Skip to content

fix(gatewayapi): split envoy-gateway NetworkPolicy ingress by IP family#4894

Closed
electricjesus wants to merge 1 commit into
tigera:masterfrom
electricjesus:seth/gatewayapi-np-dualstack-fix
Closed

fix(gatewayapi): split envoy-gateway NetworkPolicy ingress by IP family#4894
electricjesus wants to merge 1 commit into
tigera:masterfrom
electricjesus:seth/gatewayapi-np-dualstack-fix

Conversation

@electricjesus

@electricjesus electricjesus commented Jun 4, 2026

Copy link
Copy Markdown
Member

Description

Bug fix. The calico-system.envoy-gateway NetworkPolicy ingress allow put both 0.0.0.0/0 and ::/0 in a single rule's Source.Nets, which Calico rejects ("rule contains both IPv4 and IPv6 CIDRs"), so the policy fails to apply on dual-stack and IPv6 clusters. Split the allow into one rule per address family.

Split out of #4821 — standalone fix, no WAF dependency.

Tested: go test ./pkg/render/gatewayapi/... — asserts the ingress is rendered as two per-family rules.

Release Note

Fixed the envoy-gateway NetworkPolicy failing to apply on dual-stack and IPv6 clusters: the ingress allow mixed IPv4 and IPv6 CIDRs in a single rule, which Calico rejects. The rule is now split per IP family.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • release-note-required
    • docs-not-required

@electricjesus
fix(gatewayapi): split envoy-gateway NetworkPolicy ingress by IP family
4689beb 
The calico-system.envoy-gateway ingress allow put both 0.0.0.0/0 and ::/0 in
a single rule's Source.Nets, which Calico rejects ("rule contains both IPv4
and IPv6 CIDRs") — the whole NetworkPolicy fails to apply and the gatewayapi
reconcile aborts before rendering the rest. Split the allow-from-anywhere into
two rules, one per address family (dual-stack and IPv6-only both need ::/0).
@electricjesus electricjesus requested a review from a team as a code owner June 4, 2026 21:22
@marvin-tigera marvin-tigera added this to the v1.43.0 milestone Jun 4, 2026
@electricjesus electricjesus mentioned this pull request Jun 4, 2026
Merged
4 tasks
@electricjesus

electricjesus commented Jun 5, 2026

Copy link
Copy Markdown
Member Author

Superseded by #4887 (identical NP ingress split, merged). Closing as dupe — test coverage for the per-family split to follow separately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.43.0

Development

Successfully merging this pull request may close these issues.

2 participants

@electricjesus @marvin-tigera