From d1370a73b4f1617bcf8c9e2ad990922f56d77690 Mon Sep 17 00:00:00 2001 
From: Rob Scott Date: Wed, 1 Jun 2022 16:58:22 +0000 Subject: [PATCH] Renaming ReferencePolicy to ReferenceGrant --- apis/v1alpha2/gateway_types.go | 6 +- apis/v1alpha2/httproute_types.go | 6 +- apis/v1alpha2/object_reference_types.go | 12 +- apis/v1alpha2/referencepolicy_types.go | 34 ++--- apis/v1alpha2/shared_types.go | 6 +- apis/v1alpha2/zz_generated.deepcopy.go | 50 +++---- apis/v1alpha2/zz_generated.register.go | 4 +- .../gateway.networking.k8s.io_gateways.yaml | 8 +- .../gateway.networking.k8s.io_httproutes.yaml | 18 +-- ...ay.networking.k8s.io_referencegrants.yaml} | 24 ++-- .../gateway.networking.k8s.io_tcproutes.yaml | 8 +- .../gateway.networking.k8s.io_tlsroutes.yaml | 8 +- .../gateway.networking.k8s.io_udproutes.yaml | 8 +- config/crd/kustomization.yaml | 2 +- .../gateway.networking.k8s.io_gateways.yaml | 8 +- .../gateway.networking.k8s.io_httproutes.yaml | 18 +-- ...ay.networking.k8s.io_referencegrants.yaml} | 24 ++-- .../gateway.networking.k8s.io_tcproutes.yaml | 8 +- .../gateway.networking.k8s.io_tlsroutes.yaml | 8 +- .../gateway.networking.k8s.io_udproutes.yaml | 8 +- conformance/conformance_test.go | 2 +- ...ute-invalid-cross-namespace-backend-ref.go | 4 +- .../httproute-invalid-reference-policy.go | 14 +- .../httproute-invalid-reference-policy.yaml | 6 +- .../tests/httproute-reference-policy.go | 12 +- .../tests/httproute-reference-policy.yaml | 6 +- conformance/utils/suite/suite.go | 8 +- ...rence-policy.yaml => reference-grant.yaml} | 2 +- .../v1alpha2/tls-cert-cross-namespace.yaml | 2 +- .../missing-from.yaml | 2 +- .../missing-ns.yaml | 2 +- .../missing-to.yaml | 2 +- mkdocs.yml | 2 +- .../typed/apis/v1alpha2/apis_client.go | 6 +- .../apis/v1alpha2/fake/fake_apis_client.go | 4 +- .../apis/v1alpha2/fake/fake_referencegrant.go | 130 ++++++++++++++++++ .../v1alpha2/fake/fake_referencepolicy.go | 130 ------------------ .../apis/v1alpha2/generated_expansion.go | 2 +- .../{referencepolicy.go => referencegrant.go} | 94 ++++++------- 
.../apis/v1alpha2/interface.go | 10 +- .../{referencepolicy.go => referencegrant.go} | 38 ++--- .../informers/externalversions/generic.go | 4 +- .../apis/v1alpha2/expansion_generated.go | 12 +- .../listers/apis/v1alpha2/referencegrant.go | 99 +++++++++++++ .../listers/apis/v1alpha2/referencepolicy.go | 99 ------------- site-src/blog/2021/introducing-v1alpha2.md | 10 +- site-src/concepts/security-model.md | 14 +- site-src/geps/gep-1016.md | 2 +- site-src/geps/gep-709.md | 60 ++++---- site-src/geps/gep-724.md | 44 +++--- site-src/geps/gep-746.md | 6 +- site-src/geps/gep-851.md | 4 +- site-src/geps/gep-917.md | 2 +- ...rencepolicy.png => 709-referencegrant.png} | Bin site-src/implementations.md | 2 +- .../{referencepolicy.md => referencegrant.md} | 46 ++++--- site-src/v1alpha2/guides/tls.md | 4 +- ...y-simple.png => referencegrant-simple.png} | Bin 58 files changed, 581 insertions(+), 573 deletions(-) rename config/crd/experimental/{gateway.networking.k8s.io_referencepolicies.yaml => gateway.networking.k8s.io_referencegrants.yaml} (90%) rename config/crd/stable/{gateway.networking.k8s.io_referencepolicies.yaml => gateway.networking.k8s.io_referencegrants.yaml} (90%) rename examples/v1alpha2/{reference-policy.yaml => reference-grant.yaml} (93%) rename hack/invalid-examples/v1alpha2/{referencepolicy => referencegrant}/missing-from.yaml (84%) rename hack/invalid-examples/v1alpha2/{referencepolicy => referencegrant}/missing-ns.yaml (89%) rename hack/invalid-examples/v1alpha2/{referencepolicy => referencegrant}/missing-to.yaml (87%) create mode 100644 pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencegrant.go delete mode 100644 pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencepolicy.go rename pkg/client/clientset/versioned/typed/apis/v1alpha2/{referencepolicy.go => referencegrant.go} (50%) rename pkg/client/informers/externalversions/apis/v1alpha2/{referencepolicy.go => referencegrant.go} (55%) create mode 100644 
pkg/client/listers/apis/v1alpha2/referencegrant.go delete mode 100644 pkg/client/listers/apis/v1alpha2/referencepolicy.go rename site-src/geps/images/{709-referencepolicy.png => 709-referencegrant.png} (100%) rename site-src/v1alpha2/api-types/{referencepolicy.md => referencegrant.md} (74%) rename site-src/v1alpha2/images/{referencepolicy-simple.png => referencegrant-simple.png} (100%) diff --git a/apis/v1alpha2/gateway_types.go b/apis/v1alpha2/gateway_types.go index ca639ca1c2..ecf8ff10c7 100644 --- a/apis/v1alpha2/gateway_types.go +++ b/apis/v1alpha2/gateway_types.go @@ -314,8 +314,8 @@ type GatewayTLSConfig struct { // a Listener, but this behavior is implementation-specific. // // References to a resource in different namespace are invalid UNLESS there - // is a ReferencePolicy in the target namespace that allows the certificate - // to be attached. If a ReferencePolicy does not allow this reference, the + // is a ReferenceGrant in the target namespace that allows the certificate + // to be attached. If a ReferenceGrant does not allow this reference, the // "ResolvedRefs" condition MUST be set to False for this listener with the // "InvalidCertificateRef" reason. // @@ -758,7 +758,7 @@ const ( // This reason is used with the "ResolvedRefs" condition when // one of the Listener's Routes has a BackendRef to an object in // another namespace, where the object in the other namespace does - // not have a ReferencePolicy explicitly allowing the reference. + // not have a ReferenceGrant explicitly allowing the reference. ListenerReasonRefNotPermitted ListenerConditionReason = "RefNotPermitted" ) diff --git a/apis/v1alpha2/httproute_types.go b/apis/v1alpha2/httproute_types.go index 0aa4affd74..865fb93344 100644 --- a/apis/v1alpha2/httproute_types.go +++ b/apis/v1alpha2/httproute_types.go 
@@ -204,7 +204,7 @@ type HTTPRouteRule struct { // * an unknown or unsupported kind of resource // * a resource that does not exist // * a resource in another namespace when the reference has not been - // explicitly allowed by a ReferencePolicy (or equivalent concept). + // explicitly allowed by a ReferenceGrant (or equivalent concept). // // When a BackendRef is invalid, 404 status codes MUST be returned for // requests that would have otherwise been routed to an invalid backend. If @@ -833,7 +833,7 @@ type HTTPRequestMirrorFilter struct { // this backend in the underlying implementation. // // If there is a cross-namespace reference to an *existing* object - // that is not allowed by a ReferencePolicy, the controller must ensure the + // that is not allowed by a ReferenceGrant, the controller must ensure the // "ResolvedRefs" condition on the Route is set to `status: False`, // with the "RefNotPermitted" reason and not configure this backend in the // underlying implementation. @@ -856,7 +856,7 @@ type HTTPBackendRef struct { // configure this backend in the underlying implementation. // // If there is a cross-namespace reference to an *existing* object - // that is not covered by a ReferencePolicy, the controller must ensure the + // that is not covered by a ReferenceGrant, the controller must ensure the // "ResolvedRefs" condition on the Route is set to `status: False`, // with the "RefNotPermitted" reason and not configure this backend in the // underlying implementation. diff --git a/apis/v1alpha2/object_reference_types.go b/apis/v1alpha2/object_reference_types.go index 270e9c825a..8365168106 100644 --- a/apis/v1alpha2/object_reference_types.go +++ b/apis/v1alpha2/object_reference_types.go 
@@ -65,9 +65,9 @@ type SecretObjectReference struct { // Namespace is the namespace of the backend. When unspecified, the local // namespace is inferred. // - // Note that when a namespace is specified, a ReferencePolicy object + // Note that when a namespace is specified, a ReferenceGrant object // is required in the referent namespace to allow that namespace's - // owner to accept the reference. See the ReferencePolicy documentation + // owner to accept the reference. See the ReferenceGrant documentation // for details. // // Support: Core @@ -80,9 +80,9 @@ type SecretObjectReference struct { // specific to BackendRef. It includes a few additional fields and features // than a regular ObjectReference. // -// Note that when a namespace is specified, a ReferencePolicy object +// Note that when a namespace is specified, a ReferenceGrant object // is required in the referent namespace to allow that namespace's -// owner to accept the reference. See the ReferencePolicy documentation +// owner to accept the reference. See the ReferenceGrant documentation // for details. // // The API object must be valid in the cluster; the Group and Kind must @@ -112,9 +112,9 @@ type BackendObjectReference struct { // Namespace is the namespace of the backend. When unspecified, the local // namespace is inferred. // - // Note that when a namespace is specified, a ReferencePolicy object + // Note that when a namespace is specified, a ReferenceGrant object // is required in the referent namespace to allow that namespace's - // owner to accept the reference. See the ReferencePolicy documentation + // owner to accept the reference. See the ReferenceGrant documentation // for details. // // Support: Core diff --git a/apis/v1alpha2/referencepolicy_types.go b/apis/v1alpha2/referencepolicy_types.go index 76f759ee3f..0aea80b8f0 100644 --- a/apis/v1alpha2/referencepolicy_types.go +++ b/apis/v1alpha2/referencepolicy_types.go 
@@ -24,25 +24,25 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +kubebuilder:storageversion // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` -// ReferencePolicy identifies kinds of resources in other namespaces that are +// ReferenceGrant identifies kinds of resources in other namespaces that are // trusted to reference the specified kinds of resources in the same namespace // as the policy. // -// Each ReferencePolicy can be used to represent a unique trust relationship. +// Each ReferenceGrant can be used to represent a unique trust relationship. // Additional Reference Policies can be used to add to the set of trusted // sources of inbound references for the namespace they are defined within. // // All cross-namespace references in Gateway API (with the exception of cross-namespace -// Gateway-route attachment) require a ReferencePolicy. +// Gateway-route attachment) require a ReferenceGrant. // // Support: Core // -type ReferencePolicy struct { +type ReferenceGrant struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec defines the desired state of ReferencePolicy. - Spec ReferencePolicySpec `json:"spec,omitempty"` + // Spec defines the desired state of ReferenceGrant. + Spec ReferenceGrantSpec `json:"spec,omitempty"` // Note that `Status` sub-resource has been excluded at the // moment as it was difficult to work out the design. 
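Review bot: The doc comment on the renamed ReferenceGrant type still describes it in the old vocabulary — `// as the policy.` and `// Additional Reference Policies can be used to add to the set of trusted` survive unchanged in this hunk, and the same text is carried into the generated CRD description (the @@ -27 hunk of gateway.networking.k8s.io_referencegrants.yaml, presumably its stable copy too). Since this comment is the normative statement of the cross-namespace trust relationship, suggest `// as the grant.` and `// Additional Reference Grants can be used to add to the set of trusted`, then regenerating the CRDs so the schema descriptions follow. The file itself is still named referencepolicy_types.go; renaming it alongside the types would keep it consistent with the other per-kind files in the package (gateway_types.go, httproute_types.go).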
@@ -50,16 +50,16 @@ type ReferencePolicy struct { } // +kubebuilder:object:root=true -// ReferencePolicyList contains a list of ReferencePolicy. -type ReferencePolicyList struct { +// ReferenceGrantList contains a list of ReferenceGrant. +type ReferenceGrantList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata,omitempty"` - Items []ReferencePolicy `json:"items"` + Items []ReferenceGrant `json:"items"` } -// ReferencePolicySpec identifies a cross namespace relationship that is trusted +// ReferenceGrantSpec identifies a cross namespace relationship that is trusted // for Gateway API. -type ReferencePolicySpec struct { +type ReferenceGrantSpec struct { // From describes the trusted namespaces and kinds that can reference the // resources described in "To". Each entry in this list must be considered // to be an additional place that references can be valid from, or to put @@ -69,7 +69,7 @@ type ReferencePolicySpec struct { // // +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MaxItems=16 - From []ReferencePolicyFrom `json:"from"` + From []ReferenceGrantFrom `json:"from"` // To describes the resources that may be referenced by the resources // described in "From". Each entry in this list must be considered to be an @@ -80,11 +80,11 @@ type ReferencePolicySpec struct { // // +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MaxItems=16 - To []ReferencePolicyTo `json:"to"` + To []ReferenceGrantTo `json:"to"` } -// ReferencePolicyFrom describes trusted namespaces and kinds. -type ReferencePolicyFrom struct { +// ReferenceGrantFrom describes trusted namespaces and kinds. +type ReferenceGrantFrom struct { // Group is the group of the referent. // When empty, the Kubernetes core API group is inferred. // 
@@ -107,9 +107,9 @@ type ReferencePolicyFrom struct { Namespace Namespace `json:"namespace"` } -// ReferencePolicyTo describes what Kinds are allowed as targets of the +// ReferenceGrantTo describes what Kinds are allowed as targets of the // references. -type ReferencePolicyTo struct { +type ReferenceGrantTo struct { // Group is the group of the referent. // When empty, the Kubernetes core API group is inferred. // diff --git a/apis/v1alpha2/shared_types.go b/apis/v1alpha2/shared_types.go index 753f04e618..8611096b1e 100644 --- a/apis/v1alpha2/shared_types.go +++ b/apis/v1alpha2/shared_types.go @@ -150,9 +150,9 @@ type PortNumber int32 // BackendRef defines how a Route should forward a request to a Kubernetes // resource. // -// Note that when a namespace is specified, a ReferencePolicy object +// Note that when a namespace is specified, a ReferenceGrant object // is required in the referent namespace to allow that namespace's -// owner to accept the reference. See the ReferencePolicy documentation +// owner to accept the reference. See the ReferenceGrant documentation // for details. type BackendRef struct { // BackendObjectReference references a Kubernetes object. @@ -239,7 +239,7 @@ const ( // This reason is used with the "ResolvedRefs" condition when // one of the Listener's Routes has a BackendRef to an object in // another namespace, where the object in the other namespace does - // not have a ReferencePolicy explicitly allowing the reference. + // not have a ReferenceGrant explicitly allowing the reference. RouteReasonRefNotPermitted RouteConditionReason = "RefNotPermitted" ) diff --git a/apis/v1alpha2/zz_generated.deepcopy.go b/apis/v1alpha2/zz_generated.deepcopy.go index 7c50bad1c8..c8d3d6bbb3 100644 --- a/apis/v1alpha2/zz_generated.deepcopy.go +++ b/apis/v1alpha2/zz_generated.deepcopy.go 
@@ -1027,25 +1027,25 @@ func (in *PolicyTargetReference) DeepCopy() *PolicyTargetReference { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferencePolicy) DeepCopyInto(out *ReferencePolicy) { +func (in *ReferenceGrant) DeepCopyInto(out *ReferenceGrant) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicy. -func (in *ReferencePolicy) DeepCopy() *ReferencePolicy { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrant. +func (in *ReferenceGrant) DeepCopy() *ReferenceGrant { if in == nil { return nil } - out := new(ReferencePolicy) + out := new(ReferenceGrant) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ReferencePolicy) DeepCopyObject() runtime.Object { +func (in *ReferenceGrant) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } 
@@ -1053,46 +1053,46 @@ func (in *ReferencePolicy) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferencePolicyFrom) DeepCopyInto(out *ReferencePolicyFrom) { +func (in *ReferenceGrantFrom) DeepCopyInto(out *ReferenceGrantFrom) { *out = *in } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicyFrom. -func (in *ReferencePolicyFrom) DeepCopy() *ReferencePolicyFrom { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantFrom. +func (in *ReferenceGrantFrom) DeepCopy() *ReferenceGrantFrom { if in == nil { return nil } - out := new(ReferencePolicyFrom) + out := new(ReferenceGrantFrom) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferencePolicyList) DeepCopyInto(out *ReferencePolicyList) { +func (in *ReferenceGrantList) DeepCopyInto(out *ReferenceGrantList) { *out = *in out.TypeMeta = in.TypeMeta in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]ReferencePolicy, len(*in)) + *out = make([]ReferenceGrant, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicyList. -func (in *ReferencePolicyList) DeepCopy() *ReferencePolicyList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantList. +func (in *ReferenceGrantList) DeepCopy() *ReferenceGrantList { if in == nil { return nil } - out := new(ReferencePolicyList) + out := new(ReferenceGrantList) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *ReferencePolicyList) DeepCopyObject() runtime.Object { +func (in *ReferenceGrantList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } @@ -1100,34 +1100,34 @@ func (in *ReferencePolicyList) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferencePolicySpec) DeepCopyInto(out *ReferencePolicySpec) { +func (in *ReferenceGrantSpec) DeepCopyInto(out *ReferenceGrantSpec) { *out = *in if in.From != nil { in, out := &in.From, &out.From - *out = make([]ReferencePolicyFrom, len(*in)) + *out = make([]ReferenceGrantFrom, len(*in)) copy(*out, *in) } if in.To != nil { in, out := &in.To, &out.To - *out = make([]ReferencePolicyTo, len(*in)) + *out = make([]ReferenceGrantTo, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicySpec. -func (in *ReferencePolicySpec) DeepCopy() *ReferencePolicySpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantSpec. +func (in *ReferenceGrantSpec) DeepCopy() *ReferenceGrantSpec { if in == nil { return nil } - out := new(ReferencePolicySpec) + out := new(ReferenceGrantSpec) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ReferencePolicyTo) DeepCopyInto(out *ReferencePolicyTo) { +func (in *ReferenceGrantTo) DeepCopyInto(out *ReferenceGrantTo) { *out = *in if in.Name != nil { in, out := &in.Name, &out.Name 
@@ -1136,12 +1136,12 @@ func (in *ReferencePolicyTo) DeepCopyInto(out *ReferencePolicyTo) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferencePolicyTo. -func (in *ReferencePolicyTo) DeepCopy() *ReferencePolicyTo { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceGrantTo. +func (in *ReferenceGrantTo) DeepCopy() *ReferenceGrantTo { if in == nil { return nil } - out := new(ReferencePolicyTo) + out := new(ReferenceGrantTo) in.DeepCopyInto(out) return out } diff --git a/apis/v1alpha2/zz_generated.register.go b/apis/v1alpha2/zz_generated.register.go index 94dc2ff41b..7505084fa4 100644 --- a/apis/v1alpha2/zz_generated.register.go +++ b/apis/v1alpha2/zz_generated.register.go @@ -64,8 +64,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &GatewayList{}, &HTTPRoute{}, &HTTPRouteList{}, - &ReferencePolicy{}, - &ReferencePolicyList{}, + &ReferenceGrant{}, + &ReferenceGrantList{}, &TCPRoute{}, &TCPRouteList{}, &TLSRoute{}, diff --git a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml index f600483ab2..563ea1271d 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml @@ -331,9 +331,9 @@ spec: MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are - invalid UNLESS there is a ReferencePolicy in the target + invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. - If a ReferencePolicy does not allow this reference, the + If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"InvalidCertificateRef\" reason. \n This field is required to have at least one element when 
@@ -378,10 +378,10 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - \n Note that when a namespace is specified, a ReferencePolicy + \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. - See the ReferencePolicy documentation for details. + See the ReferenceGrant documentation for details. \n Support: Core" maxLength: 63 minLength: 1 diff --git a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml index 5b83e8c227..4b83a9db1d 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml @@ -224,7 +224,7 @@ spec: invalid when it refers to: \n * an unknown or unsupported kind of resource * a resource that does not exist * a resource in another namespace when the reference has not been explicitly - allowed by a ReferencePolicy (or equivalent concept). \n When + allowed by a ReferenceGrant (or equivalent concept). \n When a BackendRef is invalid, 404 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are @@ -411,7 +411,7 @@ spec: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* - object that is not allowed by a ReferencePolicy, + object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" \ condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason 
@@ -449,10 +449,10 @@ spec: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that - when a namespace is specified, a ReferencePolicy + when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept - the reference. See the ReferencePolicy + the reference. See the ReferenceGrant documentation for details. \n Support: Core" maxLength: 63 @@ -660,10 +660,10 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferencePolicy + Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See - the ReferencePolicy documentation for details. \n Support: + the ReferenceGrant documentation for details. \n Support: Core" maxLength: 63 minLength: 1 @@ -872,7 +872,7 @@ spec: is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* - object that is not allowed by a ReferencePolicy, + object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" \ condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure @@ -908,9 +908,9 @@ spec: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is - specified, a ReferencePolicy object is required + specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's - owner to accept the reference. See the ReferencePolicy + owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" maxLength: 63 minLength: 1 
diff --git a/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml similarity index 90% rename from config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml rename to config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml index 74736cf74c..d3511539da 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml @@ -6,18 +6,18 @@ metadata: gateway.networking.k8s.io/bundle-version: v0.5.0-dev gateway.networking.k8s.io/channel: experimental creationTimestamp: null - name: referencepolicies.gateway.networking.k8s.io + name: referencegrants.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferencePolicy - listKind: ReferencePolicyList - plural: referencepolicies + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants shortNames: - refpol - singular: referencepolicy + singular: referencegrant scope: Namespaced versions: - additionalPrinterColumns: 
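Review bot: `shortNames: - refpol` is carried over unchanged while kind, plural and singular all move to ReferenceGrant, so the short name now contradicts the resource it resolves to; it most likely comes from a kubebuilder marker in referencepolicy_types.go that this commit does not touch, and should be updated there (e.g. so the generated line reads `- refgrant`). If I recall the apiextensions naming rules correctly, short names must be unique within an API group, so on a cluster that still has the old referencepolicies.gateway.networking.k8s.io CRD installed the new CRD would fail the names check on `refpol` and never become Established — worth verifying against an upgrade from v0.4 before release. Separately, no conversion between the two kinds is provided, so once implementations switch to ReferenceGrant, existing ReferencePolicy objects authorize nothing and cross-namespace references fail closed; that is the safe direction, but it deserves an explicit migration note telling operators to create equivalent ReferenceGrants before upgrading.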
@@ -27,14 +27,14 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: "ReferencePolicy identifies kinds of resources in other namespaces + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same - namespace as the policy. \n Each ReferencePolicy can be used to represent + namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Policies can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require - a ReferencePolicy. \n Support: Core" + a ReferenceGrant. \n Support: Core" properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -49,7 +49,7 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferencePolicy. + description: Spec defines the desired state of ReferenceGrant. properties: from: description: "From describes the trusted namespaces and kinds that @@ -58,7 +58,7 @@ spec: can be valid from, or to put this another way, entries must be combined using OR. \n Support: Core" items: - description: ReferencePolicyFrom describes trusted namespaces and + description: ReferenceGrantFrom describes trusted namespaces and kinds. properties: group: @@ -98,8 +98,8 @@ spec: to, or to put this another way, entries must be combined using OR. \n Support: Core" items: - description: ReferencePolicyTo describes what Kinds are allowed - as targets of the references. + description: ReferenceGrantTo describes what Kinds are allowed as + targets of the references. properties: group: description: "Group is the group of the referent. When empty, 
diff --git a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml index 09b189ad4d..d65eacd0bf 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml @@ -170,9 +170,9 @@ spec: items: description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a - namespace is specified, a ReferencePolicy object is required + namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner - to accept the reference. See the ReferencePolicy documentation + to accept the reference. See the ReferenceGrant documentation for details." properties: group: @@ -200,10 +200,10 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferencePolicy + Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See - the ReferencePolicy documentation for details. \n Support: + the ReferenceGrant documentation for details. \n Support: Core" maxLength: 63 minLength: 1 diff --git a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml index f44b2b6ea0..6acbeca272 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml 
@@ -219,9 +219,9 @@ spec: items: description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a - namespace is specified, a ReferencePolicy object is required + namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner - to accept the reference. See the ReferencePolicy documentation + to accept the reference. See the ReferenceGrant documentation for details." properties: group: @@ -249,10 +249,10 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferencePolicy + Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See - the ReferencePolicy documentation for details. \n Support: + the ReferenceGrant documentation for details. \n Support: Core" maxLength: 63 minLength: 1 diff --git a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml index 2b94825eee..d38bd917e2 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml @@ -170,9 +170,9 @@ spec: items: description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a - namespace is specified, a ReferencePolicy object is required + namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner - to accept the reference. See the ReferencePolicy documentation + to accept the reference. See the ReferenceGrant documentation for details." properties: group: 
@@ -200,10 +200,10 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferencePolicy + Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See - the ReferencePolicy documentation for details. \n Support: + the ReferenceGrant documentation for details. \n Support: Core" maxLength: 63 minLength: 1 diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index eac5f241e1..197fc9ef9b 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -2,7 +2,7 @@ resources: - stable/gateway.networking.k8s.io_gatewayclasses.yaml - stable/gateway.networking.k8s.io_gateways.yaml - stable/gateway.networking.k8s.io_httproutes.yaml -- stable/gateway.networking.k8s.io_referencepolicies.yaml +- stable/gateway.networking.k8s.io_referencegrants.yaml - stable/gateway.networking.k8s.io_tcproutes.yaml - stable/gateway.networking.k8s.io_tlsroutes.yaml - stable/gateway.networking.k8s.io_udproutes.yaml diff --git a/config/crd/stable/gateway.networking.k8s.io_gateways.yaml b/config/crd/stable/gateway.networking.k8s.io_gateways.yaml index bf29293357..de0070c2d8 100644 --- a/config/crd/stable/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/stable/gateway.networking.k8s.io_gateways.yaml 
@@ -331,9 +331,9 @@ spec:
 MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are
- invalid UNLESS there is a ReferencePolicy in the target
+ invalid UNLESS there is a ReferenceGrant in the target
 namespace that allows the certificate to be attached.
- If a ReferencePolicy does not allow this reference, the
+ If a ReferenceGrant does not allow this reference, the
 \"ResolvedRefs\" condition MUST be set to False for this listener with the \"InvalidCertificateRef\" reason. \n This field is required to have at least one element when
@@ -378,10 +378,10 @@ spec:
 namespace:
 description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred.
- \n Note that when a namespace is specified, a ReferencePolicy
+ \n Note that when a namespace is specified, a ReferenceGrant
 object is required in the referent namespace to allow that namespace's owner to accept the reference.
- See the ReferencePolicy documentation for details.
+ See the ReferenceGrant documentation for details.
 \n Support: Core"
 maxLength: 63
 minLength: 1
diff --git a/config/crd/stable/gateway.networking.k8s.io_httproutes.yaml b/config/crd/stable/gateway.networking.k8s.io_httproutes.yaml
index 495020e794..9c5aefa395 100644
--- a/config/crd/stable/gateway.networking.k8s.io_httproutes.yaml
+++ b/config/crd/stable/gateway.networking.k8s.io_httproutes.yaml
@@ -198,7 +198,7 @@ spec:
 invalid when it refers to: \n * an unknown or unsupported kind of resource * a resource that does not exist * a resource in another namespace when the reference has not been explicitly
- allowed by a ReferencePolicy (or equivalent concept). \n When
+ allowed by a ReferenceGrant (or equivalent concept). \n When
 a BackendRef is invalid, 404 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are
@@ -385,7 +385,7 @@ spec:
 False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing*
- object that is not allowed by a ReferencePolicy,
+ object that is not allowed by a ReferenceGrant,
 the controller must ensure the \"ResolvedRefs\" \ condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason
@@ -423,10 +423,10 @@ spec:
 description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that
- when a namespace is specified, a ReferencePolicy
+ when a namespace is specified, a ReferenceGrant
 object is required in the referent namespace to allow that namespace's owner to accept
- the reference. See the ReferencePolicy
+ the reference. See the ReferenceGrant
 documentation for details. \n Support: Core"
 maxLength: 63
@@ -553,10 +553,10 @@ spec:
 namespace:
 description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n
- Note that when a namespace is specified, a ReferencePolicy
+ Note that when a namespace is specified, a ReferenceGrant
 object is required in the referent namespace to allow that namespace's owner to accept the reference. See
- the ReferencePolicy documentation for details. \n Support:
+ the ReferenceGrant documentation for details. \n Support:
 Core"
 maxLength: 63
 minLength: 1
@@ -765,7 +765,7 @@ spec:
 is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing*
- object that is not allowed by a ReferencePolicy,
+ object that is not allowed by a ReferenceGrant,
 the controller must ensure the \"ResolvedRefs\" \ condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure
@@ -801,9 +801,9 @@ spec:
 description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is
- specified, a ReferencePolicy object is required
+ specified, a ReferenceGrant object is required
 in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferencePolicy
+ owner to accept the reference. See the ReferenceGrant
 documentation for details. \n Support: Core"
 maxLength: 63
 minLength: 1
diff --git a/config/crd/stable/gateway.networking.k8s.io_referencepolicies.yaml b/config/crd/stable/gateway.networking.k8s.io_referencegrants.yaml
similarity index 90%
rename from config/crd/stable/gateway.networking.k8s.io_referencepolicies.yaml
rename to config/crd/stable/gateway.networking.k8s.io_referencegrants.yaml
index 508dfaa178..6fa5f8d280 100644
--- a/config/crd/stable/gateway.networking.k8s.io_referencepolicies.yaml
+++ b/config/crd/stable/gateway.networking.k8s.io_referencegrants.yaml
@@ -6,18 +6,18 @@ metadata:
 gateway.networking.k8s.io/bundle-version: v0.5.0-dev
 gateway.networking.k8s.io/channel: stable
 creationTimestamp: null
- name: referencepolicies.gateway.networking.k8s.io
+ name: referencegrants.gateway.networking.k8s.io
 spec:
 group: gateway.networking.k8s.io
 names:
 categories:
 - gateway-api
- kind: ReferencePolicy
- listKind: ReferencePolicyList
- plural: referencepolicies
+ kind: ReferenceGrant
+ listKind: ReferenceGrantList
+ plural: referencegrants
 shortNames:
 - refpol
- singular: referencepolicy
+ singular: referencegrant
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
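Review bot: The renamed CRD still advertises `shortNames: - refpol`, and the description hunks of the same file that follow (`@@ -27,14 +27,14 @@`) keep `in the same namespace as the policy` and `Additional Reference Policies can be used`, so the rename is incomplete on user-visible surfaces. This YAML looks generated, so the fix belongs in the kubebuilder short-name marker and the Go doc comment of the `ReferenceGrant` type it is produced from, followed by regeneration, rather than in the CRD text itself. Nothing in the patch carries existing `ReferencePolicy` objects over to the new `referencegrants.gateway.networking.k8s.io` resource, and the kustomization no longer installs the old CRD; after an upgrade, cross-namespace references that were permitted only by a `ReferencePolicy` would presumably be rejected (fail closed) until equivalent `ReferenceGrant` objects exist, which is worth stating explicitly in the release notes.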
@@ -27,14 +27,14 @@ spec:
 name: v1alpha2
 schema:
 openAPIV3Schema:
- description: "ReferencePolicy identifies kinds of resources in other namespaces
+ description: "ReferenceGrant identifies kinds of resources in other namespaces
 that are trusted to reference the specified kinds of resources in the same
- namespace as the policy. \n Each ReferencePolicy can be used to represent
+ namespace as the policy. \n Each ReferenceGrant can be used to represent
 a unique trust relationship. Additional Reference Policies can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require
- a ReferencePolicy. \n Support: Core"
+ a ReferenceGrant. \n Support: Core"
 properties:
 apiVersion:
 description: 'APIVersion defines the versioned schema of this representation
@@ -49,7 +49,7 @@ spec:
 metadata:
 type: object
 spec:
- description: Spec defines the desired state of ReferencePolicy.
+ description: Spec defines the desired state of ReferenceGrant.
 properties:
 from:
 description: "From describes the trusted namespaces and kinds that
@@ -58,7 +58,7 @@ spec:
 can be valid from, or to put this another way, entries must be combined using OR. \n Support: Core"
 items:
- description: ReferencePolicyFrom describes trusted namespaces and
+ description: ReferenceGrantFrom describes trusted namespaces and
 kinds.
 properties:
 group:
@@ -98,8 +98,8 @@ spec:
 to, or to put this another way, entries must be combined using OR. \n Support: Core"
 items:
- description: ReferencePolicyTo describes what Kinds are allowed
- as targets of the references.
+ description: ReferenceGrantTo describes what Kinds are allowed as
+ targets of the references.
 properties:
 group:
 description: "Group is the group of the referent. When empty,
diff --git a/config/crd/stable/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/stable/gateway.networking.k8s.io_tcproutes.yaml
index 20c7370797..d643b08ac7 100644
--- a/config/crd/stable/gateway.networking.k8s.io_tcproutes.yaml
+++ b/config/crd/stable/gateway.networking.k8s.io_tcproutes.yaml
@@ -144,9 +144,9 @@ spec:
 items:
 description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a
- namespace is specified, a ReferencePolicy object is required
+ namespace is specified, a ReferenceGrant object is required
 in the referent namespace to allow that namespace's owner
- to accept the reference. See the ReferencePolicy documentation
+ to accept the reference. See the ReferenceGrant documentation
 for details."
 properties:
 group:
@@ -174,10 +174,10 @@ spec:
 namespace:
 description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n
- Note that when a namespace is specified, a ReferencePolicy
+ Note that when a namespace is specified, a ReferenceGrant
 object is required in the referent namespace to allow that namespace's owner to accept the reference. See
- the ReferencePolicy documentation for details. \n Support:
+ the ReferenceGrant documentation for details. \n Support:
 Core"
 maxLength: 63
 minLength: 1
diff --git a/config/crd/stable/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/stable/gateway.networking.k8s.io_tlsroutes.yaml
index 1d2b753c81..671abd0d1a 100644
--- a/config/crd/stable/gateway.networking.k8s.io_tlsroutes.yaml
+++ b/config/crd/stable/gateway.networking.k8s.io_tlsroutes.yaml
@@ -193,9 +193,9 @@ spec:
 items:
 description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a
- namespace is specified, a ReferencePolicy object is required
+ namespace is specified, a ReferenceGrant object is required
 in the referent namespace to allow that namespace's owner
- to accept the reference. See the ReferencePolicy documentation
+ to accept the reference. See the ReferenceGrant documentation
 for details."
 properties:
 group:
@@ -223,10 +223,10 @@ spec:
 namespace:
 description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n
- Note that when a namespace is specified, a ReferencePolicy
+ Note that when a namespace is specified, a ReferenceGrant
 object is required in the referent namespace to allow that namespace's owner to accept the reference. See
- the ReferencePolicy documentation for details. \n Support:
+ the ReferenceGrant documentation for details. \n Support:
 Core"
 maxLength: 63
 minLength: 1
diff --git a/config/crd/stable/gateway.networking.k8s.io_udproutes.yaml b/config/crd/stable/gateway.networking.k8s.io_udproutes.yaml
index db0f36a4ca..80cf52e4ae 100644
--- a/config/crd/stable/gateway.networking.k8s.io_udproutes.yaml
+++ b/config/crd/stable/gateway.networking.k8s.io_udproutes.yaml
@@ -144,9 +144,9 @@ spec:
 items:
 description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a
- namespace is specified, a ReferencePolicy object is required
+ namespace is specified, a ReferenceGrant object is required
 in the referent namespace to allow that namespace's owner
- to accept the reference. See the ReferencePolicy documentation
+ to accept the reference. See the ReferenceGrant documentation
 for details."
 properties:
 group:
@@ -174,10 +174,10 @@ spec:
 namespace:
 description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n
- Note that when a namespace is specified, a ReferencePolicy
+ Note that when a namespace is specified, a ReferenceGrant
 object is required in the referent namespace to allow that namespace's owner to accept the reference. See
- the ReferencePolicy documentation for details. \n Support:
+ the ReferenceGrant documentation for details. \n Support:
 Core"
 maxLength: 63
 minLength: 1
diff --git a/conformance/conformance_test.go b/conformance/conformance_test.go
index 707936424d..e5a1a52ca8 100644
--- a/conformance/conformance_test.go
+++ b/conformance/conformance_test.go
@@ -49,7 +49,7 @@ func TestConformance(t *testing.T) {
 Debug: *flags.ShowDebug,
 CleanupBaseResources: *flags.CleanupBaseResources,
 SupportedFeatures: []suite.SupportedFeature{
- suite.SupportReferencePolicy,
+ suite.SupportReferenceGrant,
 },
 })
 cSuite.Setup(t)
diff --git a/conformance/tests/httproute-invalid-cross-namespace-backend-ref.go b/conformance/tests/httproute-invalid-cross-namespace-backend-ref.go
index 17316e719f..37ab26f668 100644
--- a/conformance/tests/httproute-invalid-cross-namespace-backend-ref.go
+++ b/conformance/tests/httproute-invalid-cross-namespace-backend-ref.go
@@ -33,9 +33,9 @@ func init() {
 var HTTPRouteInvalidCrossNamespaceBackendRef = suite.ConformanceTest{
 ShortName: "HTTPRouteInvalidCrossNamespaceBackendRef",
- Description: "A single HTTPRoute in the gateway-conformance-infra namespace should set a ResolvedRefs status False with reason RefNotPermitted when attempting to bind to a Gateway in the same namespace if the route has a BackendRef Service in the gateway-conformance-web-backend namespace and a ReferencePolicy granting permission to route to that Service does not exist",
+ Description: "A single HTTPRoute in the gateway-conformance-infra namespace should set a ResolvedRefs status False with reason RefNotPermitted when attempting to bind to a Gateway in the same namespace if the route has a BackendRef Service in the gateway-conformance-web-backend namespace and a ReferenceGrant granting permission to route to that Service does not exist",
 Exemptions: []suite.ExemptFeature{
- suite.ExemptReferencePolicy,
+ suite.ExemptReferenceGrant,
 },
 Manifests: []string{"tests/httproute-invalid-cross-namespace-backend-ref.yaml"},
 Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
diff --git a/conformance/tests/httproute-invalid-reference-policy.go b/conformance/tests/httproute-invalid-reference-policy.go
index 9fb72a207d..79081411f6 100644
--- a/conformance/tests/httproute-invalid-reference-policy.go
+++ b/conformance/tests/httproute-invalid-reference-policy.go
@@ -29,18 +29,18 @@ import (
 )
 func init() {
- ConformanceTests = append(ConformanceTests, HTTPRouteInvalidReferencePolicy)
+ ConformanceTests = append(ConformanceTests, HTTPRouteInvalidReferenceGrant)
 }
-var HTTPRouteInvalidReferencePolicy = suite.ConformanceTest{
- ShortName: "HTTPRouteInvalidReferencePolicy",
- Description: "A single HTTPRoute in the gateway-conformance-infra namespace should fail to attach to a Gateway in the same namespace if the route has a backendRef Service in the gateway-conformance-app-backend namespace and a ReferencePolicy exists but does not grant permission to route to that specific Service",
+var HTTPRouteInvalidReferenceGrant = suite.ConformanceTest{
+ ShortName: "HTTPRouteInvalidReferenceGrant",
+ Description: "A single HTTPRoute in the gateway-conformance-infra namespace should fail to attach to a Gateway in the same namespace if the route has a backendRef Service in the gateway-conformance-app-backend namespace and a ReferenceGrant exists but does not grant permission to route to that specific Service",
 Features: []suite.SupportedFeature{
- suite.SupportReferencePolicy,
+ suite.SupportReferenceGrant,
 },
- Manifests: []string{"tests/httproute-invalid-reference-policy.yaml"},
+ Manifests: []string{"tests/httproute-invalid-reference-grant.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
- routeNN := types.NamespacedName{Name: "invalid-reference-policy", Namespace: "gateway-conformance-infra"}
+ routeNN := types.NamespacedName{Name: "invalid-reference-grant", Namespace: "gateway-conformance-infra"}
 gwNN := types.NamespacedName{Name: "same-namespace", Namespace: "gateway-conformance-infra"}
 ns := v1alpha2.Namespace(gwNN.Namespace)
diff --git a/conformance/tests/httproute-invalid-reference-policy.yaml b/conformance/tests/httproute-invalid-reference-policy.yaml
index 9817fa2db6..144109a288 100644
--- a/conformance/tests/httproute-invalid-reference-policy.yaml
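Review bot: `Manifests` now points at `tests/httproute-invalid-reference-grant.yaml`, but the manifest edited later in this patch keeps its old path `conformance/tests/httproute-invalid-reference-policy.yaml` (it is modified in place, not renamed), so the suite will presumably fail to find the manifest when it runs this test. The same mismatch appears in the `HTTPRouteReferenceGrant` hunk, which switches to `tests/httproute-reference-grant.yaml` while `conformance/tests/httproute-reference-policy.yaml` is also only modified in place. Either rename both YAML files (and, for consistency, the two `.go` files) to the `-grant` names, or leave the two `Manifests` entries at their `-policy` paths. The `Test` func of the `HTTPRouteInvalidReferenceGrant` declaration continues past the end of the hunk.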
+++ b/conformance/tests/httproute-invalid-reference-policy.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: ReferencePolicy
+kind: ReferenceGrant
 metadata:
- name: invalid-reference-policy
+ name: invalid-reference-grant
 namespace: gateway-conformance-app-backend
 spec:
 from:
@@ -16,7 +16,7 @@ spec:
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: HTTPRoute
 metadata:
- name: invalid-reference-policy
+ name: invalid-reference-grant
 namespace: gateway-conformance-infra
 spec:
 parentRefs:
diff --git a/conformance/tests/httproute-reference-policy.go b/conformance/tests/httproute-reference-policy.go
index b60c996513..50f720c6c7 100644
--- a/conformance/tests/httproute-reference-policy.go
+++ b/conformance/tests/httproute-reference-policy.go
@@ -27,18 +27,18 @@ import (
 )
 func init() {
- ConformanceTests = append(ConformanceTests, HTTPRouteReferencePolicy)
+ ConformanceTests = append(ConformanceTests, HTTPRouteReferenceGrant)
 }
-var HTTPRouteReferencePolicy = suite.ConformanceTest{
- ShortName: "HTTPRouteReferencePolicy",
+var HTTPRouteReferenceGrant = suite.ConformanceTest{
+ ShortName: "HTTPRouteReferenceGrant",
 Description: "A single HTTPRoute in the gateway-conformance-infra namespace, with a backendRef in the gateway-conformance-web-backend namespace, should attach to Gateway in the gateway-conformance-infra namespace",
 Features: []suite.SupportedFeature{
- suite.SupportReferencePolicy,
+ suite.SupportReferenceGrant,
 },
- Manifests: []string{"tests/httproute-reference-policy.yaml"},
+ Manifests: []string{"tests/httproute-reference-grant.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
- routeNN := types.NamespacedName{Name: "reference-policy", Namespace: "gateway-conformance-infra"}
+ routeNN := types.NamespacedName{Name: "reference-grant", Namespace: "gateway-conformance-infra"}
 gwNN := types.NamespacedName{Name: "same-namespace", Namespace: "gateway-conformance-infra"}
 gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeReady(t, s.Client, s.ControllerName, gwNN, routeNN)
diff --git a/conformance/tests/httproute-reference-policy.yaml b/conformance/tests/httproute-reference-policy.yaml
index 8ccd4e3e9c..6dbbd273c4 100644
--- a/conformance/tests/httproute-reference-policy.yaml
+++ b/conformance/tests/httproute-reference-policy.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: ReferencePolicy
+kind: ReferenceGrant
 metadata:
- name: reference-policy
+ name: reference-grant
 namespace: gateway-conformance-web-backend
 spec:
 from:
@@ -16,7 +16,7 @@ spec:
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: HTTPRoute
 metadata:
- name: reference-policy
+ name: reference-grant
 namespace: gateway-conformance-infra
 spec:
 parentRefs:
diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go
index 5950a270df..a1295c2ad5 100644
--- a/conformance/utils/suite/suite.go
+++ b/conformance/utils/suite/suite.go
@@ -33,9 +33,9 @@ type ExemptFeature string
 const (
 // This option indicates the implementation is exempting itself from the
- // requirement of a ReferencePolicy to allow cross-namesapce references,
+ // requirement of a ReferenceGrant to allow cross-namesapce references,
 // and has instead implemented alternative safeguards.
- ExemptReferencePolicy ExemptFeature = "ReferencePolicy"
+ ExemptReferenceGrant ExemptFeature = "ReferenceGrant"
 )
 // SupportedFeature allows opting in to additional conformance tests at an
@@ -43,8 +43,8 @@ const (
 type SupportedFeature string
 const (
- // This option indicates support for the ReferencePolicy object.
- SupportReferencePolicy SupportedFeature = "ReferencePolicy"
+ // This option indicates support for the ReferenceGrant object.
+ SupportReferenceGrant SupportedFeature = "ReferenceGrant"
 )
 // ConformanceTestSuite defines the test suite used to run Gateway API
diff --git a/examples/v1alpha2/reference-policy.yaml b/examples/v1alpha2/reference-grant.yaml
similarity index 93%
rename from examples/v1alpha2/reference-policy.yaml
rename to examples/v1alpha2/reference-grant.yaml
index ed7d118f93..1c0d71b12b 100644
--- a/examples/v1alpha2/reference-policy.yaml
+++ b/examples/v1alpha2/reference-grant.yaml
@@ -2,7 +2,7 @@
 ## - site-src/concepts/security-model.md
 ## - site-src/blog/2021/introducing-v1alpha2.md
 apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: ReferencePolicy
+kind: ReferenceGrant
 metadata:
 name: allow-prod-traffic
 spec:
diff --git a/examples/v1alpha2/tls-cert-cross-namespace.yaml b/examples/v1alpha2/tls-cert-cross-namespace.yaml
index b2b87ace88..156fa42b7d 100644
--- a/examples/v1alpha2/tls-cert-cross-namespace.yaml
+++ b/examples/v1alpha2/tls-cert-cross-namespace.yaml
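Review bot: The rewritten comment line still carries the typo `cross-namesapce`; since the line is being touched anyway it should read `// requirement of a ReferenceGrant to allow cross-namespace references,`. The string values behind `ExemptReferenceGrant` and `SupportReferenceGrant` also change from `"ReferencePolicy"` to `"ReferenceGrant"`, so any implementation that selects these features by string (for example from a command-line flag) rather than through the Go constants would silently stop matching; I cannot tell from this hunk whether such a path exists, but the commit message should call out the value change either way.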
@@ -20,7 +20,7 @@ spec:
 namespace: gateway-api-example-ns2
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: ReferencePolicy
+kind: ReferenceGrant
 metadata:
 name: allow-ns1-gateways-to-ref-secrets
 namespace: gateway-api-example-ns2
diff --git a/hack/invalid-examples/v1alpha2/referencepolicy/missing-from.yaml b/hack/invalid-examples/v1alpha2/referencegrant/missing-from.yaml
similarity index 84%
rename from hack/invalid-examples/v1alpha2/referencepolicy/missing-from.yaml
rename to hack/invalid-examples/v1alpha2/referencegrant/missing-from.yaml
index 628a70d850..928c17b41c 100644
--- a/hack/invalid-examples/v1alpha2/referencepolicy/missing-from.yaml
+++ b/hack/invalid-examples/v1alpha2/referencegrant/missing-from.yaml
@@ -1,5 +1,5 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: ReferencePolicy
+kind: ReferenceGrant
 metadata:
 name: missing-from
 spec:
diff --git a/hack/invalid-examples/v1alpha2/referencepolicy/missing-ns.yaml b/hack/invalid-examples/v1alpha2/referencegrant/missing-ns.yaml
similarity index 89%
rename from hack/invalid-examples/v1alpha2/referencepolicy/missing-ns.yaml
rename to hack/invalid-examples/v1alpha2/referencegrant/missing-ns.yaml
index cb681340ea..9619f3730e 100644
--- a/hack/invalid-examples/v1alpha2/referencepolicy/missing-ns.yaml
+++ b/hack/invalid-examples/v1alpha2/referencegrant/missing-ns.yaml
@@ -1,5 +1,5 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: ReferencePolicy
+kind: ReferenceGrant
 metadata:
 name: missing-ns
 spec:
diff --git a/hack/invalid-examples/v1alpha2/referencepolicy/missing-to.yaml b/hack/invalid-examples/v1alpha2/referencegrant/missing-to.yaml
similarity index 87%
rename from hack/invalid-examples/v1alpha2/referencepolicy/missing-to.yaml
rename to hack/invalid-examples/v1alpha2/referencegrant/missing-to.yaml
index df8a8eabf0..b5ce8c54ba 100644
--- a/hack/invalid-examples/v1alpha2/referencepolicy/missing-to.yaml
+++ b/hack/invalid-examples/v1alpha2/referencegrant/missing-to.yaml
@@ -1,5 +1,5 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: ReferencePolicy
+kind: ReferenceGrant
 metadata:
 name: missing-to
 spec:
diff --git a/mkdocs.yml b/mkdocs.yml
index 1d66a814c8..737d577ea0 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -67,7 +67,7 @@ nav:
 GatewayClass: v1alpha2/api-types/gatewayclass.md
 Gateway: v1alpha2/api-types/gateway.md
 HTTPRoute: v1alpha2/api-types/httproute.md
- ReferencePolicy: v1alpha2/api-types/referencepolicy.md
+ ReferenceGrant: v1alpha2/api-types/referencegrant.md
 - API specification: v1alpha2/references/spec.md
 - Policy Attachment: v1alpha2/references/policy-attachment.md
 - v1alpha1:
diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go
index 05747312a8..604504621f 100644
--- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go
+++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/apis_client.go
@@ -29,7 +29,7 @@ type GatewayV1alpha2Interface interface {
 GatewaysGetter
 GatewayClassesGetter
 HTTPRoutesGetter
- ReferencePoliciesGetter
+ ReferenceGrantsGetter
 TCPRoutesGetter
 TLSRoutesGetter
 UDPRoutesGetter
@@ -52,8 +52,8 @@ func (c *GatewayV1alpha2Client) HTTPRoutes(namespace string) HTTPRouteInterface
 return newHTTPRoutes(c, namespace)
 }
-func (c *GatewayV1alpha2Client) ReferencePolicies(namespace string) ReferencePolicyInterface {
- return newReferencePolicies(c, namespace)
+func (c *GatewayV1alpha2Client) ReferenceGrants(namespace string) ReferenceGrantInterface {
+ return newReferenceGrants(c, namespace)
 }
 func (c *GatewayV1alpha2Client) TCPRoutes(namespace string) TCPRouteInterface {
diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go
index 4bed16a91f..f1e58b0b02 100644
--- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go
+++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_apis_client.go
@@ -40,8 +40,8 @@ func (c *FakeGatewayV1alpha2) HTTPRoutes(namespace string) v1alpha2.HTTPRouteInt
 return &FakeHTTPRoutes{c, namespace}
 }
-func (c *FakeGatewayV1alpha2) ReferencePolicies(namespace string) v1alpha2.ReferencePolicyInterface {
- return &FakeReferencePolicies{c, namespace}
+func (c *FakeGatewayV1alpha2) ReferenceGrants(namespace string) v1alpha2.ReferenceGrantInterface {
+ return &FakeReferenceGrants{c, namespace}
 }
 func (c *FakeGatewayV1alpha2) TCPRoutes(namespace string) v1alpha2.TCPRouteInterface {
diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencegrant.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencegrant.go
new file mode 100644
index 0000000000..7c4c5b6c5d
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencegrant.go
@@ -0,0 +1,130 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+ "context"
+
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ labels "k8s.io/apimachinery/pkg/labels"
+ schema "k8s.io/apimachinery/pkg/runtime/schema"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ testing "k8s.io/client-go/testing"
+ v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+// FakeReferenceGrants implements ReferenceGrantInterface
+type FakeReferenceGrants struct {
+ Fake *FakeGatewayV1alpha2
+ ns string
+}
+
+var referencegrantsResource = schema.GroupVersionResource{Group: "gateway.networking.k8s.io", Version: "v1alpha2", Resource: "referencegrants"}
+
+var referencegrantsKind = schema.GroupVersionKind{Group: "gateway.networking.k8s.io", Version: "v1alpha2", Kind: "ReferenceGrant"}
+
+// Get takes name of the referenceGrant, and returns the corresponding referenceGrant object, and an error if there is any.
+func (c *FakeReferenceGrants) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ReferenceGrant, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewGetAction(referencegrantsResource, c.ns, name), &v1alpha2.ReferenceGrant{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha2.ReferenceGrant), err
+}
+
+// List takes label and field selectors, and returns the list of ReferenceGrants that match those selectors.
+func (c *FakeReferenceGrants) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ReferenceGrantList, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewListAction(referencegrantsResource, referencegrantsKind, c.ns, opts), &v1alpha2.ReferenceGrantList{})
+
+ if obj == nil {
+ return nil, err
+ }
+
+ label, _, _ := testing.ExtractFromListOptions(opts)
+ if label == nil {
+ label = labels.Everything()
+ }
+ list := &v1alpha2.ReferenceGrantList{ListMeta: obj.(*v1alpha2.ReferenceGrantList).ListMeta}
+ for _, item := range obj.(*v1alpha2.ReferenceGrantList).Items {
+ if label.Matches(labels.Set(item.Labels)) {
+ list.Items = append(list.Items, item)
+ }
+ }
+ return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested referenceGrants.
+func (c *FakeReferenceGrants) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ return c.Fake.
+ InvokesWatch(testing.NewWatchAction(referencegrantsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a referenceGrant and creates it. Returns the server's representation of the referenceGrant, and an error, if there is any.
+func (c *FakeReferenceGrants) Create(ctx context.Context, referenceGrant *v1alpha2.ReferenceGrant, opts v1.CreateOptions) (result *v1alpha2.ReferenceGrant, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewCreateAction(referencegrantsResource, c.ns, referenceGrant), &v1alpha2.ReferenceGrant{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha2.ReferenceGrant), err
+}
+
+// Update takes the representation of a referenceGrant and updates it. Returns the server's representation of the referenceGrant, and an error, if there is any.
+func (c *FakeReferenceGrants) Update(ctx context.Context, referenceGrant *v1alpha2.ReferenceGrant, opts v1.UpdateOptions) (result *v1alpha2.ReferenceGrant, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewUpdateAction(referencegrantsResource, c.ns, referenceGrant), &v1alpha2.ReferenceGrant{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha2.ReferenceGrant), err
+}
+
+// Delete takes name of the referenceGrant and deletes it. Returns an error if one occurs.
+func (c *FakeReferenceGrants) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ _, err := c.Fake.
+ Invokes(testing.NewDeleteAction(referencegrantsResource, c.ns, name), &v1alpha2.ReferenceGrant{})
+
+ return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeReferenceGrants) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ action := testing.NewDeleteCollectionAction(referencegrantsResource, c.ns, listOpts)
+
+ _, err := c.Fake.Invokes(action, &v1alpha2.ReferenceGrantList{})
+ return err
+}
+
+// Patch applies the patch and returns the patched referenceGrant.
+func (c *FakeReferenceGrants) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferenceGrant, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewPatchSubresourceAction(referencegrantsResource, c.ns, name, pt, data, subresources...), &v1alpha2.ReferenceGrant{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha2.ReferenceGrant), err
+}
diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencepolicy.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencepolicy.go
deleted file mode 100644
index 414a985f2c..0000000000
--- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/fake/fake_referencepolicy.go
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- "context"
-
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- labels "k8s.io/apimachinery/pkg/labels"
- schema "k8s.io/apimachinery/pkg/runtime/schema"
- types "k8s.io/apimachinery/pkg/types"
- watch "k8s.io/apimachinery/pkg/watch"
- testing "k8s.io/client-go/testing"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-)
-
-// FakeReferencePolicies implements ReferencePolicyInterface
-type FakeReferencePolicies struct {
- Fake *FakeGatewayV1alpha2
- ns string
-}
-
-var referencepoliciesResource = schema.GroupVersionResource{Group: "gateway.networking.k8s.io", Version: "v1alpha2", Resource: "referencepolicies"}
-
-var referencepoliciesKind = schema.GroupVersionKind{Group: "gateway.networking.k8s.io", Version: "v1alpha2", Kind: "ReferencePolicy"}
-
-// Get takes name of the referencePolicy, and returns the corresponding referencePolicy object, and an error if there is any.
-func (c *FakeReferencePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ReferencePolicy, err error) {
- obj, err := c.Fake.
- Invokes(testing.NewGetAction(referencepoliciesResource, c.ns, name), &v1alpha2.ReferencePolicy{})
-
- if obj == nil {
- return nil, err
- }
- return obj.(*v1alpha2.ReferencePolicy), err
-}
-
-// List takes label and field selectors, and returns the list of ReferencePolicies that match those selectors.
-func (c *FakeReferencePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ReferencePolicyList, err error) {
- obj, err := c.Fake.
- Invokes(testing.NewListAction(referencepoliciesResource, referencepoliciesKind, c.ns, opts), &v1alpha2.ReferencePolicyList{})
-
- if obj == nil {
- return nil, err
- }
-
- label, _, _ := testing.ExtractFromListOptions(opts)
- if label == nil {
- label = labels.Everything()
- }
- list := &v1alpha2.ReferencePolicyList{ListMeta: obj.(*v1alpha2.ReferencePolicyList).ListMeta}
- for _, item := range obj.(*v1alpha2.ReferencePolicyList).Items {
- if label.Matches(labels.Set(item.Labels)) {
- list.Items = append(list.Items, item)
- }
- }
- return list, err
-}
-
-// Watch returns a watch.Interface that watches the requested referencePolicies.
-func (c *FakeReferencePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
- return c.Fake.
- InvokesWatch(testing.NewWatchAction(referencepoliciesResource, c.ns, opts))
-
-}
-
-// Create takes the representation of a referencePolicy and creates it. Returns the server's representation of the referencePolicy, and an error, if there is any.
-func (c *FakeReferencePolicies) Create(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.CreateOptions) (result *v1alpha2.ReferencePolicy, err error) {
- obj, err := c.Fake.
- Invokes(testing.NewCreateAction(referencepoliciesResource, c.ns, referencePolicy), &v1alpha2.ReferencePolicy{})
-
- if obj == nil {
- return nil, err
- }
- return obj.(*v1alpha2.ReferencePolicy), err
-}
-
-// Update takes the representation of a referencePolicy and updates it. Returns the server's representation of the referencePolicy, and an error, if there is any.
-func (c *FakeReferencePolicies) Update(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.UpdateOptions) (result *v1alpha2.ReferencePolicy, err error) {
- obj, err := c.Fake.
- Invokes(testing.NewUpdateAction(referencepoliciesResource, c.ns, referencePolicy), &v1alpha2.ReferencePolicy{})
-
- if obj == nil {
- return nil, err
- }
- return obj.(*v1alpha2.ReferencePolicy), err
-}
-
-// Delete takes name of the referencePolicy and deletes it. Returns an error if one occurs.
-func (c *FakeReferencePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
- _, err := c.Fake.
- Invokes(testing.NewDeleteAction(referencepoliciesResource, c.ns, name), &v1alpha2.ReferencePolicy{})
-
- return err
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *FakeReferencePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
- action := testing.NewDeleteCollectionAction(referencepoliciesResource, c.ns, listOpts)
-
- _, err := c.Fake.Invokes(action, &v1alpha2.ReferencePolicyList{})
- return err
-}
-
-// Patch applies the patch and returns the patched referencePolicy.
-func (c *FakeReferencePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferencePolicy, err error) {
- obj, err := c.Fake.
- Invokes(testing.NewPatchSubresourceAction(referencepoliciesResource, c.ns, name, pt, data, subresources...), &v1alpha2.ReferencePolicy{})
-
- if obj == nil {
- return nil, err
- }
- return obj.(*v1alpha2.ReferencePolicy), err
-}
diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go
index bf9c1d9718..96b653b9d5 100644
--- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go
+++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/generated_expansion.go @@ -24,7 +24,7 @@ type GatewayClassExpansion interface{} type HTTPRouteExpansion interface{} -type ReferencePolicyExpansion interface{} +type ReferenceGrantExpansion interface{} type TCPRouteExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/apis/v1alpha2/referencepolicy.go b/pkg/client/clientset/versioned/typed/apis/v1alpha2/referencegrant.go similarity index 50% rename from pkg/client/clientset/versioned/typed/apis/v1alpha2/referencepolicy.go rename to pkg/client/clientset/versioned/typed/apis/v1alpha2/referencegrant.go index f3e784c417..954fb6a248 100644 --- a/pkg/client/clientset/versioned/typed/apis/v1alpha2/referencepolicy.go +++ b/pkg/client/clientset/versioned/typed/apis/v1alpha2/referencegrant.go 
@@ -30,45 +30,45 @@ import ( scheme "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/scheme" ) -// ReferencePoliciesGetter has a method to return a ReferencePolicyInterface. +// ReferenceGrantsGetter has a method to return a ReferenceGrantInterface. // A group's client should implement this interface. -type ReferencePoliciesGetter interface { - ReferencePolicies(namespace string) ReferencePolicyInterface +type ReferenceGrantsGetter interface { + ReferenceGrants(namespace string) ReferenceGrantInterface } -// ReferencePolicyInterface has methods to work with ReferencePolicy resources. -type ReferencePolicyInterface interface { - Create(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.CreateOptions) (*v1alpha2.ReferencePolicy, error) - Update(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.UpdateOptions) (*v1alpha2.ReferencePolicy, error) +// ReferenceGrantInterface has methods to work with ReferenceGrant resources. +type ReferenceGrantInterface interface { + Create(ctx context.Context, referenceGrant *v1alpha2.ReferenceGrant, opts v1.CreateOptions) (*v1alpha2.ReferenceGrant, error) + Update(ctx context.Context, referenceGrant *v1alpha2.ReferenceGrant, opts v1.UpdateOptions) (*v1alpha2.ReferenceGrant, error) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error - Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha2.ReferencePolicy, error) - List(ctx context.Context, opts v1.ListOptions) (*v1alpha2.ReferencePolicyList, error) + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha2.ReferenceGrant, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha2.ReferenceGrantList, error) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) - Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha2.ReferencePolicy, err error) - ReferencePolicyExpansion + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferenceGrant, err error) + ReferenceGrantExpansion } -// referencePolicies implements ReferencePolicyInterface -type referencePolicies struct { +// referenceGrants implements ReferenceGrantInterface +type referenceGrants struct { client rest.Interface ns string } -// newReferencePolicies returns a ReferencePolicies -func newReferencePolicies(c *GatewayV1alpha2Client, namespace string) *referencePolicies { - return &referencePolicies{ +// newReferenceGrants returns a ReferenceGrants +func newReferenceGrants(c *GatewayV1alpha2Client, namespace string) *referenceGrants { + return &referenceGrants{ client: c.RESTClient(), ns: namespace, } } -// Get takes name of the referencePolicy, and returns the corresponding referencePolicy object, and an error if there is any. -func (c *referencePolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ReferencePolicy, err error) { - result = &v1alpha2.ReferencePolicy{} +// Get takes name of the referenceGrant, and returns the corresponding referenceGrant object, and an error if there is any. +func (c *referenceGrants) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha2.ReferenceGrant, err error) { + result = &v1alpha2.ReferenceGrant{} err = c.client.Get(). Namespace(c.ns). - Resource("referencepolicies"). + Resource("referencegrants"). Name(name). VersionedParams(&options, scheme.ParameterCodec). Do(ctx). 
@@ -76,16 +76,16 @@ func (c *referencePolicies) Get(ctx context.Context, name string, options v1.Get return } -// List takes label and field selectors, and returns the list of ReferencePolicies that match those selectors. -func (c *referencePolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ReferencePolicyList, err error) { +// List takes label and field selectors, and returns the list of ReferenceGrants that match those selectors. +func (c *referenceGrants) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha2.ReferenceGrantList, err error) { var timeout time.Duration if opts.TimeoutSeconds != nil { timeout = time.Duration(*opts.TimeoutSeconds) * time.Second } - result = &v1alpha2.ReferencePolicyList{} + result = &v1alpha2.ReferenceGrantList{} err = c.client.Get(). Namespace(c.ns). - Resource("referencepolicies"). + Resource("referencegrants"). VersionedParams(&opts, scheme.ParameterCodec). Timeout(timeout). Do(ctx). @@ -93,8 +93,8 @@ func (c *referencePolicies) List(ctx context.Context, opts v1.ListOptions) (resu return } -// Watch returns a watch.Interface that watches the requested referencePolicies. -func (c *referencePolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { +// Watch returns a watch.Interface that watches the requested referenceGrants. +func (c *referenceGrants) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { var timeout time.Duration if opts.TimeoutSeconds != nil { timeout = time.Duration(*opts.TimeoutSeconds) * time.Second 
@@ -102,44 +102,44 @@ func (c *referencePolicies) Watch(ctx context.Context, opts v1.ListOptions) (wat opts.Watch = true return c.client.Get(). Namespace(c.ns). - Resource("referencepolicies"). + Resource("referencegrants"). VersionedParams(&opts, scheme.ParameterCodec). Timeout(timeout). Watch(ctx) } -// Create takes the representation of a referencePolicy and creates it. Returns the server's representation of the referencePolicy, and an error, if there is any. -func (c *referencePolicies) Create(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.CreateOptions) (result *v1alpha2.ReferencePolicy, err error) { - result = &v1alpha2.ReferencePolicy{} +// Create takes the representation of a referenceGrant and creates it. Returns the server's representation of the referenceGrant, and an error, if there is any. +func (c *referenceGrants) Create(ctx context.Context, referenceGrant *v1alpha2.ReferenceGrant, opts v1.CreateOptions) (result *v1alpha2.ReferenceGrant, err error) { + result = &v1alpha2.ReferenceGrant{} err = c.client.Post(). Namespace(c.ns). - Resource("referencepolicies"). + Resource("referencegrants"). VersionedParams(&opts, scheme.ParameterCodec). - Body(referencePolicy). + Body(referenceGrant). Do(ctx). Into(result) return } -// Update takes the representation of a referencePolicy and updates it. Returns the server's representation of the referencePolicy, and an error, if there is any. -func (c *referencePolicies) Update(ctx context.Context, referencePolicy *v1alpha2.ReferencePolicy, opts v1.UpdateOptions) (result *v1alpha2.ReferencePolicy, err error) { - result = &v1alpha2.ReferencePolicy{} +// Update takes the representation of a referenceGrant and updates it. Returns the server's representation of the referenceGrant, and an error, if there is any. 
+func (c *referenceGrants) Update(ctx context.Context, referenceGrant *v1alpha2.ReferenceGrant, opts v1.UpdateOptions) (result *v1alpha2.ReferenceGrant, err error) { + result = &v1alpha2.ReferenceGrant{} err = c.client.Put(). Namespace(c.ns). - Resource("referencepolicies"). - Name(referencePolicy.Name). + Resource("referencegrants"). + Name(referenceGrant.Name). VersionedParams(&opts, scheme.ParameterCodec). - Body(referencePolicy). + Body(referenceGrant). Do(ctx). Into(result) return } -// Delete takes name of the referencePolicy and deletes it. Returns an error if one occurs. -func (c *referencePolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { +// Delete takes name of the referenceGrant and deletes it. Returns an error if one occurs. +func (c *referenceGrants) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { return c.client.Delete(). Namespace(c.ns). - Resource("referencepolicies"). + Resource("referencegrants"). Name(name). Body(&opts). Do(ctx). @@ -147,14 +147,14 @@ func (c *referencePolicies) Delete(ctx context.Context, name string, opts v1.Del } // DeleteCollection deletes a collection of objects. -func (c *referencePolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { +func (c *referenceGrants) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { var timeout time.Duration if listOpts.TimeoutSeconds != nil { timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second } return c.client.Delete(). Namespace(c.ns). - Resource("referencepolicies"). + Resource("referencegrants"). VersionedParams(&listOpts, scheme.ParameterCodec). Timeout(timeout). Body(&opts). 
@@ -162,12 +162,12 @@ func (c *referencePolicies) DeleteCollection(ctx context.Context, opts v1.Delete Error() } -// Patch applies the patch and returns the patched referencePolicy. -func (c *referencePolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferencePolicy, err error) { - result = &v1alpha2.ReferencePolicy{} +// Patch applies the patch and returns the patched referenceGrant. +func (c *referenceGrants) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha2.ReferenceGrant, err error) { + result = &v1alpha2.ReferenceGrant{} err = c.client.Patch(pt). Namespace(c.ns). - Resource("referencepolicies"). + Resource("referencegrants"). Name(name). SubResource(subresources...). VersionedParams(&opts, scheme.ParameterCodec). diff --git a/pkg/client/informers/externalversions/apis/v1alpha2/interface.go b/pkg/client/informers/externalversions/apis/v1alpha2/interface.go index 76943afe23..6f7f716d52 100644 --- a/pkg/client/informers/externalversions/apis/v1alpha2/interface.go +++ b/pkg/client/informers/externalversions/apis/v1alpha2/interface.go @@ -30,8 +30,8 @@ type Interface interface { GatewayClasses() GatewayClassInformer // HTTPRoutes returns a HTTPRouteInformer. HTTPRoutes() HTTPRouteInformer - // ReferencePolicies returns a ReferencePolicyInformer. - ReferencePolicies() ReferencePolicyInformer + // ReferenceGrants returns a ReferenceGrantInformer. + ReferenceGrants() ReferenceGrantInformer // TCPRoutes returns a TCPRouteInformer. TCPRoutes() TCPRouteInformer // TLSRoutes returns a TLSRouteInformer. 
@@ -66,9 +66,9 @@ func (v *version) HTTPRoutes() HTTPRouteInformer { return &hTTPRouteInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } -// ReferencePolicies returns a ReferencePolicyInformer. -func (v *version) ReferencePolicies() ReferencePolicyInformer { - return &referencePolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +// ReferenceGrants returns a ReferenceGrantInformer. +func (v *version) ReferenceGrants() ReferenceGrantInformer { + return &referenceGrantInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } // TCPRoutes returns a TCPRouteInformer. diff --git a/pkg/client/informers/externalversions/apis/v1alpha2/referencepolicy.go b/pkg/client/informers/externalversions/apis/v1alpha2/referencegrant.go similarity index 55% rename from pkg/client/informers/externalversions/apis/v1alpha2/referencepolicy.go rename to pkg/client/informers/externalversions/apis/v1alpha2/referencegrant.go index 08e1551d2d..d7a91c434c 100644 --- a/pkg/client/informers/externalversions/apis/v1alpha2/referencepolicy.go +++ b/pkg/client/informers/externalversions/apis/v1alpha2/referencegrant.go 
@@ -32,59 +32,59 @@ import ( v1alpha2 "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1alpha2" ) -// ReferencePolicyInformer provides access to a shared informer and lister for -// ReferencePolicies. -type ReferencePolicyInformer interface { +// ReferenceGrantInformer provides access to a shared informer and lister for +// ReferenceGrants. +type ReferenceGrantInformer interface { Informer() cache.SharedIndexInformer - Lister() v1alpha2.ReferencePolicyLister + Lister() v1alpha2.ReferenceGrantLister } -type referencePolicyInformer struct { +type referenceGrantInformer struct { factory internalinterfaces.SharedInformerFactory tweakListOptions internalinterfaces.TweakListOptionsFunc namespace string } -// NewReferencePolicyInformer constructs a new informer for ReferencePolicy type. +// NewReferenceGrantInformer constructs a new informer for ReferenceGrant type. // Always prefer using an informer factory to get a shared informer instead of getting an independent // one. This reduces memory footprint and number of connections to the server. -func NewReferencePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { - return NewFilteredReferencePolicyInformer(client, namespace, resyncPeriod, indexers, nil) +func NewReferenceGrantInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredReferenceGrantInformer(client, namespace, resyncPeriod, indexers, nil) } -// NewFilteredReferencePolicyInformer constructs a new informer for ReferencePolicy type. +// NewFilteredReferenceGrantInformer constructs a new informer for ReferenceGrant type. // Always prefer using an informer factory to get a shared informer instead of getting an independent // one. This reduces memory footprint and number of connections to the server. 
-func NewFilteredReferencePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { +func NewFilteredReferenceGrantInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { return cache.NewSharedIndexInformer( &cache.ListWatch{ ListFunc: func(options v1.ListOptions) (runtime.Object, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.GatewayV1alpha2().ReferencePolicies(namespace).List(context.TODO(), options) + return client.GatewayV1alpha2().ReferenceGrants(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.GatewayV1alpha2().ReferencePolicies(namespace).Watch(context.TODO(), options) + return client.GatewayV1alpha2().ReferenceGrants(namespace).Watch(context.TODO(), options) }, }, - &apisv1alpha2.ReferencePolicy{}, + &apisv1alpha2.ReferenceGrant{}, resyncPeriod, indexers, ) } -func (f *referencePolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { - return NewFilteredReferencePolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +func (f *referenceGrantInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredReferenceGrantInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) } -func (f *referencePolicyInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&apisv1alpha2.ReferencePolicy{}, f.defaultInformer) +func (f 
*referenceGrantInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apisv1alpha2.ReferenceGrant{}, f.defaultInformer) } -func (f *referencePolicyInformer) Lister() v1alpha2.ReferencePolicyLister { - return v1alpha2.NewReferencePolicyLister(f.Informer().GetIndexer()) +func (f *referenceGrantInformer) Lister() v1alpha2.ReferenceGrantLister { + return v1alpha2.NewReferenceGrantLister(f.Informer().GetIndexer()) } diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index 9caba89b7a..6f17f4f85f 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -59,8 +59,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().GatewayClasses().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("httproutes"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().HTTPRoutes().Informer()}, nil - case v1alpha2.SchemeGroupVersion.WithResource("referencepolicies"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().ReferencePolicies().Informer()}, nil + case v1alpha2.SchemeGroupVersion.WithResource("referencegrants"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().ReferenceGrants().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("tcproutes"): return &genericInformer{resource: resource.GroupResource(), informer: f.Gateway().V1alpha2().TCPRoutes().Informer()}, nil case v1alpha2.SchemeGroupVersion.WithResource("tlsroutes"): diff --git a/pkg/client/listers/apis/v1alpha2/expansion_generated.go b/pkg/client/listers/apis/v1alpha2/expansion_generated.go index 1e8f44a0af..7d3d39e47b 100644 --- a/pkg/client/listers/apis/v1alpha2/expansion_generated.go 
+++ b/pkg/client/listers/apis/v1alpha2/expansion_generated.go @@ -38,13 +38,13 @@ type HTTPRouteListerExpansion interface{} // HTTPRouteNamespaceLister. type HTTPRouteNamespaceListerExpansion interface{} -// ReferencePolicyListerExpansion allows custom methods to be added to -// ReferencePolicyLister. -type ReferencePolicyListerExpansion interface{} +// ReferenceGrantListerExpansion allows custom methods to be added to +// ReferenceGrantLister. +type ReferenceGrantListerExpansion interface{} -// ReferencePolicyNamespaceListerExpansion allows custom methods to be added to -// ReferencePolicyNamespaceLister. -type ReferencePolicyNamespaceListerExpansion interface{} +// ReferenceGrantNamespaceListerExpansion allows custom methods to be added to +// ReferenceGrantNamespaceLister. +type ReferenceGrantNamespaceListerExpansion interface{} // TCPRouteListerExpansion allows custom methods to be added to // TCPRouteLister. diff --git a/pkg/client/listers/apis/v1alpha2/referencegrant.go b/pkg/client/listers/apis/v1alpha2/referencegrant.go new file mode 100644 index 0000000000..eb8c7a5615 --- /dev/null +++ b/pkg/client/listers/apis/v1alpha2/referencegrant.go 
@@ -0,0 +1,99 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha2
+
+import (
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+ v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+// ReferenceGrantLister helps list ReferenceGrants.
+// All objects returned here must be treated as read-only.
+type ReferenceGrantLister interface {
+ // List lists all ReferenceGrants in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha2.ReferenceGrant, err error)
+ // ReferenceGrants returns an object that can list and get ReferenceGrants.
+ ReferenceGrants(namespace string) ReferenceGrantNamespaceLister
+ ReferenceGrantListerExpansion
+}
+
+// referenceGrantLister implements the ReferenceGrantLister interface.
+type referenceGrantLister struct {
+ indexer cache.Indexer
+}
+
+// NewReferenceGrantLister returns a new ReferenceGrantLister.
+func NewReferenceGrantLister(indexer cache.Indexer) ReferenceGrantLister {
+ return &referenceGrantLister{indexer: indexer}
+}
+
+// List lists all ReferenceGrants in the indexer.
+func (s *referenceGrantLister) List(selector labels.Selector) (ret []*v1alpha2.ReferenceGrant, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha2.ReferenceGrant))
+ })
+ return ret, err
+}
+
+// ReferenceGrants returns an object that can list and get ReferenceGrants.
+func (s *referenceGrantLister) ReferenceGrants(namespace string) ReferenceGrantNamespaceLister {
+ return referenceGrantNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// ReferenceGrantNamespaceLister helps list and get ReferenceGrants.
+// All objects returned here must be treated as read-only.
+type ReferenceGrantNamespaceLister interface {
+ // List lists all ReferenceGrants in the indexer for a given namespace.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha2.ReferenceGrant, err error)
+ // Get retrieves the ReferenceGrant from the indexer for a given namespace and name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v1alpha2.ReferenceGrant, error)
+ ReferenceGrantNamespaceListerExpansion
+}
+
+// referenceGrantNamespaceLister implements the ReferenceGrantNamespaceLister
+// interface.
+type referenceGrantNamespaceLister struct {
+ indexer cache.Indexer
+ namespace string
+}
+
+// List lists all ReferenceGrants in the indexer for a given namespace.
+func (s referenceGrantNamespaceLister) List(selector labels.Selector) (ret []*v1alpha2.ReferenceGrant, err error) {
+ err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha2.ReferenceGrant))
+ })
+ return ret, err
+}
+
+// Get retrieves the ReferenceGrant from the indexer for a given namespace and name.
+func (s referenceGrantNamespaceLister) Get(name string) (*v1alpha2.ReferenceGrant, error) {
+ obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v1alpha2.Resource("referencegrant"), name)
+ }
+ return obj.(*v1alpha2.ReferenceGrant), nil
+}
diff --git a/pkg/client/listers/apis/v1alpha2/referencepolicy.go b/pkg/client/listers/apis/v1alpha2/referencepolicy.go
deleted file mode 100644
index 5a1f994b9d..0000000000
--- a/pkg/client/listers/apis/v1alpha2/referencepolicy.go
+++ /dev/null
@@ -1,99 +0,0 @@ -/* -Copyright The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha2 - -import ( - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" - v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" -) - -// ReferencePolicyLister helps list ReferencePolicies. -// All objects returned here must be treated as read-only. -type ReferencePolicyLister interface { - // List lists all ReferencePolicies in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) - // ReferencePolicies returns an object that can list and get ReferencePolicies. - ReferencePolicies(namespace string) ReferencePolicyNamespaceLister - ReferencePolicyListerExpansion -} - -// referencePolicyLister implements the ReferencePolicyLister interface. -type referencePolicyLister struct { - indexer cache.Indexer -} - -// NewReferencePolicyLister returns a new ReferencePolicyLister. -func NewReferencePolicyLister(indexer cache.Indexer) ReferencePolicyLister { - return &referencePolicyLister{indexer: indexer} -} - -// List lists all ReferencePolicies in the indexer. 
-func (s *referencePolicyLister) List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha2.ReferencePolicy)) - }) - return ret, err -} - -// ReferencePolicies returns an object that can list and get ReferencePolicies. -func (s *referencePolicyLister) ReferencePolicies(namespace string) ReferencePolicyNamespaceLister { - return referencePolicyNamespaceLister{indexer: s.indexer, namespace: namespace} -} - -// ReferencePolicyNamespaceLister helps list and get ReferencePolicies. -// All objects returned here must be treated as read-only. -type ReferencePolicyNamespaceLister interface { - // List lists all ReferencePolicies in the indexer for a given namespace. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) - // Get retrieves the ReferencePolicy from the indexer for a given namespace and name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha2.ReferencePolicy, error) - ReferencePolicyNamespaceListerExpansion -} - -// referencePolicyNamespaceLister implements the ReferencePolicyNamespaceLister -// interface. -type referencePolicyNamespaceLister struct { - indexer cache.Indexer - namespace string -} - -// List lists all ReferencePolicies in the indexer for a given namespace. -func (s referencePolicyNamespaceLister) List(selector labels.Selector) (ret []*v1alpha2.ReferencePolicy, err error) { - err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha2.ReferencePolicy)) - }) - return ret, err -} - -// Get retrieves the ReferencePolicy from the indexer for a given namespace and name. 
-func (s referencePolicyNamespaceLister) Get(name string) (*v1alpha2.ReferencePolicy, error) { - obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha2.Resource("referencepolicy"), name) - } - return obj.(*v1alpha2.ReferencePolicy), nil -} diff --git a/site-src/blog/2021/introducing-v1alpha2.md b/site-src/blog/2021/introducing-v1alpha2.md index 13bfe3597a..18245d6b90 100644 --- a/site-src/blog/2021/introducing-v1alpha2.md +++ b/site-src/blog/2021/introducing-v1alpha2.md @@ -53,20 +53,20 @@ Gateway API, we had several key feature requests that required this capability. Most notably, forwarding traffic to backends in other namespaces and referring to TLS certificates in other namespaces. -To accomplish this, we've introduced a new ReferencePolicy resource that +To accomplish this, we've introduced a new ReferenceGrant resource that provides a handshake mechanism. By default, references across namespaces are not permitted; creating a reference across a namespace (like a Route referencing a Service in another namespace) must be rejected by implementations. These -references can be accepted by creating a ReferencePolicy in the referent +references can be accepted by creating a ReferenceGrant in the referent (target) namespace, that specifies what Kind is allowed to accept incoming references, and from what namespace and Kind the references may be. -For example, the following ReferencePolicy would allow HTTPRoutes in the prod -namespace to forward traffic to Services wherever this ReferencePolicy was +For example, the following ReferenceGrant would allow HTTPRoutes in the prod +namespace to forward traffic to Services wherever this ReferenceGrant was installed: ```yaml -{% include 'v1alpha2/reference-policy.yaml' %} +{% include 'v1alpha2/reference-grant.yaml' %} ``` This is covered in more detail in [GEP 709](https://gateway-api.sigs.k8s.io/geps/gep-709/). 
diff --git a/site-src/concepts/security-model.md b/site-src/concepts/security-model.md index aefba84a0c..b2fd7f674e 100644 --- a/site-src/concepts/security-model.md +++ b/site-src/concepts/security-model.md @@ -106,23 +106,23 @@ guarantee. If you used a custom label such as `env`, anyone that is able to label namespaces within your cluster would effectively be able to change the set of namespaces your Gateway supported. -### 2. ReferencePolicy +### 2. ReferenceGrant There are some cases where we allow other object references to cross namespace boundaries. This includes Gateways referencing Secrets and Routes referencing Backends (usually Services). In these cases, the required handshake is -accomplished with a ReferencePolicy resource. This resource exists within a +accomplished with a ReferenceGrant resource. This resource exists within a target namespace and can be used to allow references from other namespaces. -For example, the following ReferencePolicy allows references from Gateways in +For example, the following ReferenceGrant allows references from Gateways in the "prod" namespace to HTTPRoutes that are deployed in the same namespace as -the ReferencePolicy. +the ReferenceGrant. ```yaml -{% include 'v1alpha2/reference-policy.yaml' %} +{% include 'v1alpha2/reference-grant.yaml' %} ``` -For more information on ReferencePolicy, refer to our [detailed documentation -for this resource](/v1alpha2/api-types/referencepolicy.md). +For more information on ReferenceGrant, refer to our [detailed documentation +for this resource](/v1alpha2/api-types/referencegrant.md). ## Advanced Concept: Limiting Namespaces Where a GatewayClass Can Be Used Some infrastructure providers or cluster operators may wish to limit the diff --git a/site-src/geps/gep-1016.md b/site-src/geps/gep-1016.md index fb97fba897..2b537009e4 100644 --- a/site-src/geps/gep-1016.md +++ b/site-src/geps/gep-1016.md 
@@ -580,7 +580,7 @@ type GRPCBackendRef struct { // configure this backend in the underlying implementation. // // If there is a cross-namespace reference to an *existing* object - // that is not covered by a ReferencePolicy, the controller must ensure the + // that is not covered by a ReferenceGrant, the controller must ensure the // "ResolvedRefs" condition on the Route is set to `status: False`, // with the "RefNotPermitted" reason and not configure this backend in the // underlying implementation. diff --git a/site-src/geps/gep-709.md b/site-src/geps/gep-709.md index 10f1094749..ff5f1fc8b2 100644 --- a/site-src/geps/gep-709.md +++ b/site-src/geps/gep-709.md @@ -3,12 +3,16 @@ * Issue: [#709](https://github.com/kubernetes-sigs/gateway-api/issues/709) * Status: Implemented +!!! note + This resource was originally named "ReferencePolicy". It was renamed + to "ReferenceGrant" to avoid any confusion with policy attachment. + ## TLDR This GEP attempts to enable cross namespace forwarding from Routes and provide a way to simplify adding Route inclusion (Routes including other Routes) in the future. These are closely related concepts that can be solved with a new -ReferencePolicy resource that enables app admins to describe where they trust +ReferenceGrant resource that enables app admins to describe where they trust references from. ## Motivation/User Journeys/Background @@ -22,7 +26,7 @@ capabilities for cross namespace references: 1. Mesh overrides to target Services in different namespaces. (For more info, see GEP [#713](https://github.com/kubernetes-sigs/gateway-api/issues/713)) -## ReferencePolicy +## ReferenceGrant Anytime we allow crossing a namespace boundary, we need to be very cautious. In the past, we've seen that forwarding traffic across namespace boundaries is 
@@ -32,17 +36,17 @@ emerge. To ensure that Gateway API is able to safely provide this functionality, we need to enforce a handshake mechanism that requires resources in both namespaces to -agree to this reference. To accomplish that, a new ReferencePolicy resource +agree to this reference. To accomplish that, a new ReferenceGrant resource should be introduced. -![Reference Policy](images/709-referencepolicy.png) +![Reference Policy](images/709-referencegrant.png) With this model, Routes would be able to directly reference Routes and Services in other namespaces. These references would only be considered valid if a -ReferencePolicy in the target namespace explicitly allowed it. +ReferenceGrant in the target namespace explicitly allowed it. The following example shows how a HTTPRoute in namespace foo could reference -a Service in namespace bar. In this example a ReferencePolicy in the bar +a Service in namespace bar. In this example a ReferenceGrant in the bar namespace explicitly allows references to Services from HTTPRoutes in the foo namespace. @@ -60,7 +64,7 @@ spec: - name: bar namespace: bar --- -kind: ReferencePolicy +kind: ReferenceGrant metadata: name: bar namespace: bar @@ -78,8 +82,8 @@ spec: This proposed API is fairly straightforward, but comes with a few notable decisions: -1. Each ReferencePolicy only supports a single From and To section. Additional - trust relationships can be modeled with additional ReferencePolicy resources. +1. Each ReferenceGrant only supports a single From and To section. Additional + trust relationships can be modeled with additional ReferenceGrant resources. 1. Resource names are intentionally excluded from this policy for simplicity and because they rarely provide any meaningful protection. A user that is able to write to resources of a certain kind within a namespace can always rename 
@@ -88,23 +92,23 @@ decisions: more powerful it may encourage unnecessarily insecure configuration. ```go -// ReferencePolicy identifies kinds of resources in other namespaces that are +// ReferenceGrant identifies kinds of resources in other namespaces that are // trusted to reference the specified kinds of resources in the local namespace. -// Each ReferencePolicy can be used to represent a unique trust relationship. +// Each ReferenceGrant can be used to represent a unique trust relationship. // Additional Reference Policies can be used to add to the set of trusted // sources of inbound references for the namespace they are defined within. -type ReferencePolicy struct { +type ReferenceGrant struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec defines the desired state of ReferencePolicy. - Spec ReferencePolicySpec `json:"spec,omitempty"` + // Spec defines the desired state of ReferenceGrant. + Spec ReferenceGrantSpec `json:"spec,omitempty"` } -// ReferencePolicySpec identifies a cross namespace relationship that is trusted +// ReferenceGrantSpec identifies a cross namespace relationship that is trusted // for Gateway API. -type ReferencePolicySpec struct { +type ReferenceGrantSpec struct { // From describes the trusted namespaces and kinds that can reference the // resources described in "To". Each entry in this list must be considered // to be an additional place that references can be valid from, or to put @@ -113,7 +117,7 @@ type ReferencePolicySpec struct { // Support: Core // // +kubebuilder:validation:MinItems=1 - From []ReferencePolicyFrom `json:"from"` + From []ReferenceGrantFrom `json:"from"` // To describes the resources that may be referenced by the resources // described in "From". Each entry in this list must be considered to be an 
@@ -123,11 +127,11 @@ type ReferencePolicySpec struct { // Support: Core // // +kubebuilder:validation:MinItems=1 - To []ReferencePolicyTo `json:"to"` + To []ReferenceGrantTo `json:"to"` } -// ReferencePolicyFrom describes trusted namespaces and kinds. -type ReferencePolicyFrom struct { +// ReferenceGrantFrom describes trusted namespaces and kinds. +type ReferenceGrantFrom struct { // Group is the group of the referrent. // // Support: Core @@ -158,9 +162,9 @@ type ReferencePolicyFrom struct { Namespace string `json:"namespace,omitempty"` } -// ReferencePolicyTo describes what Kinds are allowed as targets of the +// ReferenceGrantTo describes what Kinds are allowed as targets of the // references. -type ReferencePolicyTo struct { +type ReferenceGrantTo struct { // Group is the group of the referrent. // // Support: Core @@ -193,17 +197,17 @@ type ReferencePolicyTo struct { references. * Provides consistent way to control references to any resource from a Route. * Can be extended in the future for additional use cases. -* A single ReferencePolicy resource can be used for a namespace in place of +* A single ReferenceGrant resource can be used for a namespace in place of separate handshake config on each Service or Route resource. #### Exceptions -There are some situations where it MAY be acceptable to ignore ReferencePolicy +There are some situations where it MAY be acceptable to ignore ReferenceGrant in favor of some other security mechanism. This MAY only be done if other mechanisms like NetworkPolicy can effectively limit cross-namespace references by the implementation. An implementation choosing to make this exception MUST clearly document that -ReferencePolicy is not honored by their implementations and detail which +ReferenceGrant is not honored by their implementations and detail which alternative safeguards are available. Note that this is unlikely to apply to ingress implementations of the API and will not apply to all mesh implementations. 
@@ -211,7 +215,7 @@ implementations. For an example of the risks involved in cross-namespace references, refer to [CVE-2021-25740](https://github.com/kubernetes/kubernetes/issues/103675). Implementations of this API need to be very careful to avoid confused deputy -attacks. ReferencePolicy provides a safeguard for that. Exceptions MUST only +attacks. ReferenceGrant provides a safeguard for that. Exceptions MUST only be made by implementations that are absolutely certain that other equally effective safeguards are in place. @@ -239,7 +243,7 @@ type BackendRef struct { ## Alternatives ### Inline Config -Instead of ReferencePolicy, it is possible to represent these relationships +Instead of ReferenceGrant, it is possible to represent these relationships inline. ![Inline](images/709-inline.png) @@ -275,7 +279,7 @@ concept to all potential backend types. * Although closely related, this GEP does not attempt to improve the Gateway->Route relationship. That will instead be covered by a future GEP. -* Although this GEP explores how ReferencePolicy could enable Route inclusion, +* Although this GEP explores how ReferenceGrant could enable Route inclusion, the details of that feature will be left for a future GEP. ## References diff --git a/site-src/geps/gep-724.md b/site-src/geps/gep-724.md index 4b86369c92..5e2506c276 100644 --- a/site-src/geps/gep-724.md +++ b/site-src/geps/gep-724.md 
@@ -163,10 +163,10 @@ Of course we do still need a handshake that will enable cross-namespace references between Routes and Gateways. This proposal leaves in the core capabilities of the v1alpha1 API for this. Gateways can specify the namespaces they trust Routes to bind from, and Routes directly reference the Gateways they -want to attach to. This is largely similar to the ReferencePolicy model proposed +want to attach to. This is largely similar to the ReferenceGrant model proposed for Route->Service references, but is embedded within the Route and Gateway resources. The alternatives below explore what this could look like with -ReferencePolicy. +ReferenceGrant. ## API Changes @@ -524,7 +524,7 @@ struct would be replaced with the `ParentRef` struct included above. ### Disadvantages * Attaching a Route to a named listener with SectionName may be a bit confusing. -* Does not utilize existing ReferencePolicy mechanism. +* Does not utilize existing ReferenceGrant mechanism. * May be more difficult to understand which Routes are attached to a Gateway. * Adding/replacing a Gateway requires changes to Routes. @@ -535,15 +535,15 @@ complexity. ## Alternatives -### 1. ReferencePolicy with Gateways selecting Routes +### 1. ReferenceGrant with Gateways selecting Routes -![ReferencePolicy with Gateways selecting Routes](images/724-alt1.png) +![ReferenceGrant with Gateways selecting Routes](images/724-alt1.png) A compelling alternative to this proposal would involve retaining the Route selector in Gateway and replacing the trust concept in Routes with -ReferencePolicy. To represent the same example as above, we'd use a Route +ReferenceGrant. To represent the same example as above, we'd use a Route selector on Gateway, a corresponding label on the HTTPRoute, and a -ReferencePolicy that allowed it: +ReferenceGrant that allowed it: ```yaml kind: Gateway 
@@ -576,7 +576,7 @@ spec: matches: - path: /bar --- -kind: ReferencePolicy +kind: ReferenceGrant metadata: name: infra-gateways namespace: foo 
@@ -592,34 +592,34 @@ spec: #### Advantages -* Consistent use of ReferencePolicy throughout the API. +* Consistent use of ReferenceGrant throughout the API. * Provides a single way of binding Gateways to Routes. #### Disadvantages * Even the simplest cross-namespace reference from Gateway -> Route would - require a ReferencePolicy in each target namespace. + require a ReferenceGrant in each target namespace. * Existing demos and examples would become significantly more verbose. * Does not suppport attaching Routes to arbitrary parents. * Does not prevent accidental exposure of Routes. * Route owners have limited control in terms of which Gateways their Route is attached to. -### 2. ReferencePolicy with Routes referencing Gateways +### 2. ReferenceGrant with Routes referencing Gateways -![ReferencePolicy with Routes referencing Gateways](images/724-alt2.png) +![ReferenceGrant with Routes referencing Gateways](images/724-alt2.png) -The other way we could use ReferencePolicy would be with Routes referencing +The other way we could use ReferenceGrant would be with Routes referencing Gateways. Unfortunately the nested structure of Gateways makes this nearly impossible to do effectively. A core concept for Gateways is that each listener should be able to attach to an entirely different set of Routes. For example, a Gateway may want to delegate foo.com to the foo namespace and bar.com to the bar namespace. Unfortunately that would be very difficult to recreate with -ReferencePolicy. +ReferenceGrant. -ReferencePolicy is fundamentally about trusting references from resource of kind +ReferenceGrant is fundamentally about trusting references from resource of kind Foo in to resources of kind Bar. Names and section names are intentionally -excluded. If we added both of those concepts to ReferencePolicy, this would be +excluded. If we added both of those concepts to ReferenceGrant, this would be possible, but quite complex and verbose. 
This is what the example from above would look like with this approach: @@ -634,7 +634,7 @@ spec: hostname: foo.com port: 80 --- -kind: ReferencePolicy +kind: ReferenceGrant metadata: name: foo-lb namespace: infra @@ -667,7 +667,7 @@ spec: #### Advantages -* Consistent use of ReferencePolicy throughout the API. +* Consistent use of ReferenceGrant throughout the API. * Provides a single way of binding Gateways to Routes. * Supports attaching Routes to arbitrary parents. * Prevents accidental exposure of Routes. @@ -675,18 +675,18 @@ spec: #### Disadvantages * In most cases, each listener in a Gateway would require a unique - ReferencePolicy resource. + ReferenceGrant resource. * Even the simplest cross-namespace reference from Route -> Gateway would - require a ReferencePolicy in each target namespace. This could either rule + require a ReferenceGrant in each target namespace. This could either rule out or significantly complicate self-service use-cases. * Existing demos and examples would become significantly more verbose. -* ReferencePolicy would become more complex for all other use cases. +* ReferenceGrant would become more complex for all other use cases. ## References **GEPs** -* [GEP 709: ReferencePolicy + Cross Namespace References from Routes](/geps/gep-709) +* [GEP 709: ReferenceGrant + Cross Namespace References from Routes](/geps/gep-709) **Docs:** diff --git a/site-src/geps/gep-746.md b/site-src/geps/gep-746.md index 4cb41168d8..1a0c9798b0 100644 --- a/site-src/geps/gep-746.md +++ b/site-src/geps/gep-746.md 
@@ -65,7 +65,7 @@ tools like cert-manager that can watch Routes, generate certs for them, and attach them to a Gateway. #### 2. Cross Namespace Cert Direct References from Gateways -With the already established ReferencePolicy concept, we have established a safe +With the already established ReferenceGrant concept, we have established a safe way to reference resources across namespaces. Although this would require some coordination between Gateway and App owners, it would enable App owners to retain full control of the certs used by their app without the extra confusion @@ -95,7 +95,7 @@ one of the following safeguards: domain. 2. A way to configure which namespaces could attach certificates to each Gateway (or Listener). -3. A way to use ReferencePolicy to indicate where references from Secrets to +3. A way to use ReferenceGrant to indicate where references from Secrets to Gateways were trusted from and to. ## API @@ -105,7 +105,7 @@ The API changes proposed here are quite small, mostly removing fields. ### Changes 1. The `LocalObjectReference` used for the `CertificateRef` field in `GatewayTLSConfig` would be replaced with an `ObjectReference`. -1. `ReferencePolicy` would be updated to note that references from Gateways to +1. `ReferenceGrant` would be updated to note that references from Gateways to Secrets were part of the Core support level. ### Removals diff --git a/site-src/geps/gep-851.md b/site-src/geps/gep-851.md index dfe40ac639..7e5d474f16 100644 --- a/site-src/geps/gep-851.md +++ b/site-src/geps/gep-851.md 
@@ -54,8 +54,8 @@ following `CertificateRefs` field: // a Listener, but this behavior is implementation-specific. // // References to a resource in different namespace are invalid UNLESS there - // is a ReferencePolicy in the target namespace that allows the certificate - // to be attached. If a ReferencePolicy does not allow this reference, the + // is a ReferenceGrant in the target namespace that allows the certificate + // to be attached. If a ReferenceGrant does not allow this reference, the // "ResolvedRefs" condition MUST be set to False for this listener with the // "InvalidCertificateRef" reason. // diff --git a/site-src/geps/gep-917.md b/site-src/geps/gep-917.md index 2f04d8b8f0..aeb83d410e 100644 --- a/site-src/geps/gep-917.md +++ b/site-src/geps/gep-917.md @@ -88,7 +88,7 @@ All implementations must support all the Core functions on the following resourc - GatewayClass - Gateway -- ReferencePolicy +- ReferenceGrant The following resources are optional to support, but have defined behavior if you do: diff --git a/site-src/geps/images/709-referencepolicy.png b/site-src/geps/images/709-referencegrant.png similarity index 100% rename from site-src/geps/images/709-referencepolicy.png rename to site-src/geps/images/709-referencegrant.png diff --git a/site-src/implementations.md b/site-src/implementations.md index 719c192070..9013bc3495 100644 --- a/site-src/implementations.md +++ b/site-src/implementations.md 
@@ -172,7 +172,7 @@ Kuma is actively working on an implementation of Gateway API specification for t Traefik currently supports version `v1alpha2` (`v0.4.x`) of the Gateway API specification, check the [Kubernetes Gateway Documentation][traefik-1] for information on how to deploy and use Traefik's Gateway implementation. -Traefik is currently working on implementing UDP, and ReferencePolicy. Status updates and documentation will be provided here as the work progresses. +Traefik is currently working on implementing UDP, and ReferenceGrant. Status updates and documentation will be provided here as the work progresses. [traefik]:https://traefik.io [traefik-1]:https://doc.traefik.io/traefik/routing/providers/kubernetes-gateway/ diff --git a/site-src/v1alpha2/api-types/referencepolicy.md b/site-src/v1alpha2/api-types/referencegrant.md similarity index 74% rename from site-src/v1alpha2/api-types/referencepolicy.md rename to site-src/v1alpha2/api-types/referencegrant.md index 81564c23b1..7a8290ff80 100644 --- a/site-src/v1alpha2/api-types/referencepolicy.md +++ b/site-src/v1alpha2/api-types/referencegrant.md 
@@ -1,22 +1,26 @@ -# ReferencePolicy +# ReferenceGrant -A ReferencePolicy can be used to enable cross namespace references within +!!! note + This resource was originally named "ReferencePolicy". It was renamed + to "ReferenceGrant" to avoid any confusion with policy attachment. + +A ReferenceGrant can be used to enable cross namespace references within Gateway API. In particular, Routes may forward traffic to backends in other namespaces, or Gateways may refer to Secrets in another namespace. -![Reference Policy](/v1alpha2/images/referencepolicy-simple.png) +![Reference Grant](/v1alpha2/images/referencegrant-simple.png) In the past, we've seen that forwarding traffic across namespace boundaries is a -desired feature, but without a safeguard like ReferencePolicy, +desired feature, but without a safeguard like ReferenceGrant, [vulnerabilities](https://github.com/kubernetes/kubernetes/issues/103675) can emerge. If an object is referred to from outside its namespace, the object's owner must -create a ReferencePolicy resource to explicitly allow that reference. Without a -ReferencePolicy, a cross namespace reference is invalid. +create a ReferenceGrant resource to explicitly allow that reference. Without a +ReferenceGrant, a cross namespace reference is invalid. ## Structure -Fundamentally a ReferencePolicy is made up of two lists, a list of resources +Fundamentally a ReferenceGrant is made up of two lists, a list of resources references may come from, and a list of resources that may be referenced. The `from` list allows you to specify the group, kind, and namespace of 
@@ -24,12 +28,12 @@ resources that may reference items described in the `to` list. The `to` list allows you to specify the group and kind of resources that may be referenced by items described in the `from` list. The namespace is not necessary -in the `to` list because a ReferencePolicy can only be used to allow references -to resources in the same namespace as the ReferencePolicy. +in the `to` list because a ReferenceGrant can only be used to allow references +to resources in the same namespace as the ReferenceGrant. ## Example The following example shows how a HTTPRoute in namespace `foo` can reference a -Service in namespace `bar`. In this example a ReferencePolicy in the `bar` +Service in namespace `bar`. In this example a ReferenceGrant in the `bar` namespace explicitly allows references to Services from HTTPRoutes in the `foo` namespace. @@ -47,7 +51,7 @@ spec: - name: bar namespace: bar --- -kind: ReferencePolicy +kind: ReferenceGrant metadata: name: bar namespace: bar @@ -64,8 +68,8 @@ spec: ## API design decisions While the API is simplistic in nature, it comes with a few notable decisions: -1. Each ReferencePolicy only supports a single From and To section. Additional - trust relationships must be modeled with additional ReferencePolicy +1. Each ReferenceGrant only supports a single From and To section. Additional + trust relationships must be modeled with additional ReferenceGrant resources. 1. Resource names are intentionally excluded from this policy for simplicity and because they rarely provide any meaningful protection. A user that is able to 
@@ -77,25 +81,25 @@ While the API is simplistic in nature, it comes with a few notable decisions: other. This makes it impossible for them to conflict with each other. Please see the [API -Specification](/v1alpha2/references/spec#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) -for more details on how specific ReferencePolicy fields are interpreted. +Specification](/v1alpha2/references/spec#gateway.networking.k8s.io/v1alpha2.ReferenceGrant) +for more details on how specific ReferenceGrant fields are interpreted. ## Exceptions Cross namespace Route -> Gateway binding follows a slightly different pattern where the handshake mechanism is built into the Gateway resource. For more information on that approach, refer to the relevant [Security Model documentation](/concepts/security-model). Although conceptually similar to -ReferencePolicy, this configuration is built directly into Gateway Listeners, +ReferenceGrant, this configuration is built directly into Gateway Listeners, and allows for fine-grained per Listener configuration that would not be -possible with ReferencePolicy. +possible with ReferenceGrant. -There are some situations where it MAY be acceptable to ignore ReferencePolicy +There are some situations where it MAY be acceptable to ignore ReferenceGrant in favor of some other security mechanism. This MAY only be done if other mechanisms like NetworkPolicy can effectively limit cross-namespace references by the implementation. An implementation choosing to make this exception MUST clearly document that -ReferencePolicy is not honored by their implementations and detail which +ReferenceGrant is not honored by their implementations and detail which alternative safeguards are available. Note that this is unlikely to apply to ingress implementations of the API and will not apply to all mesh implementations. 
@@ -103,12 +107,12 @@ implementations. For an example of the risks involved in cross-namespace references, refer to [CVE-2021-25740](https://github.com/kubernetes/kubernetes/issues/103675). Implementations of this API need to be very careful to avoid confused deputy -attacks. ReferencePolicy provides a safeguard for that. Exceptions MUST only be +attacks. ReferenceGrant provides a safeguard for that. Exceptions MUST only be made by implementations that are absolutely certain that other equally effective safeguards are in place. ## Conformance Level -ReferencePolicy support is a "CORE" conformance level requirement for +ReferenceGrant support is a "CORE" conformance level requirement for cross-namespace references that originate from the following objects: - HTTPRoute diff --git a/site-src/v1alpha2/guides/tls.md b/site-src/v1alpha2/guides/tls.md index 685a74db26..b57deaf421 100644 --- a/site-src/v1alpha2/guides/tls.md +++ b/site-src/v1alpha2/guides/tls.md @@ -87,8 +87,8 @@ Since a specific match takes priority, the Gateway will serve #### Cross namespace certificate references In this example, the Gateway is configured to reference a certificate in a -different namespace. This is allowed by the ReferencePolicy created in the -target namespace. Without that ReferencePolicy, the cross-namespace reference +different namespace. This is allowed by the ReferenceGrant created in the +target namespace. Without that ReferenceGrant, the cross-namespace reference would be invalid. ```yaml diff --git a/site-src/v1alpha2/images/referencepolicy-simple.png b/site-src/v1alpha2/images/referencegrant-simple.png similarity index 100% rename from site-src/v1alpha2/images/referencepolicy-simple.png rename to site-src/v1alpha2/images/referencegrant-simple.png