strictly validate the usage of SubPolicies (#599)

Signed-off-by: spacewander <[email protected]>
mosn · Jun 26, 2024 · fcee4b8 · fcee4b8
1 parent c2eb98c
commit fcee4b8
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/types/apis/v1/validation.go b/types/apis/v1/validation.go
@@ -127,6 +127,12 @@ func validateHTTPFilterPolicy(policy *HTTPFilterPolicy, strict bool) error {
 		}
 
 		targetGateway = ref.Kind == "Gateway"
+
+		if len(policy.Spec.SubPolicies) > 0 {
+			if ref.Kind != "VirtualService" {
+				return errors.New("subPolicies can not be used with this referred target")
+			}
+		}
 	}
 	// HTTPFilterPolicy in embedded mode can have no targetRef
 

diff --git a/types/apis/v1/validation_test.go b/types/apis/v1/validation_test.go
@@ -265,6 +265,25 @@ func TestValidateHTTPFilterPolicy(t *testing.T) {
 			},
 			err: "targetRef.SectionName and SubPolicies can not be used together",
 		},
+		{
+			name: "targetRef to Gateway and also use SubPolicies",
+			policy: &HTTPFilterPolicy{
+				Spec: HTTPFilterPolicySpec{
+					TargetRef: &gwapiv1a2.PolicyTargetReferenceWithSectionName{
+						PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+							Group: "networking.istio.io",
+							Kind:  "Gateway",
+						},
+					},
+					SubPolicies: []HTTPFilterSubPolicy{
+						{
+							SectionName: sectionName,
+						},
+					},
+				},
+			},
+			err: "subPolicies can not be used with this referred target",
+		},
 		{
 			name: "bad configuration",
 			policy: &HTTPFilterPolicy{