envoyproxy/gateway

Consider inverting the targetting between xPolicy(Especially SecurityPolicy) and xRoute

Open

#6887 aperta il 2 set 2025

Vedi su GitHub
 (6 commenti) (1 reazione) (0 assegnatari)Go (802 fork)auto 404
help wanted

Metriche repository

Star
 (2871 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

Im going to use SecurityPolicy when describing this but it would also be relevant for BackendTrafficPolicy

Description: Currently SecurityPolicies are targeting xRoutes, this means that one can end up in a position where an HTTPRoute that is meant to be protected in some way, e.g. external authorization, can easily be deployed without this protection and there really is no way for Envoy Gateway to know without human intervention. This can happen if the SecurityPolicy uses incorrect targetRefs, in this case envoy can intuit that something is done incorrectly since the targetRef on the security policy doesnt resolve to a resource. If we however use targetSelectors and labels the HTTPRoute incorrectly, envoy has no way to know something is wrong.

In both these cases the HTTPRoute will be deployed without protection.

If we invert the targeting, i.e. SecurityPolicy would be attached/targeted via filters then Envoy can reject the faulty xRoute.


This doesnt have to be one way or the other, I think that both can be beneficial. For instance generic safe configuration in BackendTrafficPolicy via targetSelectors and SecurityPolicy via xRoute filters.

Guida contributor