Add v1alpha1 api

[LiorLieberman]

What type of PR is this?

What this PR does / why we need it:
Add v1alpha1 API
Move ExternalAuth to top level and add more native mcp support as discussed.
Which issue(s) this PR fixes:

Relates to #255

Does this PR introduce a user-facing change?:

add v1alpha1 api for XAccessPolicy

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[netlify]

✅ Deploy Preview for kube-agentic-networking ready!

Name	Link
🔨 Latest commit	7b2e1ae
🔍 Latest deploy log	https://app.netlify.com/projects/kube-agentic-networking/deploys/69fa6c6c37ad6b0008433a4b
😎 Deploy Preview	https://deploy-preview-259--kube-agentic-networking.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[haiyanmeng]

/retest

[haiyanmeng]

@LiorLieberman , can you add test coverage into https://github.com/kubernetes-sigs/kube-agentic-networking/tree/main/tests/cel and https://github.com/kubernetes-sigs/kube-agentic-networking/tree/main/tests/crd? Thanks!

[haiyanmeng]

why

kube-agentic-networking/api/v0alpha0/accesspolicy_types.go

Line 35 in 9d6bbc1

// +kubebuilder:validation:XValidation:rule="self.all(x, (x.group == 'agentic.networking.x-k8s.io' && x.kind == 'XBackend') || (x.group == 'gateway.networking.k8s.io' && x.kind == 'Gateway'))",message="TargetRef must have group agentic.networking.x-k8s.io and kind XBackend, or group gateway.networking.k8s.io and kind Gateway"

is not included in this PR?

If we decide to keep supporting Backend-targeted AccessPolicy in the reference implementation, we should allow the target to be either Gatway or Backend.

[bowei]

I think given there is no official support for XBackend, we should leave references to it out of the validation. When the support is official, then it makes sense to add it back in.

[LiorLieberman]

Hi Haiyan, as we indicated before, the release is not going to include XBackend in it. Therefore Core support for targeting AccessPolicy is going to be only Gateway. However, we still want to allow room for extensibility for targeting any GVK (one example would be the protoype in this repo which will continue to target v0alpha0 backend) so can not have this validation.

[haiyanmeng]

Should we validate the targetRef in control plane?

[LiorLieberman]

TargetRef validation would be in each control plane, yes. And if invalid status will be posted.

[david-martin]

This is about not mixing targetRefs?
So all can be Gateways, or all can be XBackends, but not a mix of both?

[LiorLieberman]

Correct. To start simple. I think this came out of a conclusion in extAuth discussion where Backend and Gateway could have been confusing to be together. This may not be required though anymore since we are not releasing this with XBackend support. I still think its smart to include (easier to relax this later)

[haiyanmeng]

#220 proposes that the request is allowed if any allow policy allows it.

[LiorLieberman]

While we can let ExternalAuth deny early. Having it allow early has several concerns.

External Auth servers typically handle global context (like JWTs or tokens), but they don't necessarily anything about local boundaries inside the cluster. There may be cases where we still need our downstream policies (like SPIFFE identity matching or MCP method whitelisting) to validate that workload A is actually authorized to communicate with workload B, after external auth callout.

Hope thats clear

[bowei]

Looks like that proposal is still in discussion? v1alpha1 is getting cut with the current behavior -- it is still alpha and can change.

[haiyanmeng]

While we can let ExternalAuth deny early. Having it allow early has several concerns.

This is not what #220 proposes. allow policies means inline policies. I am trying to suggest that we define the rules here to address #237.

[david-martin]

I was going to ask for some clarification on a user/group scenario with multiple rules having to be allowed, but I think this discussion is moreso about rules across different policies?

Also, we don't have support for groups or spiffe wildcards right now? So that wouldn't be relevant here (which is probably a good motivation for CEL/OIDC)

[LiorLieberman]

This is not what #220 proposes. allow policies means inline policies. I am trying to suggest that we define the rules here to address #237.

We currently propose Allow and ExternalAuth. We dont propose deny in this version given the consensus we got with other folks in the group. This rules are just outlining some guidance on how ExternalAuth and Allow should work across different policies (as @david-martin suggested)

David - right - I would really love to see CEL and OIDC support, hopefully you/gui can pick this up soon and we release it as part of 0.2.

(there is someone thats working on CEL right now, hopefully we incorporate this soon)

[haiyanmeng]

pull-kube-agentic-networking-e2e

@LiorLieberman , this seems unexpected. PTAL.

[LiorLieberman]

/retest

[bowei]

I think given there is no official support for XBackend, we should leave references to it out of the validation. When the support is official, then it makes sense to add it back in.

[bowei]

Looks like that proposal is still in discussion? v1alpha1 is getting cut with the current behavior -- it is still alpha and can change.

[LiorLieberman]

@LiorLieberman: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kube-agentic-networking-e2e dee5b7d link true /test pull-kube-agentic-networking-e2e
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

This test is very flaky. This API should not cause this to fail.

I think its is related to @ziyue-101 's last changes with TLS.

[LiorLieberman]

/retest

[bowei]

/lgtm

But you need to get the tests to pass

[david-martin]

Some questions so I can better understand the changes from 0 to 1.
In general though, it looks reasonable to me.

/approve

[david-martin]

This is about not mixing targetRefs?
So all can be Gateways, or all can be XBackends, but not a mix of both?

[david-martin]

Is there a contradiction here?

the request should be delegated to an external auth service if rules match

and

Evaluation logic:
// 1. ExternalAuth runs before all other Allow policies.

[LiorLieberman]

This means that if action: ExternalAuth and any rule (defined under the "rules" field) match - it goes to the externalAuth server for evaluation. If action: Allow and any rule (defined under the "rules" field) match - the evaluation of this is ALLOW.

Regardless of that, Evaluation logic between policies on the same target works in a way that if there is ExternalAuth, it before all other Allow policies. If the ExternalAuth server denies it - request is denied. If it allows it, you still need all other policies to allow it (unless they dont exist).

A concrete example:

action: extAuth
rules:

• match path /foo
  target: Gateway1

---

action: Allow
rules:

• match header bar
  target: Gateway1

If the request is "/foo", ExtAuthServer allows, and header bar is missing -- you still get the request denied.

[david-martin]

by trust domain, do we mean same kubernetes cluster, or same namespace?

[LiorLieberman]

its configurable. Often times it would be a cluster identifier, but its not strictly required.
Here is how it could commonly be: spiffe://<trust_domain>/ns/<namespace>/sa/<serviceaccount>

[david-martin]

I was going to ask for some clarification on a user/group scenario with multiple rules having to be allowed, but I think this discussion is moreso about rules across different policies?

Also, we don't have support for groups or spiffe wildcards right now? So that wouldn't be relevant here (which is probably a good motivation for CEL/OIDC)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: david-martin, LiorLieberman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [LiorLieberman,david-martin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[david-martin]

do we have a tracking issue for this?

[LiorLieberman]

Planning to fast follow after I add ref implementation support for the new field structure (i.e moving the support to support the v1alpha1 from v0alpha0)

[david-martin]

/hold

pending some q's

[ryanzhang-oss]

the k8s CRD convention naming would be something like this

	Spec XAccessPolicySpec `json:"spec"`

I wonder why we have two different naming here?

[LiorLieberman]

Good question. Looks like we have not done this in the Gateway community. I have no strong opinion, but its going to be more nice code wise to not call v1alpha1.XAcessPolicySpec. The X prefix serves primarily the purpose of safe upgrades to standard channel and to explicitly indicate that this is an experimental resource

https://github.com/kubernetes-sigs/gateway-api/blob/main/apisx/v1alpha1/xbackendtrafficpolicy_types.go
https://github.com/kubernetes-sigs/gateway-api/blob/main/apisx/v1alpha1/xmesh_types.go

[ryanzhang-oss]

Shouldn't this be "LocalAuth" when the other Value of Enum is "ExternalAuth"?

[LiorLieberman]

The idea is that actions, will evolve to add Deny in the future as well. We already got some usecases that suggests deny will be needed.

Then you will have 3 actions. (1) this policy is an ALLOW policy, (2) this policy is a delegate to an external server and (3) this policy is a deny policy (if we ends up adding it in future releases)

[ryanzhang-oss]

I am a bit confused. When the AccessPolicyActionType is ExternalAuth, does the external server do both the authentication and autherization? If so, does it mean that the AccessRule field is not needed in that case?

Also, how does the external server do Authentication? What identity does the controller use to talk to the external auth sever?

[ryanzhang-oss]

Does this imply that the rules are basically based on MCP tool name and parameters?

[LiorLieberman]

for now yes. The group discussed to add additional support for "Inline" ways to specify other requests attributes like path, headers, etc.

That said, once CEL support is added you will be able to do more granular things with CEL. You would have AuthorizationRuleTypeCEL (in addition to the AuthorizationRuleTypeInline). See this slide for the general idea

[bowei]

you should put this in a hack/script.py. (follow up PR)

[bowei]

/lgtm

Let's get an initial version in and iterate

[LiorLieberman]

/unhold