fix: exclude unmanaged route parents from xPolicy status ancestors#8321
Merged
cnvergence merged 3 commits intoenvoyproxy:mainfrom Feb 24, 2026
Merged
Conversation
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
✅ Deploy Preview for cerulean-figolla-1f9435 canceled.
|
zhaohuabing
changed the title
zhaohuabing
changed the title
zhaohuabing
changed the title
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8321 +/- ##
==========================================
+ Coverage 73.66% 73.67% +0.01%
==========================================
Files 242 242
Lines 37007 37014 +7
==========================================
+ Hits 27261 27270 +9
Misses 7826 7826
+ Partials 1920 1918 -2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zhaohuabing
commented
Feb 22, 2026
| - ancestorRef: | ||
| group: gateway.networking.k8s.io | ||
| kind: Gateway | ||
| name: unmanaged-gateway |
Member
Author
There was a problem hiding this comment.
The unmanaged-gateway should not be in status.
…nged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]>
zhaohuabing
force-pushed
the
fix-policy-status-mixed-parents
branch
from
00d163f to
d347e43
Compare
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
zhaohuabing
force-pushed
the
fix-policy-status-mixed-parents
branch
from
6ec20c0 to
d5ea0a4
Compare
kkk777-7
approved these changes
Feb 23, 2026
Member
|
LGTM, thanks! |
zirain
approved these changes
Feb 24, 2026
cnvergence
approved these changes
Feb 24, 2026
antonio-mazzini
pushed a commit
to antonio-mazzini/gateway
that referenced
this pull request
Mar 5, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Mar 11, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Mar 11, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Karol Szwaj <[email protected]>
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Mar 11, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Karol Szwaj <[email protected]>
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Mar 11, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Karol Szwaj <[email protected]>
jukie
pushed a commit
that referenced
this pull request
Mar 12, 2026
* api: make ConnectionLimit.Value optional (#8478) * api: make ConnectionLimit.Value optional Signed-off-by: Felipe Sabadini Facina <[email protected]> * release-notes: add entry for ConnectionLimit.Value optional Signed-off-by: Felipe Sabadini Facina <[email protected]> * fix: add CEL rule to require value when closeDelay is set Signed-off-by: Felipe Sabadini Facina <[email protected]> --------- Signed-off-by: Felipe Sabadini Facina <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix up release notes Signed-off-by: Karol Szwaj <[email protected]> * fix: aggregate xRoute/xPolicy statuses across GWCs in gateway-api runner (#8387) * fix: aggregate xRoute/xPolicy statuses across GWCs in gateway-api runner Signed-off-by: y-rabie <[email protected]> * polish Signed-off-by: Huabing (Robin) Zhao <[email protected]> * add e2e test Signed-off-by: Huabing (Robin) Zhao <[email protected]> * release note Signed-off-by: Huabing (Robin) Zhao <[email protected]> * truncate policy status & add tests Signed-off-by: Huabing (Robin) Zhao <[email protected]> * update Signed-off-by: Huabing (Robin) Zhao <[email protected]> * update Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: y-rabie <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: y-rabie <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: active health check respect endpoint hostname (#8452) revert unrelated changes Signed-off-by: zirain <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: exclude unmanaged route parents from xPolicy status ancestors (#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: add ownerReferences to ratelimit ConfigMap and HPA (#8358) Signed-off-by: Tejasriram Parvathaneni <[email protected]> Co-authored-by: Karol Szwaj <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: computeHosts doesn't work when listener and route both wildcard (#8186) * fix: computeHosts doesn't work when listener and route both wildcard Signed-off-by: zirain <[email protected]> * remove skipped tests Signed-off-by: zirain <[email protected]> * Update internal/gatewayapi/helpers.go Co-authored-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: fixed local object reference resolution from parent in merged BackendTrafficPolicies (#8210) Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: XListenerSet allows route from same namespace (#8226) Previously, using allowedRoutes/Same for an XListenerSet with an xRoute in the same namespace would return an error. Now it properly allows xRoutes from the same namespace. Signed-off-by: Kris Hicks <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: API key auth (#8267) * add test for multiple keys Signed-off-by: Huabing (Robin) Zhao <[email protected]> * revert secret transform Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix gen-check Signed-off-by: Karol Szwaj <[email protected]> * add release notes Signed-off-by: Karol Szwaj <[email protected]> * add release notes for envoy proxy image Signed-off-by: Karol Szwaj <[email protected]> --------- Signed-off-by: Felipe Sabadini Facina <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: y-rabie <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: Tejasriram Parvathaneni <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Kris Hicks <[email protected]> Co-authored-by: Felipe Sabadini Facina <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: y-rabie <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Tejasriram Parvathaneni <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: Kris Hicks <[email protected]>
rudrakhp
pushed a commit
to rudrakhp/gateway
that referenced
this pull request
Mar 12, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
rudrakhp
pushed a commit
to rudrakhp/gateway
that referenced
this pull request
Mar 12, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
rudrakhp
pushed a commit
to rudrakhp/gateway
that referenced
this pull request
Mar 12, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
rudrakhp
pushed a commit
to rudrakhp/gateway
that referenced
this pull request
Mar 12, 2026
…nvoyproxy#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]>
rudrakhp
added a commit
that referenced
this pull request
Mar 12, 2026
* fix: fixed local object reference resolution from parent in merged BackendTrafficPolicies (#8210) Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: exclude unmanaged route parents from xPolicy status ancestors (#8321) * add test for mixed managed and unmanaged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix the policy status when the targeting routes have managed and unmanged Gateway parents Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix test Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: computeHosts doesn't work when listener and route both wildcard (#8186) * fix: computeHosts doesn't work when listener and route both wildcard Signed-off-by: zirain <[email protected]> * remove skipped tests Signed-off-by: zirain <[email protected]> * Update internal/gatewayapi/helpers.go Co-authored-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: aggregate xRoute/xPolicy statuses across GWCs in gateway-api runner (#8387) * fix: aggregate xRoute/xPolicy statuses across GWCs in gateway-api runner Signed-off-by: y-rabie <[email protected]> * polish Signed-off-by: Huabing (Robin) Zhao <[email protected]> * add e2e test Signed-off-by: Huabing (Robin) Zhao <[email protected]> * release note Signed-off-by: Huabing (Robin) Zhao <[email protected]> * truncate policy status & add tests Signed-off-by: Huabing (Robin) Zhao <[email protected]> * update Signed-off-by: Huabing (Robin) Zhao <[email protected]> * update Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: y-rabie <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: y-rabie <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: add ownerReferences to ratelimit ConfigMap and HPA (#8358) Signed-off-by: Tejasriram Parvathaneni <[email protected]> Co-authored-by: Karol Szwaj <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * api: make ConnectionLimit.Value optional (#8478) * api: make ConnectionLimit.Value optional Signed-off-by: Felipe Sabadini Facina <[email protected]> * release-notes: add entry for ConnectionLimit.Value optional Signed-off-by: Felipe Sabadini Facina <[email protected]> * fix: add CEL rule to require value when closeDelay is set Signed-off-by: Felipe Sabadini Facina <[email protected]> --------- Signed-off-by: Felipe Sabadini Facina <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix test race (#8180) * fix test race Signed-off-by: zirain <[email protected]> * use io.Discard Signed-off-by: zirain <[email protected]> * use sync.WaitGroup Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Signed-off-by: Isaac Wilson <[email protected]> Co-authored-by: Isaac Wilson <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix gen check Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: y-rabie <[email protected]> Signed-off-by: Tejasriram Parvathaneni <[email protected]> Signed-off-by: Felipe Sabadini Facina <[email protected]> Signed-off-by: Isaac Wilson <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: y-rabie <[email protected]> Co-authored-by: Teja079 <[email protected]> Co-authored-by: Karol Szwaj <[email protected]> Co-authored-by: Felipe Sabadini <[email protected]> Co-authored-by: Isaac Wilson <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR fixes xPolicy route-target status ancestors for mixed managed and unmanaged parentRefs.
When an HTTPRoute has both:
xPolicy.status.ancestors should only include the Envoy Gateway-managed parent(s).
Before this change, unmanaged parents could appear in xPolicy.status.ancestors.
Example:
Given:
managed-gatewaywithgatewayClassName: envoy-gateway-classunmanaged-gatewaywithgatewayClassName: other-gateway-classHTTPRoute mixed-parents-routewith both parentRefsSecurityPolicy route-policytargetingmixed-parents-routeBefore this PR,
SecurityPolicy.status.ancestorscould include both gateways:After this PR, only EG-managed ancestors are reported:
Fixes: #8320