@@ -98,10 +98,13 @@ confusion for Kubernetes users.
9898
9999Move the existing ReferenceGrant resource into a new
100100` grants.authorization.k8s.io ` API group, defined within the Kubernetes code base
101- as part of the 1.27 release. We may take this opportunity to clarify
102- underspecified parts of the API, but will not add, change, or remove any fields
103- as part of this transition. This resource will start with v1beta1 as the API
104- version, matching the API version it already has within Gateway API.
101+ as part of the 1.27 release.
102+
103+ We will take this opportunity to clarify underspecified parts of the API, but
104+ will not add, change, or remove any fields as part of this transition.
105+ This resource will start with v1beta1 as the API version, matching the API version
106+ it already has within Gateway API.
107+
105108
106109### Risks and Mitigations
107110
@@ -130,6 +133,39 @@ authorization.
130133
131134## Design Details
132135
136+ ### General Notes
137+
138+ #### ` ReferenceGrant ` is half of a handshake
139+
140+ When thinking about ReferenceGrant, it is important to remember that it does not
141+ do anything by itself. It * Grants* the * possibility* of making a * Reference*
142+ across namespaces. It's intended that _ another object_ (that is, the From object)
143+ complete the handshake by creating a reference to the referent object (the To
144+ object).
145+
146+ #### ` Kind ` vs ` Resource `
147+
148+ When creating a metaresource (that is, a resource that targets other resources)
149+ like ReferenceGrant, it's important to consider if the metaresource uses the more
150+ common ` Kind ` or the more correct ` Resource ` .
151+
152+ When designing the Gateway API in general, we considered this quite a bit (and
153+ @robscott even ended up making https://github.com/kubernetes/community/pull/5973
154+ to clarify the API conventions), but in the end decided to use Kind, to improve
155+ the user experience. That is, it's easier users to take the value from the ` kind `
156+ field at the top of the YAML they are already using, and put it straight into
157+ these fields, rather than needing to do a kind-resource lookup for every user's
158+ interaction with the API.
159+
160+ Secondly, as in the Ingress API, the target types must be clearly defined by
161+ each implementation, so there should be no opportunity for ambiguity.
162+
163+ Lastly, this is only half of a handshake, so the From referent must also both
164+ support referencing the To referent, and must reference the one in the To field.
165+
166+ With all of that in mind, we felt that the benefits in terms of specificity
167+ outweighed the costs in terms of user pain to use the more correct ` Resource ` .
168+
133169### API Spec
134170
135171``` golang
@@ -222,6 +258,28 @@ type ReferenceGrantTo struct {
222258}
223259```
224260
261+ ### Outstanding questions and clarifications
262+
263+ This section lists some of the outstanding questions people have had about
264+ ReferenceGrant, and other items that we'll be clarifying in the godoc and other
265+ documentation as part of the transition to the new API group, keeping in mind
266+ that we will not be adding any new features, fields, or behavior, just clarifying
267+ what's done already.
268+
269+ Also note that we don't consider any of these blockers for the general _ idea_ of
270+ moving ReferenceGrant to the new API group, just notes to save discussion time.
271+
272+ * Clarify that an implementation is required to reconcile ReferenceGrant for
273+ specific ` To ` Kinds.
274+ * Corollary for future work, define how controllers interact. Is it a problem if
275+ multiple controllers consume the same ReferenceGrant?
276+ * Status design is still pending, but it's currently expected that controllers
277+ will indicate status on the _ referring_ resources, not on ReferenceGrant itself.
278+ * Clarify that the expected operating model for implementations expects them to
279+ have broad, read access to both ReferenceGrant and the specific ` To ` Kinds they
280+ support, and then self-limit to only _ use_ the relevant ones.
281+ * Decide whether to formally add ` * ` as a special value for Namespace, to mean
282+ "all namespaces".
225283
226284### Test Plan
227285
0 commit comments