
Kubernetes Reference Grant

Provision a Kubernetes Gateway API ReferenceGrant -- the cross-namespace trust primitive that authorizes resources in other namespaces to reference specified kinds of resources in this grant's namespace. Required for any Gateway API topology that spans namespaces (Gateways referencing cert Secrets, Routes referencing backend Services across namespace boundaries).

What Gets Created

  • A namespaced gateway.networking.k8s.io/v1 ReferenceGrant custom resource.
  • A from list (trusted source namespaces + kinds) and a to list (referenceable kinds, optionally a specific name) scoped to this grant's namespace.

Prerequisites

  • Gateway API CRDs installed on the cluster (KubernetesGatewayApiCrds).
  • The target ("to") namespace (KubernetesNamespace).

Quick Start

apiVersion: kubernetes.openmcf.org/v1
kind: KubernetesReferenceGrant
metadata:
  name: allow-frontend-to-backend
spec:
  namespace:
    value: backend-ns
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: frontend-ns
  to:
    - group: ""
      kind: Service

Apply it with:

openmcf apply -f referencegrant.yaml

Configuration Reference

Required Fields

Field       Type       Description
namespace   reference  The "to" namespace the grant is created in.
from        list       One to 16 trusted (group, kind, namespace) sources.
to          list       One to 16 referenceable (group, kind, optional name) targets.

Optional Fields

Field                    Type    Description
from[].group / to[].group  string  API group; empty ("") means the core group.
to[].name                string  Narrows the grant to a single named target; omit to cover all of the group/kind.
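How a Gateway API implementation evaluates a grant like the Quick Start one, as an added example written for this page (not OpenMCF's or the Gateway API project's own code): references into a namespace are only honored when a ReferenceGrant in that namespace matches both the referring object (group, kind, namespace) and the target (group, kind, optional name); same-namespace references never need a grant. The dict shapes and the sample grant are constructed here, and the breadth warning in validate_grant is this example's own check, not an OpenMCF validation rule.

```python
# Constructed sample: the page's Quick Start grant as the Gateway API
# controller sees it once OpenMCF has created it in backend-ns.
SAMPLE_GRANT = {
    "metadata": {"name": "allow-frontend-to-backend", "namespace": "backend-ns"},
    "spec": {
        "from": [{"group": "gateway.networking.k8s.io", "kind": "HTTPRoute",
                  "namespace": "frontend-ns"}],
        "to": [{"group": "", "kind": "Service"}],
    },
}


def reference_allowed(grants, referrer, target):
    """Return True if the cross-namespace reference is authorized.

    referrer: (group, kind, namespace) of the object holding the reference.
    target:   (group, kind, namespace, name) of the referenced object.
    A ReferenceGrant only authorizes references INTO its own namespace, so
    only grants living in the target namespace are consulted.
    """
    r_group, r_kind, r_ns = referrer
    t_group, t_kind, t_ns, t_name = target
    if r_ns == t_ns:
        return True  # same-namespace references never need a grant
    for g in grants:
        if g["metadata"]["namespace"] != t_ns:
            continue
        from_ok = any(f["group"] == r_group and f["kind"] == r_kind
                      and f["namespace"] == r_ns for f in g["spec"]["from"])
        # An entry without "name" covers every object of that group/kind.
        to_ok = any(t["group"] == t_group and t["kind"] == t_kind
                    and t.get("name") in (None, t_name) for t in g["spec"]["to"])
        if from_ok and to_ok:
            return True
    return False


def validate_grant(grant):
    """Mirror the page's field limits and flag broad grants; returns findings."""
    spec = grant["spec"]
    findings = []
    for key in ("from", "to"):
        if not 1 <= len(spec.get(key, [])) <= 16:
            findings.append(f"spec.{key} must have 1 to 16 entries")
    for f in spec.get("from", []):
        if not f.get("namespace"):
            findings.append("spec.from[] entries need an explicit namespace")
    for t in spec.get("to", []):
        if not t.get("name"):  # valid, but worth a review: unscoped target
            findings.append(f"to {t['group'] or 'core'}/{t['kind']} has no name: "
                            "grants every object of that kind")
    return findings
```

Feeding a real grant's spec into validate_grant before applying it shows at a glance which targets are unscoped; adding to[].name keeps the grant to the one Service or Secret that actually needs to be reachable.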

Stack Outputs

Output              Description
referenceGrantName  Name of the created ReferenceGrant (equals metadata.name).
namespace           Namespace the ReferenceGrant was created in.

Related Components

  • Kubernetes Gateway
  • Kubernetes HTTP Route
  • Kubernetes GRPC Route
  • Kubernetes TLS Route
  • Kubernetes TCP Route
  • Kubernetes Gateway API CRDs
  • Kubernetes Namespace
