geps/gep-1713/index.md
21 additions & 8 deletions
@@ -464,6 +464,27 @@ spec:
464
464
sectionName: foo
465
465
```
466
466
467
+
#### Optional Section Name
468
+
469
+
If a `sectionName` in a Route's `parentRef` is not set then the Route MUST attach to only the listeners in the referenced parent. As an example given a `Gateway` and it's child `ListenerSets` a route attaching to the `Gateway` with an empty `sectionName` shall only attach to the listeners in the `Gateways` immediate `spec.listeners` list. In other words, the Route will not attach to any listeners in the `ListenerSets`.
470
+
471
+
### Policy Attachment
472
+
473
+
Policy attachment is [under discussion] in https://github.com/kubernetes-sigs/gateway-api/discussions/2927
474
+
475
+
Similar to Routes, `ListenerSet` can inherit policy from a Gateway.
476
+
Policies that attach to a `ListenerSet` apply to all listeners defined in that resource, but do not impact listeners in the parent `Gateway`. This allows `ListenerSets` attached to the same `Gateway` to have different policies.
477
+
If the implementation cannot apply the policy to only specific listeners, it should reject the policy.
478
+
479
+
### ReferenceGrant Semantics
480
+
481
+
When a `ReferenceGrant` is applied to a `Gateway` it MUST NOT be inherited by child `ListenerSets`. Thus a `ListenerSet` listener MUST NOT access secrets granted to the `Gateway` listeners.
482
+
483
+
When a `ReferenceGrant` is applied to a `ListenerSet` it MUST NOT grant permission to the parent `Gateway`'s listeners. Thus a `Gateway` listener MUST NOT access secrets granted to the `ListenerSet` listeners.
484
+
485
+
A `ListenerSet` must be able to reference a secret/backend in the same namespace as itself without a `ReferenceGrant`.
486
+
487
+
467
488
### Listener Validation
468
489
469
490
Within a single resource such as a `Gateway` or `ListenerSet` the list of listeners MUST have unique names. Implementations MUST allow listeners from a child `ListenerSet` to be merged into a parent `Gateway` when listeners have the same name. Likewise implementations MUST allow sibling `ListenerSets` listeners with matching names to be merged into a parent `Gateway`. This allows for authors of Routes to simply attach to their desired parentRef and listener without having to worry about naming conflicts across resources.
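Review bot: In the ReferenceGrant Semantics section, the last sentence uses a lowercase "must" ("A `ListenerSet` must be able to reference a secret/backend in the same namespace as itself without a `ReferenceGrant`") while the two paragraphs before it use MUST NOT, so it is unclear whether same-namespace access without a grant is a conformance requirement; make it MUST if it is. The phrase "applied to a `Gateway`" also does not say how a grant is tied to one kind rather than the other; stating the rule in terms of which kind the grant names as its source would make the non-inheritance requirement testable. In Optional Section Name, "MUST attach to only the listeners in the referenced parent" only becomes unambiguous after the example, and the paragraph has two typos: "it's child" should be "its child" and "`Gateways` immediate" should be "`Gateway`'s immediate".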
@@ -561,14 +582,6 @@ If a listener has a conflict, this should be reported in the `ListenerEntryStatu
561
582
562
583
Implementations SHOULD be cautious about what information from the parent or siblings are reported to avoid accidentally leaking sensitive information that the child would not otherwise have access to. This can include contents of secrets etc.
563
584
564
-
### Policy Attachment
565
-
566
-
Policy attachment is [under discussion] in https://github.com/kubernetes-sigs/gateway-api/discussions/2927
567
-
568
-
Similar to Routes, `ListenerSet` can inherit policy from a Gateway.
569
-
Policies that attach to a `ListenerSet` apply to all listeners defined in that resource, but do not impact listeners in the parent `Gateway`. This allows `ListenerSets` attached to the same `Gateway` to have different policies.
570
-
If the implementation cannot apply the policy to only specific listeners, it should reject the policy.
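Review bot: The removed Policy Attachment block is carried over word for word into the section added at new lines 471-477, so its two weak spots move with it: "[under discussion]" has brackets but no link target next to a bare URL, and "it should reject the policy" uses a lowercase "should" where the surrounding text uses MUST and SHOULD. Fix both at the new location instead of relocating them unchanged. Separately, the context paragraph just above keeps status leakage at SHOULD ("Implementations SHOULD be cautious ..."), which sits oddly beside the MUST NOT rules on secret access added elsewhere in this commit; consider stating what must never appear in a child's status.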