Description
As a Cluster Admin, I want to restrict which elements of my system have access to Gateway ingress and to create predictable isolation across GatewayClasses and dataplanes. I also want to help App Devs by restricting Route binding so that they see predictable attachments and no unintentional or unexpected traffic routing.
Conversely, I want to allow App Devs in different organizations access to my Gateway controller by specifying whether All namespaces, a selection of namespaces, or only the Same namespace are supported.
AllowedRoutes allows admins to shape the traffic of their system: they can deploy multiple GatewayClasses, Gateways, and dataplanes, then shape which Gateways serve the App Dev routes, for example a TLS-only Gateway, a test and dev set, or specific namespaces having exposure to ingress.
Acceptance Criteria
- Support AllowedRoutes; Namespace specification, Namespace selection.
  - FromNamespaces:
    - All, Same, Selector
  - Routes by Kind
    - Support kinds field.
    - Add SupportedKinds ListenerStatus for every listener in a Gateway.
- Gateway updates require a re-binding reconciliation; new routes will be allowed, old routes will be disallowed.
- If HTTPRoute is not allowed, set RouteStatus to Accepted/False/NotAllowedByListeners (condition/value/reason)
- Update documentation
  - Update gateway compatibility doc
  - Add example for Selector FromNamespaces
- Make sure any relevant conformance tests would pass
Aha! Link: https://nginx.aha.io/features/NKG-59
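
The binding decision and re-binding pass described in the acceptance criteria, sketched in Go as an added example (not the project's own code). `AllowedRoutes`, `Route`, `Allowed` and `Rebind` are hypothetical simplified names, the selector covers matchLabels only, and rejecting an empty selector is a fail-closed assumption of this sketch.

```go
package main

import "fmt"

// Simplified, hypothetical model of a listener's allowedRoutes (not the project's types).
type AllowedRoutes struct {
	From     string            // "All", "Same" or "Selector"
	Selector map[string]string // matchLabels, consulted only when From is "Selector"
	Kinds    []string          // empty means no kind restriction
}

type Route struct{ Kind, Namespace, Name string }

// Allowed reports whether r may bind to a listener of a Gateway in namespace gwNS.
func Allowed(ar AllowedRoutes, gwNS string, r Route, nsLabels map[string]map[string]string) bool {
	kindOK := len(ar.Kinds) == 0
	for _, k := range ar.Kinds {
		kindOK = kindOK || k == r.Kind
	}
	nsOK := ar.From == "All" || (ar.From == "Same" && r.Namespace == gwNS)
	if ar.From == "Selector" {
		nsOK = len(ar.Selector) > 0 // assumption: an empty selector fails closed
		for k, want := range ar.Selector {
			got, ok := nsLabels[r.Namespace][k]
			nsOK = nsOK && ok && got == want
		}
	}
	return kindOK && nsOK // any other From value also fails closed
}

// Rebind re-evaluates every route after a Gateway update; values are condition/value/reason.
func Rebind(ar AllowedRoutes, gwNS string, routes []Route, nsLabels map[string]map[string]string) map[string]string {
	status := map[string]string{}
	for _, r := range routes {
		status[r.Namespace+"/"+r.Name] = "Accepted/False/NotAllowedByListeners"
		if Allowed(ar, gwNS, r, nsLabels) {
			status[r.Namespace+"/"+r.Name] = "Accepted/True/Accepted" // Gateway API success reason
		}
	}
	return status
}

func main() {
	labels := map[string]map[string]string{"team-a": {"ingress": "public"}} // constructed sample
	ar := AllowedRoutes{From: "Selector", Selector: map[string]string{"ingress": "public"}}
	routes := []Route{{"HTTPRoute", "team-a", "web"}, {"HTTPRoute", "team-b", "api"}}
	fmt.Println(Rebind(ar, "gw-ns", routes, labels))
}
```

Calling `Rebind` again with the updated `AllowedRoutes` after a Gateway change yields the new status for every route, so routes that were bound under the old setting and no longer qualify are marked `NotAllowedByListeners`.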