Core API: ReferenceGrant

[kate-osborn]

As cluster operator and/or application admin, I want to be able to use ReferenceGrant to selectively enable cross-namespace references so that I can ensure secure and controlled access to cross-namespace resources. Specifically, I want to use ReferenceGrants to allow Gateways to reference Secrets and Routes to reference Backend (Services).

Acceptance Criteria

• The ReferenceGrant should permit Gateways to reference Secrets across namespace boundaries.
• The ReferenceGrant should permit Routes to reference Backends (Services) across namespace boundaries.
• Cross-namespace references without a grant should not be permitted.
• Each ReferenceGrant should represent a unique trust relationship, allowing me to add or remove grants to manage access to cross-namespace resources.
• When a ReferenceGrant is removed, the access that the grant allowed should be automatically revoked.
• When a ReferenceGrant is changed, the access that the grant allowed should be automatically recalculated and applied accordingly.
• If a cross-namespace reference is made without an applicable ReferenceGrant, do NOT expose information about the existence of a resource in another namespace. NKG should only report that the ReferenceGrant does not exist to allow this reference. Do not give hints about whether or not the referenced resource exists.
• Update the documentation
  • Update the compatibility doc
  • Add an example for both Gateway -> Secret and Route -> Backend cross-namespace routing
• Make sure all relevant conformance tests would pass

https://gateway-api.sigs.k8s.io/api-types/referencegrant/ https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferenceGrant

Aha! Link: https://nginx.aha.io/features/NKG-61

[mpstefan]

Removed refined tag, as we will definitely need to talk about this one before we start. See #615

[mpstefan]

Splitting into #694 and #695