From 13306411ba85cb453e288499480444cffc74e896 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Fri, 3 Jun 2022 16:10:18 -0400 Subject: [PATCH 1/5] Update ReferencePolicy docs to include Gateway -> Secret use case --- apis/v1alpha2/referencepolicy_types.go | 2 ++ .../gateway.networking.k8s.io_referencegrants.yaml | 5 +++-- .../stable/gateway.networking.k8s.io_referencegrants.yaml | 5 +++-- site-src/v1alpha2/api-types/referencegrant.md | 5 +++-- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/apis/v1alpha2/referencepolicy_types.go b/apis/v1alpha2/referencepolicy_types.go index 0aea80b8f0..45b29dcbe8 100644 --- a/apis/v1alpha2/referencepolicy_types.go +++ b/apis/v1alpha2/referencepolicy_types.go @@ -95,6 +95,7 @@ type ReferenceGrantFrom struct { // additional resources, the following Route types are part of the "Core" // support level for this field: // + // * Gateway // * HTTPRoute // * TCPRoute // * TLSRoute @@ -120,6 +121,7 @@ type ReferenceGrantTo struct { // additional resources, the following types are part of the "Core" // support level for this field: // + // * Secret // * Service Kind Kind `json:"kind"` diff --git a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml index d3511539da..f6c40dd2c2 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml @@ -71,7 +71,7 @@ spec: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following Route types are part of the \"Core\" support level for this field: \n - * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + * Gateway * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ @@ -110,7 +110,8 @@ spec: kind: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are - part of the \"Core\" support level for this field: \n * Service" + part of the \"Core\" support level for this field: \n * Secret + * Service" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ diff --git a/config/crd/stable/gateway.networking.k8s.io_referencegrants.yaml b/config/crd/stable/gateway.networking.k8s.io_referencegrants.yaml index 6fa5f8d280..f75e7c128d 100644 --- a/config/crd/stable/gateway.networking.k8s.io_referencegrants.yaml +++ b/config/crd/stable/gateway.networking.k8s.io_referencegrants.yaml @@ -71,7 +71,7 @@ spec: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following Route types are part of the \"Core\" support level for this field: \n - * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + * Gateway * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ @@ -110,7 +110,8 @@ spec: kind: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are - part of the \"Core\" support level for this field: \n * Service" + part of the \"Core\" support level for this field: \n * Secret + * Service" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ diff --git a/site-src/v1alpha2/api-types/referencegrant.md b/site-src/v1alpha2/api-types/referencegrant.md index 7a8290ff80..219c2b5922 100644 --- a/site-src/v1alpha2/api-types/referencegrant.md +++ b/site-src/v1alpha2/api-types/referencegrant.md @@ -115,14 +115,15 @@ safeguards are in place. ReferenceGrant support is a "CORE" conformance level requirement for cross-namespace references that originate from the following objects: +- Gateway - HTTPRoute - TLSRoute - TCPRoute - UDPRoute That is, all implementations MUST use this flow for any cross namespace -references in any of the core xRoute types, except as noted in the Exceptions -section above. +references in the Gateway and any of the core xRoute types, except as noted +in the Exceptions section above. Other "ImplementationSpecific" objects and references MUST also use this flow for cross-namespace references, except as noted in the Exceptions section above. From efaf1a873ae87bcf35a8770899608143bf4707a4 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 29 Jun 2022 15:52:55 -0400 Subject: [PATCH 2/5] Move previous changes to ReferenceGrant --- apis/v1alpha2/referencegrant_types.go | 2 + apis/v1alpha2/referencepolicy_types.go | 76 -------------------------- 2 files changed, 2 insertions(+), 76 deletions(-) diff --git a/apis/v1alpha2/referencegrant_types.go b/apis/v1alpha2/referencegrant_types.go index e6d59a952e..1ee6168348 100644 --- a/apis/v1alpha2/referencegrant_types.go +++ b/apis/v1alpha2/referencegrant_types.go @@ -95,6 +95,7 @@ type ReferenceGrantFrom struct { // additional resources, the following Route types are part of the "Core" // support level for this field: // + // * Gateway // * HTTPRoute // * TCPRoute // * TLSRoute @@ -120,6 +121,7 @@ type ReferenceGrantTo struct { // additional resources, the following types are part of the "Core" // support level for this field: // + // * Secret // * Service Kind Kind `json:"kind"` diff --git a/apis/v1alpha2/referencepolicy_types.go b/apis/v1alpha2/referencepolicy_types.go index 71144df230..dc41701a8e 100644 --- a/apis/v1alpha2/referencepolicy_types.go +++ b/apis/v1alpha2/referencepolicy_types.go @@ -60,79 +60,3 @@ type ReferencePolicyList struct { metav1.ListMeta `json:"metadata,omitempty"` Items []ReferencePolicy `json:"items"` } - -// ReferenceGrantSpec identifies a cross namespace relationship that is trusted -// for Gateway API. -type ReferenceGrantSpec struct { - // From describes the trusted namespaces and kinds that can reference the - // resources described in "To". Each entry in this list must be considered - // to be an additional place that references can be valid from, or to put - // this another way, entries must be combined using OR. - // - // Support: Core - // - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=16 - From []ReferenceGrantFrom `json:"from"` - - // To describes the resources that may be referenced by the resources - // described in "From". Each entry in this list must be considered to be an - // additional place that references can be valid to, or to put this another - // way, entries must be combined using OR. - // - // Support: Core - // - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=16 - To []ReferenceGrantTo `json:"to"` -} - -// ReferenceGrantFrom describes trusted namespaces and kinds. -type ReferenceGrantFrom struct { - // Group is the group of the referent. - // When empty, the Kubernetes core API group is inferred. - // - // Support: Core - Group Group `json:"group"` - - // Kind is the kind of the referent. Although implementations may support - // additional resources, the following Route types are part of the "Core" - // support level for this field: - // - // * Gateway - // * HTTPRoute - // * TCPRoute - // * TLSRoute - // * UDPRoute - Kind Kind `json:"kind"` - - // Namespace is the namespace of the referent. - // - // Support: Core - Namespace Namespace `json:"namespace"` -} - -// ReferenceGrantTo describes what Kinds are allowed as targets of the -// references. -type ReferenceGrantTo struct { - // Group is the group of the referent. - // When empty, the Kubernetes core API group is inferred. - // - // Support: Core - Group Group `json:"group"` - - // Kind is the kind of the referent. Although implementations may support - // additional resources, the following types are part of the "Core" - // support level for this field: - // - // * Secret - // * Service - Kind Kind `json:"kind"` - - // Name is the name of the referent. When unspecified, this policy - // refers to all resources of the specified Group and Kind in the local - // namespace. - // - // +optional - Name *ObjectName `json:"name,omitempty"` -} From c796522c7ff8bb4dfcdb23cf28e45268f671724e Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 29 Jun 2022 16:08:04 -0400 Subject: [PATCH 3/5] Revert changes to ReferencePolicy CRD --- .../gateway.networking.k8s.io_referencepolicies.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml b/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml index eff692033d..bfd28dcba3 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml @@ -76,7 +76,7 @@ spec: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following Route types are part of the \"Core\" support level for this field: \n - * Gateway * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ @@ -115,8 +115,7 @@ spec: kind: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are - part of the \"Core\" support level for this field: \n * Secret - * Service" + part of the \"Core\" support level for this field: \n * Service" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ From ccb513784d6ba2216c606cda23ecade7e4d96edb Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 29 Jun 2022 16:36:56 -0400 Subject: [PATCH 4/5] Adjust docs to include ReferenceGrant From and To compatibility --- apis/v1alpha2/object_reference_types.go | 16 ++++++++-------- apis/v1alpha2/referencegrant_types.go | 13 +++++++++---- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/apis/v1alpha2/object_reference_types.go b/apis/v1alpha2/object_reference_types.go index 8365168106..f67b80a836 100644 --- a/apis/v1alpha2/object_reference_types.go +++ b/apis/v1alpha2/object_reference_types.go @@ -65,10 +65,10 @@ type SecretObjectReference struct { // Namespace is the namespace of the backend. When unspecified, the local // namespace is inferred. // - // Note that when a namespace is specified, a ReferenceGrant object - // is required in the referent namespace to allow that namespace's - // owner to accept the reference. See the ReferenceGrant documentation - // for details. + // Note that when a different namespace is specified, a ReferenceGrant + // object with ReferenceGrantTo.Kind=Secret is required in the referent + // namespace to allow that namespace's owner to accept the reference. + // See the ReferenceGrant documentation for details. // // Support: Core // @@ -112,10 +112,10 @@ type BackendObjectReference struct { // Namespace is the namespace of the backend. When unspecified, the local // namespace is inferred. // - // Note that when a namespace is specified, a ReferenceGrant object - // is required in the referent namespace to allow that namespace's - // owner to accept the reference. See the ReferenceGrant documentation - // for details. + // Note that when a different namespace is specified, a ReferenceGrant + // object with ReferenceGrantTo.Kind=Service is required in the referent + // namespace to allow that namespace's owner to accept the reference. + // See the ReferenceGrant documentation for details. // // Support: Core // diff --git a/apis/v1alpha2/referencegrant_types.go b/apis/v1alpha2/referencegrant_types.go index 1ee6168348..9da3057486 100644 --- a/apis/v1alpha2/referencegrant_types.go +++ b/apis/v1alpha2/referencegrant_types.go @@ -92,10 +92,15 @@ type ReferenceGrantFrom struct { Group Group `json:"group"` // Kind is the kind of the referent. Although implementations may support - // additional resources, the following Route types are part of the "Core" - // support level for this field: + // additional resources, the following types are part of the "Core" + // support level for this field. + // + // When used to permit a SecretObjectReference: // // * Gateway + // + // When used to permit a BackendObjectReference: + // // * HTTPRoute // * TCPRoute // * TLSRoute @@ -121,8 +126,8 @@ type ReferenceGrantTo struct { // additional resources, the following types are part of the "Core" // support level for this field: // - // * Secret - // * Service + // * Secret when used to permit a SecretObjectReference + // * Service when used to permit a BackendObjectReference Kind Kind `json:"kind"` // Name is the name of the referent. When unspecified, this policy From 8623dfb5d0fa53b7b120507b7352e0a1e4e18874 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 29 Jun 2022 17:46:48 -0400 Subject: [PATCH 5/5] Regenerate CRDs --- .../gateway.networking.k8s.io_gateways.yaml | 11 ++++---- .../gateway.networking.k8s.io_httproutes.yaml | 26 ++++++++++--------- ...way.networking.k8s.io_referencegrants.yaml | 11 +++++--- ...y.networking.k8s.io_referencepolicies.yaml | 12 ++++++--- .../gateway.networking.k8s.io_tcproutes.yaml | 10 +++---- .../gateway.networking.k8s.io_tlsroutes.yaml | 10 +++---- .../gateway.networking.k8s.io_udproutes.yaml | 10 +++---- .../gateway.networking.k8s.io_gateways.yaml | 11 ++++---- .../gateway.networking.k8s.io_httproutes.yaml | 26 ++++++++++--------- 9 files changed, 70 insertions(+), 57 deletions(-) diff --git a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml index efec3d42ab..d6dc5374d4 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml @@ -377,11 +377,12 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - \n Note that when a namespace is specified, a ReferenceGrant - object is required in the referent namespace to - allow that namespace's owner to accept the reference. - See the ReferenceGrant documentation for details. - \n Support: Core" + \n Note that when a different namespace is specified, + a ReferenceGrant object with ReferenceGrantTo.Kind=Secret + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the + ReferenceGrant documentation for details. \n Support: + Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml index f12e2e976f..d8592a6687 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml @@ -449,8 +449,9 @@ spec: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that - when a namespace is specified, a ReferenceGrant - object is required in the referent namespace + when a different namespace is specified, + a ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: @@ -678,11 +679,11 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferenceGrant - object is required in the referent namespace to allow - that namespace's owner to accept the reference. See - the ReferenceGrant documentation for details. \n Support: - Core" + Note that when a different namespace is specified, a + ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -931,11 +932,12 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace - is inferred. \n Note that when a namespace is - specified, a ReferenceGrant object is required - in the referent namespace to allow that namespace's - owner to accept the reference. See the ReferenceGrant - documentation for details. \n Support: Core" + is inferred. \n Note that when a different namespace + is specified, a ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow + that namespace's owner to accept the reference. + See the ReferenceGrant documentation for details. + \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml index 812975c5dc..3b4c144bd7 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml @@ -69,9 +69,11 @@ spec: type: string kind: description: "Kind is the kind of the referent. Although implementations - may support additional resources, the following Route types - are part of the \"Core\" support level for this field: \n - * Gateway * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + may support additional resources, the following types are + part of the \"Core\" support level for this field. \n When + used to permit a SecretObjectReference: \n * Gateway \n When + used to permit a BackendObjectReference: \n * HTTPRoute * + TCPRoute * TLSRoute * UDPRoute" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ @@ -111,7 +113,8 @@ spec: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret - * Service" + when used to permit a SecretObjectReference * Service when + used to permit a BackendObjectReference" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml b/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml index bfd28dcba3..cabfa9d334 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_referencepolicies.yaml @@ -74,9 +74,11 @@ spec: type: string kind: description: "Kind is the kind of the referent. Although implementations - may support additional resources, the following Route types - are part of the \"Core\" support level for this field: \n - * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + may support additional resources, the following types are + part of the \"Core\" support level for this field. \n When + used to permit a SecretObjectReference: \n * Gateway \n When + used to permit a BackendObjectReference: \n * HTTPRoute * + TCPRoute * TLSRoute * UDPRoute" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ @@ -115,7 +117,9 @@ spec: kind: description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are - part of the \"Core\" support level for this field: \n * Service" + part of the \"Core\" support level for this field: \n * Secret + when used to permit a SecretObjectReference * Service when + used to permit a BackendObjectReference" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml index 428a4d2957..992ad7f79a 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml @@ -200,11 +200,11 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferenceGrant - object is required in the referent namespace to allow - that namespace's owner to accept the reference. See - the ReferenceGrant documentation for details. \n Support: - Core" + Note that when a different namespace is specified, a + ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml index 6ae7209938..78548139af 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml @@ -249,11 +249,11 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferenceGrant - object is required in the referent namespace to allow - that namespace's owner to accept the reference. See - the ReferenceGrant documentation for details. \n Support: - Core" + Note that when a different namespace is specified, a + ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml index c623631e33..2a3aab314a 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml @@ -200,11 +200,11 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferenceGrant - object is required in the referent namespace to allow - that namespace's owner to accept the reference. See - the ReferenceGrant documentation for details. \n Support: - Core" + Note that when a different namespace is specified, a + ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/standard/gateway.networking.k8s.io_gateways.yaml b/config/crd/standard/gateway.networking.k8s.io_gateways.yaml index 1a83191573..eb367a3dd0 100644 --- a/config/crd/standard/gateway.networking.k8s.io_gateways.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_gateways.yaml @@ -377,11 +377,12 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - \n Note that when a namespace is specified, a ReferenceGrant - object is required in the referent namespace to - allow that namespace's owner to accept the reference. - See the ReferenceGrant documentation for details. - \n Support: Core" + \n Note that when a different namespace is specified, + a ReferenceGrant object with ReferenceGrantTo.Kind=Secret + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the + ReferenceGrant documentation for details. \n Support: + Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ diff --git a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml index 11e66c8077..dcbcc0217a 100644 --- a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml @@ -423,8 +423,9 @@ spec: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that - when a namespace is specified, a ReferenceGrant - object is required in the referent namespace + when a different namespace is specified, + a ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: @@ -553,11 +554,11 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n - Note that when a namespace is specified, a ReferenceGrant - object is required in the referent namespace to allow - that namespace's owner to accept the reference. See - the ReferenceGrant documentation for details. \n Support: - Core" + Note that when a different namespace is specified, a + ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -806,11 +807,12 @@ spec: namespace: description: "Namespace is the namespace of the backend. When unspecified, the local namespace - is inferred. \n Note that when a namespace is - specified, a ReferenceGrant object is required - in the referent namespace to allow that namespace's - owner to accept the reference. See the ReferenceGrant - documentation for details. \n Support: Core" + is inferred. \n Note that when a different namespace + is specified, a ReferenceGrant object with ReferenceGrantTo.Kind=Service + is required in the referent namespace to allow + that namespace's owner to accept the reference. + See the ReferenceGrant documentation for details. + \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$