Skip to content

Add security considerations guide, update security model #4219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rikatz wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add security considerations guide, update security model #4219

rikatz wants to merge 3 commits into from
+248 −9

Conversation

@rikatz
Copy link
Member

@rikatz rikatz commented Nov 3, 2025

What type of PR is this?
/kind documentation

What this PR does / why we need it:
Adds a security considerations guide for Gateway API
Which issue(s) this PR fixes:
Related #3709

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/documentation Categorizes issue or PR as related to documentation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 3, 2025
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2025
@rikatz
Copy link
Member Author

rikatz commented Nov 3, 2025

/hold
wait for some reviews

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 3, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rikatz
Once this PR has been reviewed and has the lgtm label, please assign robscott for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2025
rikatz
rikatz commented Nov 3, 2025
View reviewed changes
robscott
robscott reviewed Nov 3, 2025
View reviewed changes
Copy link
Member

@robscott robscott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @rikatz, this is great!

site-src/concepts/security-considerations.md
## Avoiding hostname/domain hijacking

Gateway controllers work to disambiguate and detect conflicts caused by sharing
different ports, protocols, etc. between various listeners. (?)
Copy link
Member

@robscott robscott Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe instead of focusing on listeners, focus on the overall theme that it's possible in Gateway API for different Routes or ListenerSets to both claim the same hostname + path, and that Gateway controllers are responsible for conflict resolution.

Copy link
Member Author

@rikatz rikatz Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rob, I am having some bad time here to give you a proper resolution :D do you mind doing a suggestion on how this should look like (unless it is more than 1 line of change!)

site-src/concepts/security-considerations.md Outdated
Owners of resources should be aware of the usage of [ReferenceGrants](../api-types/referencegrant.md).
This should be audited and limited by admins (needs some better writing here).

The intended use of ReferenceGrants is to allow for the *owner* of an object where
Copy link
Member

@robscott robscott Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One concern here is that we may end up rewriting/duplicating some of the ReferenceGrant docs. I think it makes sense to keep most ReferenceGrant-specific information in those docs, and then keep this doc for suggestions on how to further limit the use of ReferenceGrant.

Copy link
Member Author

@rikatz rikatz Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@robscott do you think the referencegrant docs already cover enough of this?

I am adding then just a reference on the ReferenceGrant docs for the security considerations, and on this document I am removing almost all of this text, and leaving bare minimum related to security.

cc @youngnick I didn't erased your text from the original document :) so if you feel we still should add that part of ReferenceGrant here or on ReferenceGrant api-reference lmk!

@kflynn kflynn mentioned this pull request Nov 18, 2025
Open
1 task
@rikatz
Copy link
Member Author

rikatz commented Nov 26, 2025

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 26, 2025
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 6, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robscott robscott robscott left review comments

@candita candita Awaiting requested review from candita

@kflynn kflynn Awaiting requested review from kflynn

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/documentation Categorizes issue or PR as related to documentation. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rikatz @k8s-ci-robot @robscott