From cdff9e2f68bb9d0e69846969b461eff87e93cb2c Mon Sep 17 00:00:00 2001
From: Alex Leong <alex@buoyant.io>
Date: Wed, 30 Apr 2025 15:54:54 -0700
Subject: [PATCH] fix(policy): allow gateway api httproutes as
 authorizationpolicy target type (#13962)

AuthorizationPolicies may have HTTPRoutes as targetRefs.  However, the validation admission controller webhook for AuthorizationPolicies rejects any which have a httproutes.gateway.networking.k8s.io target (as opposed to httproutes.policy.linkerd.io which are accepted).

We allow httproutes.gateway.networking.k8s.io as a target ref by removing this overly restrictive validation.  This validation was, in fact, completely redundant since the target type is checked during conversion and validated that it is a supported target (including httproutes.gateway.networking.k8s.io).

Validated by running through https://linkerd.io/2-edge/tasks/configuring-per-route-policy/ and replacing the httproutes.policy.linkerd.io with httproutes.gateway.networking.io (including targetRefs).

Signed-off-by: Alex Leong <alex@buoyant.io>
---
 policy-controller/runtime/src/admission.rs | 30 +++-------------------
 1 file changed, 4 insertions(+), 26 deletions(-)

diff --git a/policy-controller/runtime/src/admission.rs b/policy-controller/runtime/src/admission.rs
index ee7cb7e17..1af3e44ab 100644
--- a/policy-controller/runtime/src/admission.rs
+++ b/policy-controller/runtime/src/admission.rs
@@ -1,7 +1,7 @@
 use super::validation;
 use crate::k8s::policy::{
     httproute, AuthorizationPolicy, AuthorizationPolicySpec, EgressNetwork, EgressNetworkSpec,
-    HttpLocalRateLimitPolicy, HttpRoute, HttpRouteSpec, LocalTargetRef, MeshTLSAuthentication,
+    HttpLocalRateLimitPolicy, HttpRoute, HttpRouteSpec, MeshTLSAuthentication,
     MeshTLSAuthenticationSpec, NamespacedTargetRef, Network, NetworkAuthentication,
     NetworkAuthenticationSpec, RateLimitPolicySpec, Server, ServerAuthorization,
     ServerAuthorizationSpec, ServerSpec,
@@ -228,30 +228,6 @@ fn parse_spec<T: DeserializeOwned>(req: AdmissionRequest) -> Result<(DynamicObje
     Ok((obj, spec))
 }
 
-/// Validates the target of an `AuthorizationPolicy`.
-fn validate_policy_target(ns: &str, tgt: &LocalTargetRef) -> Result<()> {
-    if tgt.targets_kind::<Server>() {
-        return Ok(());
-    }
-
-    if tgt.targets_kind::<HttpRoute>() {
-        return Ok(());
-    }
-
-    if tgt.targets_kind::<gateway::GRPCRoute>() {
-        return Ok(());
-    }
-
-    if tgt.targets_kind::<Namespace>() {
-        if tgt.name != ns {
-            bail!("cannot target another namespace: {}", tgt.name);
-        }
-        return Ok(());
-    }
-
-    bail!("invalid targetRef kind: {}", tgt.canonical_kind());
-}
-
 #[async_trait::async_trait]
 impl Validate<AuthorizationPolicySpec> for Admission {
     async fn validate(
@@ -261,7 +237,9 @@ impl Validate<AuthorizationPolicySpec> for Admission {
         _annotations: &BTreeMap<String, String>,
         spec: AuthorizationPolicySpec,
     ) -> Result<()> {
-        validate_policy_target(ns, &spec.target_ref)?;
+        if spec.target_ref.targets_kind::<Namespace>() && spec.target_ref.name != ns {
+            bail!("cannot target another namespace: {}", &spec.target_ref.name);
+        }
 
         let mtls_authns_count = spec
             .required_authentication_refs