Closed as not planned
Description
As cluster operator and/or application admin, I want to be able to use ReferenceGrant to selectively enable cross-namespace references so that I can ensure secure and controlled access to cross-namespace resources. Specifically, I want to use ReferenceGrants to allow Gateways to reference Secrets and Routes to reference Backend (Services).
Acceptance Criteria
- The ReferenceGrant should permit Gateways to reference Secrets across namespace boundaries.
- The ReferenceGrant should permit Routes to reference Backends (Services) across namespace boundaries.
- Cross-namespace references without a grant should not be permitted.
- Each ReferenceGrant should represent a unique trust relationship, allowing me to add or remove grants to manage access to cross-namespace resources.
- When a ReferenceGrant is removed, the access that the grant allowed should be automatically revoked.
- When a ReferenceGrant is changed, the access that the grant allowed should be automatically recalculated and applied accordingly.
- If a cross-namespace reference is made without an applicable ReferenceGrant, do NOT expose information about the existence of a resource in another namespace. NKG should only report that the ReferenceGrant does not exist to allow this reference. Do not give hints about whether or not the referenced resource exists.
- Update the documentation
- Update the compatibility doc
- Add an example for both Gateway -> Secret and Route -> Backend cross-namespace routing
- Make sure all relevant conformance tests would pass
https://gateway-api.sigs.k8s.io/api-types/referencegrant/
https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferenceGrant
Aha! Link: https://nginx.aha.io/features/NKG-61