From fcee4b88a3882acc0abfedbc4e3702617da7abc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=BD=97=E6=B3=BD=E8=BD=A9?= <spacewanderlzx@gmail.com>
Date: Wed, 26 Jun 2024 10:47:37 +0800
Subject: [PATCH] strictly validate the usage of SubPolicies (#599)

Signed-off-by: spacewander <spacewanderlzx@gmail.com>
---
 types/apis/v1/validation.go      |  6 ++++++
 types/apis/v1/validation_test.go | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/types/apis/v1/validation.go b/types/apis/v1/validation.go
index 28753096..f71c44d2 100644
--- a/types/apis/v1/validation.go
+++ b/types/apis/v1/validation.go
@@ -127,6 +127,12 @@ func validateHTTPFilterPolicy(policy *HTTPFilterPolicy, strict bool) error {
 		}
 
 		targetGateway = ref.Kind == "Gateway"
+
+		if len(policy.Spec.SubPolicies) > 0 {
+			if ref.Kind != "VirtualService" {
+				return errors.New("subPolicies can not be used with this referred target")
+			}
+		}
 	}
 	// HTTPFilterPolicy in embedded mode can have no targetRef
 
diff --git a/types/apis/v1/validation_test.go b/types/apis/v1/validation_test.go
index 6ceb05ad..cf24327e 100644
--- a/types/apis/v1/validation_test.go
+++ b/types/apis/v1/validation_test.go
@@ -265,6 +265,25 @@ func TestValidateHTTPFilterPolicy(t *testing.T) {
 			},
 			err: "targetRef.SectionName and SubPolicies can not be used together",
 		},
+		{
+			name: "targetRef to Gateway and also use SubPolicies",
+			policy: &HTTPFilterPolicy{
+				Spec: HTTPFilterPolicySpec{
+					TargetRef: &gwapiv1a2.PolicyTargetReferenceWithSectionName{
+						PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+							Group: "networking.istio.io",
+							Kind:  "Gateway",
+						},
+					},
+					SubPolicies: []HTTPFilterSubPolicy{
+						{
+							SectionName: sectionName,
+						},
+					},
+				},
+			},
+			err: "subPolicies can not be used with this referred target",
+		},
 		{
 			name: "bad configuration",
 			policy: &HTTPFilterPolicy{