Skip to content

controller: block Gateway deletion when AccessPolicy targets it#160

Open
HarshithaMS005 wants to merge 1 commit intokubernetes-sigs:mainfrom
HarshithaMS005:fix-gateway-finalizer-for-accesspolicy-refs
Open

controller: block Gateway deletion when AccessPolicy targets it#160
HarshithaMS005 wants to merge 1 commit intokubernetes-sigs:mainfrom
HarshithaMS005:fix-gateway-finalizer-for-accesspolicy-refs

Conversation

@HarshithaMS005
Copy link
Contributor

@HarshithaMS005 HarshithaMS005 commented Mar 10, 2026

What type of PR is this?
/kind bug

What this PR does / why we need it:
Deleting a Gateway that is still referenced by an AccessPolicy can lead to inconsistent state and reconciliation errors.

  • Finalizer protection: When reconciling a Gateway that is being deleted, the controller now also checks whether any XAccessPolicy in the same namespace has a targetRef to this Gateway (group gateway.networking.k8s.io, kind Gateway). If so, the Gateway’s finalizer is not removed and the Envoy proxy is not deleted until those AccessPolicies are removed.
  • Reconciliation on AccessPolicy delete: When an AccessPolicy is added, updated, or deleted, the controller enqueues any Gateway referenced by that policy’s targetRefs. So when an AccessPolicy that targeted a Gateway is deleted, the Gateway is reconciled and can then remove its finalizer and complete deletion, avoiding the deadlock pattern.

Which issue(s) this PR fixes:
Fixes #150

Does this PR introduce a user-facing change?:

NONE

@HarshithaMS005
controller: block Gateway deletion when AccessPolicy targets it
606288f 
Signed-off-by: Harshitha MS <harshitha.ms@ibm.com>
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 10, 2026
@netlify
Copy link

netlify bot commented Mar 10, 2026
edited
Loading

Deploy Preview for kube-agentic-networking ready!

Name Link
🔨 Latest commit 606288f
🔍 Latest deploy log https://app.netlify.com/projects/kube-agentic-networking/deploys/69afc5206910cb00083e1256
😎 Deploy Preview https://deploy-preview-160--kube-agentic-networking.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Mar 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: HarshithaMS005
Once this PR has been reviewed and has the lgtm label, please assign haiyanmeng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 10, 2026
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Mar 10, 2026

Hi @HarshithaMS005. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 10, 2026
@haiyanmeng
Copy link
Contributor

haiyanmeng commented Mar 10, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@haiyanmeng haiyanmeng Awaiting requested review from haiyanmeng

@LiorLieberman LiorLieberman Awaiting requested review from LiorLieberman

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add finalizer protection for Gateway referenced by AccessPolicy

3 participants

@HarshithaMS005 @k8s-ci-robot @haiyanmeng