Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GEP-1762 enforces resources to be created in the Gateway namespace #3366

Open
arkodg opened this issue Sep 27, 2024 · 3 comments
Open

GEP-1762 enforces resources to be created in the Gateway namespace #3366

arkodg opened this issue Sep 27, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@arkodg
Copy link
Contributor

arkodg commented Sep 27, 2024

What happened:

The Automated Deployments section with GEP-1762 mentions the following

MUST provision generated resources in the same namespace as the Gateway if they are namespace scoped resources.

What you expected to happen:

My suggestion is to modify the MUST to SHOULD . Some implementations such as Envoy Gateway dont have write access into user namespaces and can write into an infrastructure namespace

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:
@arkodg arkodg added the kind/bug Categorizes issue or PR as related to a bug. label Sep 27, 2024
@arkodg arkodg mentioned this issue Sep 27, 2024
Closed
@arkodg
Copy link
Contributor Author

arkodg commented Oct 1, 2024

discussed this issue in the community meeting today, here's a summary

  • Debugging is convenient if generated resources live in the same namespace, however this doesnt need to be enforced, since some implementations may not have privileges to write into other namespaces, so moving the statement to SHOULD should be okay.
  • To fix the discoverability issue of finding the generated resources if they exist in a different namespace, can be solved by adding an additional label like gateway.networking.k8s.io/gateway-namespace
  • The above GEP statements havent yet made their way into the API docs but the GatewayInfrastructure conformance test tests this out, so this test can be marked as Provisional until the GEP and API docs reflect the updated changes
    cc @youngnick @robscott

arkodg added a commit to arkodg/gateway-api that referenced this issue Oct 1, 2024
@arkodg
mark the GatewayInfrastructure test as Provisional
b873e42 
The test expects generated Gateway resources to
have the `gateway.networking.k8s.io/gateway` label set.
Mark the test as provisional until these statements have
moved into the API docs.

Relates to kubernetes-sigs#3366 (comment)

Signed-off-by: Arko Dasgupta <[email protected]>
@arkodg arkodg mentioned this issue Oct 1, 2024
Merged
k8s-ci-robot pushed a commit that referenced this issue Oct 2, 2024
@arkodg
mark the GatewayInfrastructure test as Provisional (#3373)
b311b1c 
The test expects generated Gateway resources to
have the `gateway.networking.k8s.io/gateway` label set.
Mark the test as provisional until these statements have
moved into the API docs.

Relates to #3366 (comment)

Signed-off-by: Arko Dasgupta <[email protected]>
@rouke-broersma
Copy link

rouke-broersma commented Oct 15, 2024
edited
Loading

Some implementations such as Envoy Gateway dont have write access into user namespaces and can write into an infrastructure namespace

I'm curious what in this model a user and an infrastructure namespace entails. In my mind with the design goal of gateway api and it's personas a gateway resource would never live in a 'user' namespace, this would always live in some kind of infrastructure namespace (depending on definitions of these types of namespaces).

@arkodg
Copy link
Contributor Author

arkodg commented Oct 22, 2024
edited
Loading

Some implementations such as Envoy Gateway dont have write access into user namespaces and can write into an infrastructure namespace

I'm curious what in this model a user and an infrastructure namespace entails. In my mind with the design goal of gateway api and it's personas a gateway resource would never live in a 'user' namespace, this would always live in some kind of infrastructure namespace (depending on definitions of these types of namespaces).

@rouke-broersma, the user here is the platform engineer/admin. The point this GH issue is trying to make is that both the deployment models are valid, some implementations support both these models, but will default to 1. or 2.

  1. deploying generated resources in a separate infrastructure namespace to limit write access to the controller/implementation, troubleshooting can still be achieved by analyzing Gateway.Status
  2. deploying generated resources in the Gateway namespace for more control of the generated resource

so the MUST enforcement should be relaxed to a SHOULD

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rouke-broersma @arkodg