolicy.go
@@ -281,7 +281,11 @@ func (t *Translator) processBackendTrafficPolicyForRoute(
 ancestorRef := getAncestorRefForPolicy(mapKey.NamespacedName, p.SectionName)
 ancestorRefs = append(ancestorRefs, &ancestorRef)
- parentRefCtxs = append(parentRefCtxs, GetRouteParentContext(targetedRoute, p, t.GatewayControllerName))
+ // Only process parentRefs that were handled by this translator
+ // (skip those referencing Gateways with different GatewayClasses)
+ if parentRefCtx := targetedRoute.GetRouteParentContext(p); parentRefCtx != nil {
+ parentRefCtxs = append(parentRefCtxs, parentRefCtx)
+ }
 }
 }
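Review bot: `ancestorRefs = append(ancestorRefs, &ancestorRef)` still runs for every parentRef, while `parentRefCtxs` is now appended only when a context exists, so the two slices can diverge in length and membership. If `ancestorRefs` feeds the policy's status (its use is outside this hunk), the BackendTrafficPolicy could still report an ancestor for a Gateway this translator does not manage, which is the policy-side version of the skeleton entry this commit removes from route status. Unless an earlier check in the loop already filters those parents, I would move the append inside the new block: `if parentRefCtx := targetedRoute.GetRouteParentContext(p); parentRefCtx != nil {` followed by `ancestorRefs = append(ancestorRefs, &ancestorRef)` and `parentRefCtxs = append(parentRefCtxs, parentRefCtx)`. The loop and the function start and end outside the hunk.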