Controller creates VPC Lattice Service from unauthorized HTTPRoute namespace #786

@Abdelwaheb-Hnaien

Description

When an HTTPRoute is created in a namespace that is not authorized to attach to the Gateway (according to the allowedRoutes policy), the controller still proceeds to create a VPC Lattice service. This behavior is unexpected, as the HTTPRoute should be rejected or ignored entirely if it does not meet the namespace constraints defined in the Gateway configuration. The lack of enforcement at the VPC Lattice provisioning layer can lead to confusion, unintended resource creation, and potential misconfiguration across namespace boundaries.

Controller version: 1.1.3

Gateway definition:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-hotel
  namespace: default
spec:
  gatewayClassName: amazon-vpc-lattice
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchExpressions:
              - key: kubernetes.io/metadata.name
                operator: In
                values:
                  - default

HTTPRoute definition:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: db
  namespace: db
spec:
  parentRefs:
    - name: my-hotel
      namespace: default
      sectionName: http
  rules:
    - backendRefs:
        - name: db
          kind: Service
          port: 3306

k get httproute db -n db -o yaml:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  annotations:
    application-networking.k8s.aws/lattice-assigned-domain-name: db-db-0340ce31bbef6f3f6.7d67968.vpc-lattice-svcs.us-east-1.on.aws
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gateway.networking.k8s.io/v1","kind":"HTTPRoute","metadata":{"annotations":{},"name":"db","namespace":"db"},"spec":{"parentRefs":[{"name":"my-hotel","namespace":"default","sectionName":"http"}],"rules":[{"backendRefs":[{"kind":"Service","name":"db","port":3306}]}]}}
  creationTimestamp: "2025-07-31T13:19:21Z"
  finalizers:
  - httproute.k8s.aws/resources
  generation: 1
  name: db
  namespace: db
  resourceVersion: "104250"
  uid: 820a0cc1-584e-4f39-b53d-c36f15478549
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: my-hotel
    namespace: default
    sectionName: http
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: db
      port: 3306
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /
status:
  parents:
  - conditions:
    - lastTransitionTime: "2025-07-31T13:20:24Z"
      message: ""
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-07-31T13:20:24Z"
      message: ""
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    controllerName: application-networking.k8s.aws/gateway-api-controller
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: my-hotel
      namespace: default
      sectionName: http
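As an added illustration (not the controller's own code), the check below is what the reconciler should evaluate from the Gateway's allowedRoutes before any VPC Lattice call is made; the types are simplified stand-ins for the Gateway API structs, and it reproduces the Gateway and the db namespace from this issue so the rejection is visible.

```go
package main

import "fmt"

// Simplified stand-ins for the Gateway API types (assumption: not the real
// gateway-api structs, only the fields the manifests on this page use).
type Requirement struct{ Key, Operator string; Values []string } // Operator: In, NotIn, Exists, DoesNotExist
type Listener struct{ Name, From string; Selector []Requirement } // From: All, Same or Selector
type Gateway struct{ Namespace string; Listeners []Listener }

// matches evaluates a selector's matchExpressions against a namespace's labels.
func matches(reqs []Requirement, labels map[string]string) bool {
	for _, r := range reqs {
		v, ok := labels[r.Key]
		in := false
		for _, x := range r.Values { in = in || x == v }
		allowed := map[string]bool{"In": ok && in, "NotIn": !(ok && in), "Exists": ok, "DoesNotExist": !ok}
		if !allowed[r.Operator] { // an unknown operator reads as false: fail closed
			return false
		}
	}
	return true
}

// RouteAllowed is the admission check to run before touching VPC Lattice:
// false means the route gets Accepted=False (reason NotAllowedByListeners)
// and no service may be created for it.
func RouteAllowed(gw Gateway, section, routeNS string, nsLabels map[string]string) bool {
	for _, l := range gw.Listeners {
		if section != "" && l.Name != section {
			continue // parentRef.sectionName targets a single listener
		}
		switch l.From {
		case "All": return true
		case "", "Same": if routeNS == gw.Namespace { return true } // Gateway API default is Same
		case "Selector": if matches(l.Selector, nsLabels) { return true }
		}
	}
	return false
}

func main() {
	// The Gateway from the issue: listener "http" admits only the "default" namespace.
	gw := Gateway{Namespace: "default", Listeners: []Listener{{Name: "http", From: "Selector",
		Selector: []Requirement{{Key: "kubernetes.io/metadata.name", Operator: "In", Values: []string{"default"}}}}}}
	// Namespace "db" carries the built-in name label "db", so the route must be rejected.
	fmt.Println(RouteAllowed(gw, "http", "db", map[string]string{"kubernetes.io/metadata.name": "db"})) // false
}
```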

Labels: bug (Something isn't working)