
fix: update XAccessPolicy status when rules are skipped during translation#236

Open
HarshithaMS005 wants to merge 1 commit into kubernetes-sigs:main from HarshithaMS005:fix/xaccesspolicy-translation-status-233

Conversation

@HarshithaMS005
Contributor

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR implements [translation feedback] so the controller no longer leaves XAccessPolicy in a misleading Accepted: True state when the translator skips or only partially applies rules that still pass API validation.
Today, failures such as HTTP ExternalAuth with a non-Service backend or externalAuthUniqueID errors are only logged; Envoy may omit behaviour while status still looks healthy. Issue #233 asks for Gateway API–style policy conditions: Accepted: False with reason Invalid (PolicyReasonInvalid).

Which issue(s) this PR fixes:
Fixes #233

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 9, 2026
@netlify

netlify Bot commented Apr 9, 2026

Deploy Preview for kube-agentic-networking ready!

Name Link
🔨 Latest commit 40d64e5
🔍 Latest deploy log https://app.netlify.com/projects/kube-agentic-networking/deploys/69f8498dec04920008d3d3da
😎 Deploy Preview https://deploy-preview-236--kube-agentic-networking.netlify.app

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 9, 2026
@k8s-ci-robot
Contributor

Hi @HarshithaMS005. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.


@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 9, 2026
@haiyanmeng
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 9, 2026
Contributor

@haiyanmeng haiyanmeng left a comment


@HarshithaMS005 , thanks for the PR!

Can you add a unit test for this change?

@haiyanmeng
Contributor

/cc @guicassolato

/hold @guicassolato please take a look at this change.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 9, 2026
@HarshithaMS005 HarshithaMS005 force-pushed the fix/xaccesspolicy-translation-status-233 branch from 05ae15c to 4945ab5 Compare April 10, 2026 07:42
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 10, 2026
@HarshithaMS005 HarshithaMS005 force-pushed the fix/xaccesspolicy-translation-status-233 branch 3 times, most recently from ce1e662 to 46a849f Compare April 21, 2026 09:00
@bowei
Contributor

bowei commented Apr 22, 2026

/hold

@HarshithaMS005 HarshithaMS005 force-pushed the fix/xaccesspolicy-translation-status-233 branch from 46a849f to e74d678 Compare April 29, 2026 15:42
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: HarshithaMS005
Once this PR has been reviewed and has the lgtm label, please assign liorlieberman for approval. For more information see the Code Review Process.


@HarshithaMS005 HarshithaMS005 force-pushed the fix/xaccesspolicy-translation-status-233 branch from e74d678 to f3a9ee3 Compare April 29, 2026 16:38
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2026
@HarshithaMS005 HarshithaMS005 force-pushed the fix/xaccesspolicy-translation-status-233 branch 2 times, most recently from a0817bb to 7a2b27d Compare April 29, 2026 17:38
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 30, 2026
@HarshithaMS005 HarshithaMS005 force-pushed the fix/xaccesspolicy-translation-status-233 branch from 7a2b27d to 5791bcd Compare May 4, 2026 07:09
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 4, 2026
Collect semantic translation failures during Gateway xDS translation
(ext_authz build + externalAuth fingerprint) and set XAccessPolicy
Accepted=False with Gateway API PolicyReasonInvalid. Re-evaluate
per-target acceptance when translation recovers.
Also added unit tests for the same.

Signed-off-by: Harshitha MS <harshitha.ms@ibm.com>
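The mechanism that the PR description and this commit message describe, collecting semantic translation failures per target and turning them into a Gateway API style Accepted condition that recovers when a later pass succeeds, as an added illustration that is not the project's code. The Condition type, FailureIndex, translateExternalAuth, AcceptanceCondition and SetCondition are assumed names standing in for the real controller and translator types; only the condition strings Accepted and Invalid come from the Gateway API (PolicyConditionAccepted, PolicyReasonInvalid). It builds with the standard library alone.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Condition mirrors the metav1.Condition fields used here (local copy, assumption).
type Condition struct {
	Type               string
	Status             string // "True" or "False"
	Reason             string
	Message            string
	ObservedGeneration int64
}

// Gateway API policy condition strings (PolicyConditionAccepted, PolicyReasonAccepted, PolicyReasonInvalid).
const (
	ConditionAccepted = "Accepted"
	ReasonAccepted    = "Accepted"
	ReasonInvalid     = "Invalid"
)
// TargetRef identifies one policy target, for example a Gateway.
type TargetRef struct{ Kind, Namespace, Name string }

// TranslationFailure is one rule that passed API validation but was skipped in xDS translation (hypothetical type).
type TranslationFailure struct {
	Rule string
	Err  error
}

// FailureIndex collects the failures of one translation pass, keyed by target.
type FailureIndex struct{ byTarget map[TargetRef][]TranslationFailure }

func NewFailureIndex() *FailureIndex {
	return &FailureIndex{byTarget: map[TargetRef][]TranslationFailure{}}
}

// Record stores a failure; a nil error (rule translated fine) is ignored.
func (f *FailureIndex) Record(target TargetRef, rule string, err error) {
	if err != nil {
		f.byTarget[target] = append(f.byTarget[target], TranslationFailure{Rule: rule, Err: err})
	}
}

// Failures returns what was recorded for target; nil means it translated cleanly.
func (f *FailureIndex) Failures(target TargetRef) []TranslationFailure { return f.byTarget[target] }

// translateExternalAuth stands in for the ext_authz filter build: an HTTP ExternalAuth backend
// must be a Service; anything else is a semantic failure API validation does not catch (stand-in, not project code).
func translateExternalAuth(backendKind string) error {
	if backendKind != "Service" {
		return fmt.Errorf("externalAuth backend kind %q is not supported, only Service is", backendKind)
	}
	return nil
}

// AcceptanceCondition derives the per-target Accepted condition from the latest pass; no failures means recovery.
func AcceptanceCondition(generation int64, failures []TranslationFailure) Condition {
	if len(failures) == 0 {
		return Condition{Type: ConditionAccepted, Status: "True", Reason: ReasonAccepted,
			Message: "policy translated for this target", ObservedGeneration: generation}
	}
	msgs := make([]string, 0, len(failures))
	for _, fl := range failures {
		msgs = append(msgs, fmt.Sprintf("%s: %v", fl.Rule, fl.Err))
	}
	sort.Strings(msgs) // deterministic message, so status does not flap between reconciles
	return Condition{Type: ConditionAccepted, Status: "False", Reason: ReasonInvalid,
		Message: "rules skipped during translation: " + strings.Join(msgs, "; "), ObservedGeneration: generation}
}

// SetCondition upserts by Type (like meta.SetStatusCondition), so each reconcile replaces the previous verdict.
func SetCondition(conds []Condition, c Condition) []Condition {
	for i := range conds {
		if conds[i].Type == c.Type {
			conds[i] = c
			return conds
		}
	}
	return append(conds, c)
}

func main() {
	gw := TargetRef{Kind: "Gateway", Namespace: "default", Name: "gw-a"}
	// Pass 1: rules[0] points at a ConfigMap and is skipped; rules[1] translates fine.
	idx := NewFailureIndex()
	idx.Record(gw, "rules[0].externalAuth", translateExternalAuth("ConfigMap"))
	idx.Record(gw, "rules[1].externalAuth", translateExternalAuth("Service"))
	status := SetCondition(nil, AcceptanceCondition(1, idx.Failures(gw)))
	fmt.Printf("%+v\n", status[0]) // Status:False Reason:Invalid
	// Pass 2: the backend was fixed, so the same target is re-evaluated and recovers.
	idx = NewFailureIndex()
	idx.Record(gw, "rules[0].externalAuth", translateExternalAuth("Service"))
	status = SetCondition(status, AcceptanceCondition(2, idx.Failures(gw)))
	fmt.Printf("%+v\n", status[0]) // Status:True Reason:Accepted
}
```

The point a defender cares about is the second pass: the index is rebuilt from scratch on every translation, so a target that stops failing flips back to Accepted=True on its own, and the condition carries the generation it was computed for so a stale verdict is distinguishable from a current one.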
@HarshithaMS005 HarshithaMS005 force-pushed the fix/xaccesspolicy-translation-status-233 branch from 5791bcd to 40d64e5 Compare May 4, 2026 07:23
@HarshithaMS005
Contributor Author

/test pull-kube-agentic-networking-e2e

@haiyanmeng
Contributor

/lgtm

/hold for @LiorLieberman to approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 11, 2026
@david-martin
Contributor

@HarshithaMS005

Two questions as I read through this:

  1. Should we reject the entire policy rather than partially enforcing it when a rule can't be translated? Partial enforcement of security policy means the effective behavior differs from what the user wrote, which could be a security gap. Gateway API takes an all-or-nothing approach with HTTPRoute. Curious what you and @guicassolato think.
  2. For the ExternalAuth HTTP backend kind restriction, could we catch that earlier with a CEL validation rule on the CRD? The user would get immediate feedback from kubectl apply rather than waiting for the controller to reconcile.

Neither of these blocks the current PR, just want to make sure we've thought through the design before it sets a pattern.

@LiorLieberman
Member

/hold
Will review today, thanks!

return
}
for _, ap := range attached {
policy, err := c.agentic.accessPolicyLister.XAccessPolicies(ap.Namespace).Get(ap.Name)
Contributor


What's the goal of getting the policy object again? Is it to ensure the latest spec.targetRefs after getting the state of the object from the listing at line 347?

This seems almost the same as #236 (comment). I wonder if this step is really needed.

If we can confirm this builds on the informer's cache and won't issue a request to the API server for each policy object unless the generation of the resource has changed, then perhaps there's no harm in keeping it. Otherwise, I'd probably advocate for avoiding the overhead on the API server, given another reconciliation event may have been enqueued already by the time this happens.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 16, 2026
@k8s-ci-robot
Contributor

PR needs rebase.

