Skip to content

feat(gatewayapi): calico-system policy for namespaced data-plane proxies#4970

Open
electricjesus wants to merge 3 commits into
tigera:masterfrom
electricjesus:seth/gatewayapi-proxy-allow-policy
Open

feat(gatewayapi): calico-system policy for namespaced data-plane proxies#4970
electricjesus wants to merge 3 commits into
tigera:masterfrom
electricjesus:seth/gatewayapi-proxy-allow-policy

Conversation

@electricjesus

@electricjesus electricjesus commented Jun 26, 2026

Copy link
Copy Markdown
Member

Description

Bug fix.

Since #4690 we run a single envoy-gateway controller in calico-system with deploy.type=GatewayNamespace. The data-plane proxies now run in each Gateway's own namespace, not in calico-system.

We render one gateway policy in the calico-system tier: calico-system.envoy-gateway. It lives in calico-system and selects the controller and certgen pods. The proxies run elsewhere and match no policy in that tier. When a Gateway namespace runs a default-deny tier, the proxy there has nothing to let its traffic through. This is the same kind of miss as the conformance MetalLB pool that stayed pinned to tigera-gateway (projectcalico/calico#13095).

This adds a GlobalNetworkPolicy, calico-system.envoy-gateway-proxy, that selects the proxy pods by k8s-app == 'calico-gateway-api-proxy'. The operator stamps that Calico-owned label on the proxy pods through the EnvoyProxy pod spec, so the policy keys off a label we control rather than Envoy Gateway's own gateway.envoyproxy.io/owning-gateway-name, which we do not own and which could change upstream. A GNP covers any Gateway namespace, including ones created later, with no re-render. It allows:

  • Egress to DNS, plus xDS (18000) and Wasm fetch (18002) to the controller in calico-system. The proxy dials the controller (see envoyproxy/gateway internal/infrastructure/kubernetes/proxy/resource.go and internal/xds/bootstrap). 18001 is the ratelimit path, not a proxy path, so it is left out.
  • Ingress on all inbound TCP. Listener ports are user-defined, so the proxy has to accept any port to work out of the box. This also covers the 19001 metrics scrape.

The same Calico-owned labelling now covers all three envoy-gateway components (controller, certgen, proxy) from one documented place in the gateway render. It is not set through the standard labeller in pkg/controller/utils/component.go on purpose: that labeller keys off the object name, and the proxy pods are created by the envoy-gateway controller at runtime, so the operator never renders them to label.

How I tested it

I built this operator image and ran it on an OSS master cluster (eBPF, namespaced mode). I put a Gateway, an HTTPRoute, and an nginx backend in a normal user namespace, scoped a Calico default-deny to the proxy pod, and curled the proxy from inside the cluster.

Step Setup Result
Baseline no deny HTTP 200
Reproduce default-deny, stock operator (no GNP) times out, proxy fully blocked
This PR default-deny, our operator (GNP) HTTP 503: proxy reachable and routing, only the backend hop is denied
Backend allow user allows proxy to backend HTTP 200

I also tried the narrower ingress idea (allow only 19001, then Pass). Under default-deny it times out: listener traffic falls through to the user's deny and the Gateway stops serving. So allowing all inbound TCP is the right default. The cost is that an Allow is terminal in this tier, so a user cannot narrow proxy ingress with their own policy. Scaling the operator back up showed it reverts any drift on the GNP and the Gateway recovers.

I re-ran the whole repro after switching the selector to the Calico-owned k8s-app label (OSS master, eBPF, namespaced mode). The operator stamps k8s-app: calico-gateway-api-proxy on the proxy pod, the rendered GNP calico-system.envoy-gateway-proxy selects it, and the table holds: baseline 200; under a Gateway-namespace default-deny the proxy returns 503 (reachable and routing, only the backend hop denied); allowing proxy to backend gives 200. Scaling the operator down and deleting the GNP drops the proxy to a full timeout, and scaling it back up re-renders the GNP and the Gateway recovers. One thing to watch when testing this by hand: the 503 lands after Envoy's ~10s upstream timeout, so a curl timeout under 10s reads as a connect failure even though the proxy is reachable..

One thing to know

The GNP covers the proxy's own needs: DNS, the control-plane link, and ingress. It does not open egress to backends, because backends are arbitrary user workloads. A user who runs default-deny in a Gateway namespace has to allow the proxy to reach their backend themselves. Until they do, the proxy is up and configured but returns 503 on the upstream. This matches how the controller policy already works, and is worth a line in the docs.

Release Note

Add a `calico-system`-tier GlobalNetworkPolicy for Envoy Gateway data-plane proxies so Gateways work under a default-deny tier when proxies run in per-Gateway namespaces (deploy.type=GatewayNamespace).

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files (n/a, no API change).
  • If changing versions, run make gen-versions (n/a).

@marvin-tigera marvin-tigera added this to the v1.44.0 milestone Jun 26, 2026
@electricjesus electricjesus force-pushed the seth/gatewayapi-proxy-allow-policy branch from d3d69a5 to 311699b Compare June 26, 2026 08:09
@electricjesus electricjesus marked this pull request as ready for review June 26, 2026 08:16
@electricjesus electricjesus requested a review from a team as a code owner June 26, 2026 08:16
Since deploy.type=GatewayNamespace (tigera#4690) the data-plane envoy proxies run
in each Gateway's own namespace, not calico-system. The only calico-system
gateway policy selects the controller/certgen pods in calico-system, so the
proxies match nothing and have no policy punching through a default-deny
tier in the namespaces they now run in.

Add a GlobalNetworkPolicy selecting the EG proxy pods (label
gateway.envoyproxy.io/owning-gateway-name) so it covers every Gateway
namespace with no re-render: DNS + xDS(18000)/Wasm(18002) egress to the
controller in calico-system, and all inbound TCP so a managed Gateway serves
traffic out of the box under a default-deny tier. Backend egress is left to
the user, matching the controller policy.
@electricjesus electricjesus force-pushed the seth/gatewayapi-proxy-allow-policy branch from 311699b to fe034ab Compare June 26, 2026 10:13
@electricjesus electricjesus changed the title feat(gatewayapi): allow-tigera policy for namespaced data-plane proxies feat(gatewayapi): calico-system policy for namespaced data-plane proxies Jun 26, 2026
Comment thread pkg/render/gatewayapi/gateway_api.go Outdated
// not calico-system, so they need their own policy in the calico-system tier. EnvoyProxy
// stamps gateway.envoyproxy.io/owning-gateway-name on every proxy pod, so use it as the selector.
ProxyPolicyName = networkpolicy.CalicoComponentPolicyPrefix + "envoy-gateway-proxy"
EnvoyProxyPolicySelector = "has(gateway.envoyproxy.io/owning-gateway-name)"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we set some calico labels on these objects and use those for policy?

Related: do the envoy related components have standard labels that we set in utils/component.go? If not,that is a gap.

Per review: instead of selecting the data-plane proxy pods on Envoy
Gateway's gateway.envoyproxy.io/owning-gateway-name label, which we do
not own and which could change upstream without notice, stamp our own
k8s-app=calico-gateway-api-proxy label on the proxy pods through the
EnvoyProxy pod spec and point the calico-system-tier proxy policy at
that. Any user-supplied pod labels from a custom EnvoyProxy are kept.
Put the Calico-owned k8s-app labeling for all three envoy-gateway
components in one documented place. The operator-rendered controller and
certgen pods go through setGatewayComponentLabel; the runtime-created
proxy pods, which the operator never renders, go through the EnvoyProxy
pod spec (ensureGatewayProxyLabel). Documents why this lives in the
gateway render and not the standard labeler in component.go, which keys
off the object name and cannot reach a runtime-created pod.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants