envoyproxy/gateway

Consider inverting the targetting between xPolicy(Especially SecurityPolicy) and xRoute

Open

#6,887 建立於 2025年9月2日

在 GitHub 查看
 (6 留言) (1 反應) (0 負責人)Go (802 fork)auto 404
help wanted

倉庫指標

Star
 (2,871 star)
PR 合併指標
 (PR 指標待抓取)

描述

Im going to use SecurityPolicy when describing this but it would also be relevant for BackendTrafficPolicy

Description: Currently SecurityPolicies are targeting xRoutes, this means that one can end up in a position where an HTTPRoute that is meant to be protected in some way, e.g. external authorization, can easily be deployed without this protection and there really is no way for Envoy Gateway to know without human intervention. This can happen if the SecurityPolicy uses incorrect targetRefs, in this case envoy can intuit that something is done incorrectly since the targetRef on the security policy doesnt resolve to a resource. If we however use targetSelectors and labels the HTTPRoute incorrectly, envoy has no way to know something is wrong.

In both these cases the HTTPRoute will be deployed without protection.

If we invert the targeting, i.e. SecurityPolicy would be attached/targeted via filters then Envoy can reject the faulty xRoute.


This doesnt have to be one way or the other, I think that both can be beneficial. For instance generic safe configuration in BackendTrafficPolicy via targetSelectors and SecurityPolicy via xRoute filters.

貢獻者指南