Skip to content

ReferenceGrants are ignored by GRPCRoute #2333

New issue
New issue
Closed
#2337
Closed
ReferenceGrants are ignored by GRPCRoute#2333
#2337
Assignees
kate-osborn
@kate-osborn

Description

@kate-osborn
kate-osborn
opened on Aug 6, 2024

Describe the bug
If a GRPCRoute references a Service in a different namespace and a ReferenceGrant exists permitting this cross-namespace reference, the reference is incorrectly rejected.

To Reproduce
Steps to reproduce the behavior:

Apply the following resources:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: permit-grpcroute-to-test-services
  namespace: test
spec:
  to:
  - group: ""
    kind: Service
  from:
  - group: gateway.networking.k8s.io
    kind: GRPCRoute
    namespace: default
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: same-namespace
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: exact-matching
spec:
  parentRefs:
  - name: same-namespace
  rules:
  - matches:
    - method:
        service: helloworld.Greeter
        method: SayHello
    backendRefs:
    - name: grpc-infra-backend-v1
      namespace: test
      port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: grpc-infra-backend-v1
  namespace: test
spec:
  selector:
    app: grpc-infra-backend-v1
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 50051
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-infra-backend-v1
  namespace: test
  labels:
    app: grpc-infra-backend-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-infra-backend-v1
  template:
    metadata:
      labels:
        app: grpc-infra-backend-v1
    spec:
      containers:
      - name: grpc-infra-backend-v1
        image: ghcr.io/nginxinc/kic-test-grpc-server:0.2.1
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        resources:
          requests:
            cpu: 10m

Describe the GRPCRoute:

kubectl describe grpcroute

See the error condition for ResolvedRefs:

  Last Transition Time:  2024-08-06T15:38:00Z
  Message:               Backend ref to Service test/grpc-infra-backend-v1 not permitted by any ReferenceGrant
  Observed Generation:   1
  Reason:                RefNotPermitted
  Status:                False
  Type:                  ResolvedRefs
Controller Name:         gateway.nginx.org/nginx-gateway-controller

Expected behavior
ResolvedRefs condition on GRPCRoute should be True

Your environment

  • Version of the NGINX Gateway Fabric - edge f24ab6f

Additional context
Add any other context about the problem here. Any log files you want to share.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions