docs(gateway): fix default-deny step for namespaced mode #2802
Draft
electricjesus wants to merge 1 commit into
Conversation
Gateway API namespaced mode (tigera/operator#4690) moved the data-plane proxies into each Gateway's own namespace, not tigera-gateway. The default-deny step still told users to exclude the tigera-gateway namespace, which no longer covers the proxies. With tigera/operator#4970 the operator allows the proxy's own traffic through the calico-system tier, so users only need to allow the proxy to reach their backends.
Pull request overview
Updates the "Create an ingress gateway" documentation (OSS and Enterprise) to align default-deny guidance with Gateway API namespaced mode, where gateway dataplane proxies run in the Gateway's namespace rather than `tigera-gateway`.

Changes:
- Replaces the outdated instruction to exclude `tigera-gateway` from global default-deny policies.
- Documents that the Operator allows the proxy's own traffic via `calico-system` tier policy, and that users must allow proxy-to-backend connectivity.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| calico/networking/ingress-gateway/create-ingress-gateway.mdx | Updates default-deny step to reflect namespaced-mode proxy placement and required backend connectivity allowance. |
| calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx | Same documentation correction for the Enterprise docs path and resource naming. |
Comment on lines +33 to +37:

> you do not need to allow the gateway proxy's own traffic. The Tigera Operator allows it through a
> policy in the `calico-system` tier. You do need to allow the gateway proxy to reach your backend
> workloads. The proxy pods carry the label `gateway.envoyproxy.io/owning-gateway-name`, so you can
> select them in an egress rule. Without that rule, the gateway is reachable but returns `503` because
> the proxy cannot connect to the backend.
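Review bot: the guidance in lines +33 to +37 covers only half of what a default-deny setup needs. A global default-deny also drops ingress on the backend workloads, so besides the egress rule on the proxy pods (selected by `gateway.envoyproxy.io/owning-gateway-name`) the backend needs an ingress rule that allows traffic from those same proxy pods; otherwise the proxy's connection is still denied at the backend and the gateway keeps returning `503`. Suggest extending "You do need to allow the gateway proxy to reach your backend workloads" to say that both the proxy's egress and the backend's ingress must be allowed, and including a short example policy, since the text names the label but shows no rule a user could copy.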
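The policy pair the reviewed lines describe, written out as an added example (not from this PR or the Calico docs). It assumes a Gateway named `my-gateway` in namespace `gateway-ns` (namespaced mode, so its proxy pods live there), backend pods labelled `app=echo` in namespace `app` listening on port 8080, and a global default-deny policy with an order value higher than 100 so that these allow rules are evaluated before it. All of those names are assumptions; only the proxy pod label comes from the page.

```yaml
# Added example, not the project's own code. Assumed names: Gateway "my-gateway"
# in namespace "gateway-ns", backend pods app=echo in namespace "app" on port
# 8080, and a global default-deny at an order value greater than 100.
---
# Egress side: let the Gateway's proxy pods reach the backend.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-gateway-proxy-to-backend
  namespace: gateway-ns          # the Gateway's own namespace (namespaced mode)
spec:
  order: 100                     # must be numerically lower than the default-deny order
  # Proxy pods created for the Gateway carry this label (see the reviewed lines).
  selector: gateway.envoyproxy.io/owning-gateway-name == 'my-gateway'
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'app'
        selector: app == 'echo'
        ports:
          - 8080
---
# Ingress side: a global default-deny also drops inbound traffic on the backend,
# so the backend must accept connections from those same proxy pods.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-backend-from-gateway-proxy
  namespace: app
spec:
  order: 100
  selector: app == 'echo'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        namespaceSelector: kubernetes.io/metadata.name == 'gateway-ns'
        selector: gateway.envoyproxy.io/owning-gateway-name == 'my-gateway'
      destination:
        ports:
          - 8080
```

No rule is written for the proxy's own traffic (its connection to the Envoy Gateway control plane), because the page states the Operator allows that through the `calico-system` tier. Apply both manifests, then request a route through the Gateway: a `503` means the proxy still cannot reach the backend (typically one of the two directions is missing, or the allow policy sorts after the default-deny), while a backend response confirms the pair is complete.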

What

Fixes the default-deny step in the "Create an ingress gateway" page (OSS and Enterprise) so it matches Gateway API namespaced mode.

Why

Namespaced mode (tigera/operator#4690) moved each Gateway's data-plane proxy into the Gateway's own namespace, not `tigera-gateway`. The step still told users to exclude the `tigera-gateway` namespace from their default-deny policy, which no longer covers the proxies. So a user on default-deny would follow the docs and still have a broken gateway.

The step now says: the operator allows the proxy's own traffic through the `calico-system` tier (see tigera/operator#4970), and the user only needs to allow the proxy to reach their backends.

Notes