Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ReferenceGrants are ignored by GRPCRoute #2333

Closed
kate-osborn opened this issue Aug 6, 2024 · 0 comments · Fixed by #2337
Closed

ReferenceGrants are ignored by GRPCRoute #2333

kate-osborn opened this issue Aug 6, 2024 · 0 comments · Fixed by #2337
Assignees
@kate-osborn

Comments

@kate-osborn
Copy link
Contributor

Describe the bug
If a GRPCRoute references a Service in a different namespace and a ReferenceGrant exists permitting this cross-namespace reference, the reference is incorrectly rejected.

To Reproduce
Steps to reproduce the behavior:

Apply the following resources:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: permit-grpcroute-to-test-services
  namespace: test
spec:
  to:
  - group: ""
    kind: Service
  from:
  - group: gateway.networking.k8s.io
    kind: GRPCRoute
    namespace: default
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: same-namespace
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: exact-matching
spec:
  parentRefs:
  - name: same-namespace
  rules:
  - matches:
    - method:
        service: helloworld.Greeter
        method: SayHello
    backendRefs:
    - name: grpc-infra-backend-v1
      namespace: test
      port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: grpc-infra-backend-v1
  namespace: test
spec:
  selector:
    app: grpc-infra-backend-v1
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 50051
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-infra-backend-v1
  namespace: test
  labels:
    app: grpc-infra-backend-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-infra-backend-v1
  template:
    metadata:
      labels:
        app: grpc-infra-backend-v1
    spec:
      containers:
      - name: grpc-infra-backend-v1
        image: ghcr.io/nginxinc/kic-test-grpc-server:0.2.1
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        resources:
          requests:
            cpu: 10m

Describe the GRPCRoute:

kubectl describe grpcroute

See the error condition for ResolvedRefs:

  Last Transition Time:  2024-08-06T15:38:00Z
  Message:               Backend ref to Service test/grpc-infra-backend-v1 not permitted by any ReferenceGrant
  Observed Generation:   1
  Reason:                RefNotPermitted
  Status:                False
  Type:                  ResolvedRefs
Controller Name:         gateway.nginx.org/nginx-gateway-controller

Expected behavior
ResolvedRefs condition on GRPCRoute should be True

Your environment

  • Version of the NGINX Gateway Fabric - edge f24ab6f

Additional context
Add any other context about the problem here. Any log files you want to share.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kate-osborn kate-osborn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Check for ReferenceGrants from GRPCRoutes to Services kate-osborn/nginx-gateway-fabric
1 participant
@kate-osborn