
Commit 2955e08

committed
feat: section name to route rule in security policy
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
1 parent a107a03 commit 2955e08


8 files changed

+213
-134
lines changed


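--- a/api/v1alpha1/securitypolicy_types.go
+++ b/api/v1alpha1/securitypolicy_types.go
@@ -37,10 +37,8 @@ type SecurityPolicy struct {
 //
 // +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.group == 'gateway.networking.k8s.io' : true", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute'] : true", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute"
-// +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind == 'Gateway' || !has(self.targetRef.sectionName) : true",message="this policy supports the sectionName field only for kind Gateway"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == 'gateway.networking.k8s.io') : true ", message="this policy can only have a targetRefs[*].group of gateway.networking.k8s.io"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute']) : true ", message="this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute"
-// +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == 'Gateway' || !has(ref.sectionName)) : true",message="this policy supports the sectionName field only for kind Gateway"
 // +kubebuilder:validation:XValidation:rule="(has(self.authorization) && has(self.authorization.rules) && self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt) : true", message="if authorization.rules.principal.jwt is used, jwt must be defined"
 //
 // SecurityPolicySpec defines the desired state of SecurityPolicy.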

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml

Lines changed: 0 additions & 6 deletions
@@ -4870,18 +4870,12 @@ spec:
48704870
- message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute
48714871
rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
48724872
''GRPCRoute''] : true'
4873-
- message: this policy supports the sectionName field only for kind Gateway
4874-
rule: 'has(self.targetRef) ? self.targetRef.kind == ''Gateway'' || !has(self.targetRef.sectionName)
4875-
: true'
48764873
- message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
48774874
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
48784875
''gateway.networking.k8s.io'') : true '
48794876
- message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute
48804877
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
48814878
''HTTPRoute'', ''GRPCRoute'']) : true '
4882-
- message: this policy supports the sectionName field only for kind Gateway
4883-
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == ''Gateway''
4884-
|| !has(ref.sectionName)) : true'
48854879
- message: if authorization.rules.principal.jwt is used, jwt must be defined
48864880
rule: '(has(self.authorization) && has(self.authorization.rules) &&
48874881
self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt)

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

Lines changed: 0 additions & 6 deletions
@@ -4869,18 +4869,12 @@ spec:
48694869
- message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute
48704870
rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
48714871
''GRPCRoute''] : true'
4872-
- message: this policy supports the sectionName field only for kind Gateway
4873-
rule: 'has(self.targetRef) ? self.targetRef.kind == ''Gateway'' || !has(self.targetRef.sectionName)
4874-
: true'
48754872
- message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
48764873
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
48774874
''gateway.networking.k8s.io'') : true '
48784875
- message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute
48794876
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
48804877
''HTTPRoute'', ''GRPCRoute'']) : true '
4881-
- message: this policy supports the sectionName field only for kind Gateway
4882-
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == ''Gateway''
4883-
|| !has(ref.sectionName)) : true'
48844878
- message: if authorization.rules.principal.jwt is used, jwt must be defined
48854879
rule: '(has(self.authorization) && has(self.authorization.rules) &&
48864880
self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt)

internal/gatewayapi/helpers.go

Lines changed: 2 additions & 1 deletion
@@ -485,7 +485,8 @@ type policyTargetRouteKey struct {
485485

486486
type policyRouteTargetContext struct {
487487
RouteContext
488-
attached bool
488+
attached bool
489+
attachedToRouteRules sets.Set[string]
489490
}
490491

491492
type policyGatewayTargetContext struct {
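Review bot: The new `attachedToRouteRules sets.Set[string]` field on policyRouteTargetContext has no comment saying what its members are or how it interacts with the existing `attached` flag, and presumably both now decide whether a further policy may bind to the same route, so a reader cannot tell whether a whole-route attachment (`attached == true`) is meant to block a later rule-level one or the reverse. I would document it as `// attachedToRouteRules holds the sectionName of each route rule that already has a policy attached; attached covers the whole-route case.` (wording inferred from the commit title — confirm against the translator). Note also that `sets.Set[string]` is a map type, so a zero-value context has a nil set and an `Insert` on it would panic; wherever the context is constructed (outside this hunk) the field needs `sets.New[string]()`. Since this commit also drops the CRD-level CEL rule that rejected sectionName on HTTPRoute/GRPCRoute targets, that check now lives entirely in the translator, so an undefined conflict decision here means a security policy could silently attach to the wrong scope or not at all.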
