Consider inverting the targetting between xPolicy(Especially SecurityPolicy) and xRoute
#6,887 opened on 2025年9月2日
Repository metrics
- Stars
- (2,871 stars)
- PR merge metrics
- (PR metrics pending)
説明
Im going to use SecurityPolicy when describing this but it would also be relevant for BackendTrafficPolicy
Description:
Currently SecurityPolicies are targeting xRoutes, this means that one can end up in a position where an HTTPRoute that is meant to be protected in some way, e.g. external authorization, can easily be deployed without this protection and there really is no way for Envoy Gateway to know without human intervention.
This can happen if the SecurityPolicy uses incorrect targetRefs, in this case envoy can intuit that something is done incorrectly since the targetRef on the security policy doesnt resolve to a resource. If we however use targetSelectors and labels the HTTPRoute incorrectly, envoy has no way to know something is wrong.
In both these cases the HTTPRoute will be deployed without protection.
If we invert the targeting, i.e. SecurityPolicy would be attached/targeted via filters then Envoy can reject the faulty xRoute.
This doesnt have to be one way or the other, I think that both can be beneficial. For instance generic safe configuration in BackendTrafficPolicy via targetSelectors and SecurityPolicy via xRoute filters.