fix(kubernetes): apply namespace selector filtering to List operations#8312
Merged
cnvergence merged 10 commits intoenvoyproxy:mainfrom Feb 25, 2026
Merged
fix(kubernetes): apply namespace selector filtering to List operations#8312cnvergence merged 10 commits intoenvoyproxy:mainfrom
cnvergence merged 10 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8312 +/- ##
==========================================
+ Coverage 73.73% 73.83% +0.10%
==========================================
Files 241 242 +1
Lines 37077 37046 -31
==========================================
+ Hits 27337 27353 +16
+ Misses 7796 7761 -35
+ Partials 1944 1932 -12 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
Contributor
Author
|
/retest |
zhaohuabing
reviewed
Feb 20, 2026
zhaohuabing
reviewed
Feb 20, 2026
zhaohuabing
reviewed
Feb 20, 2026
zhaohuabing
reviewed
Feb 20, 2026
zhaohuabing
reviewed
Feb 20, 2026
| } | ||
|
|
||
| // Set the filtered items back to the list | ||
| if err := meta.SetList(list, filtered); err != nil { |
Member
There was a problem hiding this comment.
Nit: this can be skipped if the length of the resulting list is the same as the original one.
zhaohuabing
reviewed
Feb 20, 2026
| // Filter items based on namespace labels | ||
| var filtered []runtime.Object | ||
| for _, item := range items { | ||
| obj, ok := item.(metav1.Object) |
Member
There was a problem hiding this comment.
Nit: Could we cache namespace match results in a map (keyed by namespace) and check that first, to avoid repeatedly calling checkObjectNamespaceLabels for objects in the same namespace?
Member
|
Hi @shahar-h thanks for the fix! This looks good overall. I left a few minor nits for follow-up. |
Contributor
Author
|
/retest |
kkk777-7
previously approved these changes
Feb 22, 2026
Member
|
LGTM, thanks! |
Member
|
Hi @shahar-h — once the conflict is resolved, we should be good to go. |
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
Contributor
Author
Done |
zhaohuabing
previously approved these changes
Feb 23, 2026
Member
zhaohuabing
left a comment
zhaohuabing
left a comment
There was a problem hiding this comment.
LGTM. Thanks for fixing this!
Signed-off-by: shahar-h <shahar.harari@sap.com>
Contributor
Author
|
/retest |
kkk777-7
approved these changes
Feb 24, 2026
Contributor
Author
|
/retest |
1 similar comment
Contributor
Author
|
/retest |
Contributor
Author
|
Can this be merged if there are no further comments? |
antonio-mazzini
pushed a commit
to antonio-mazzini/gateway
that referenced
this pull request
Mar 5, 2026
envoyproxy#8312) * fix(kubernetes): apply namespace selector filtering to List operations Signed-off-by: Shahar Harari <shahar.harari@sap.com> * disable codecov Signed-off-by: Shahar Harari <shahar.harari@sap.com> * cleanup Signed-off-by: Shahar Harari <shahar.harari@sap.com> * fix(kubernetes): apply namespace selector filtering to List operations Signed-off-by: Shahar Harari <shahar.harari@sap.com> * Update release notes Signed-off-by: Shahar Harari <shahar.harari@sap.com> * Improve coverage Signed-off-by: Shahar Harari <shahar.harari@sap.com> * Fix lint error Signed-off-by: Shahar Harari <shahar.harari@sap.com> * cr fixes Signed-off-by: Shahar Harari <shahar.harari@sap.com> --------- Signed-off-by: Shahar Harari <shahar.harari@sap.com> Signed-off-by: shahar-h <shahar.harari@sap.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
When using the Kubernetes provider with
NamespaceSelectorwatch mode, namespace filtering afterclient.Listoperations was implemented for some resources (Gateway, xRoute, ReferenceGrant) but was missing for xPolicy resources (SecurityPolicy, BackendTrafficPolicy, ClientTrafficPolicy, etc.). This caused xPolicy resources from all namespaces to be processed during reconciliation, even when those namespaces didn't match the configured selector.This PR centralizes the namespace filtering logic by introducing a
namespaceSelectorClientwrapper that automatically filters List results. This approach:Note: Watch predicates in
watchResourcesstill have their own namespace filtering checks for filtering incoming events.Which issue(s) this PR fixes:
Fixes #8305
Release Notes: Yes