Configure Gateway API resources across namespaces
Set allowedRoutes: All on your Gateway resource and create a ReferenceGrant that allows HTTPRoute instances from a specific namespace to access Services in the current namespace.
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'Copied to clipboard!
Create namespaces and allow references
-
Create separate namespaces to hold the
HTTPRouteand target Service:kubectl create namespace test-source kubectl create namespace test-destinationCopied to clipboard! -
Create a
ReferenceGrantresource in the destination namespace:echo 'kind: ReferenceGrant apiVersion: gateway.networking.k8s.io/v1beta1 metadata: name: test-grant namespace: test-destination spec: from: - group: gateway.networking.k8s.io kind: HTTPRoute namespace: test-source to: - group: "" kind: Service ' | kubectl apply -f -Copied to clipboard!
ReferenceGrants allow namespaces to opt in to references from other resources. They reside in the namespace of the target resource and list resources and namespaces that can talk to specific resources in the ReferenceGrant’s namespace.
In this case, the example configuration allows HTTPRoutes in the test-source namespace to reference Services in the test-destination namespace.
Using a Gateway resource in a different namespace
Gateway resources may also allow references from resources (HTTPRoute,
TCPRoute, etc.) in other namespaces. However, these references do not use
ReferenceGrants, as they are defined per listener in the Gateway resource, not for the entire Gateway.
A listener’s allowedRoutes field
lets you define which routing resources can bind to that listener.
The default Gateway in this guide only allows Routes from its same namespace
(kong). You’ll need to expand its scope to allow Routes from the
test-source namespace:
kubectl patch -n kong --type=json gateways.gateway.networking.k8s.io kong -p='[{"op":"replace","path": "/spec/listeners/0/allowedRoutes/namespaces/from","value":"All"}]'
This results in a Gateway resource with the following configuration:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: kong
namespace: kong
spec:
gatewayClassName: kong
listeners:
- name: proxy
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: All
Listeners can allow Routes in their own namespace (from: Same), all namespaces (from: All), or a
labeled set of namespaces (from: Selector).
Deploy a Service and HTTPRoute
-
Deploy an echo Service to the
test-destinationresource.kubectl apply -f https://developer.konghq.com/manifests/kic/echo-service.yaml -n test-destinationCopied to clipboard! -
Deploy an HTTPRoute that sends traffic to the Service:
echo 'apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: echo namespace: test-source annotations: konghq.com/strip-path: "true" spec: parentRefs: - name: kong namespace: kong rules: - matches: - path: type: PathPrefix value: /echo backendRefs: - name: echo kind: Service port: 1027 namespace: test-destination ' | kubectl apply -f -Copied to clipboard!Note the
namespacefields in both the parent and backend references. By default, entries here attempt to use the same namespace as the HTTPRoute if you don’t specify a namespace. -
Validate the configuration by sending requests through the Route:
curl -s "$PROXY_IP/echo"Copied to clipboard!The results should look like this:
Welcome, you are connected to node kind-control-plane. Running on Pod echo-965f7cf84-z9jv2. In namespace test-destination. With IP address 10.244.0.6.
Cleanup
Uninstall KIC from your cluster
helm uninstall kong -n kong