Skip to content

feat(gatewayapi): add Gateway API RBAC for L7 log collector (#4282) #4312

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
electricjesus wants to merge 2 commits into
base: release-v1.41
Choose a base branch
from
Open

feat(gatewayapi): add Gateway API RBAC for L7 log collector (#4282) #4312

electricjesus wants to merge 2 commits into from

Conversation

@electricjesus
Copy link
Member

@electricjesus electricjesus commented Dec 17, 2025
edited
Loading

pick of #4282 and #4309

Commit 1 (#4282):

Extends the waf-http-filter ClusterRole to include Gateway API permissions needed by the l7-log-collector sidecar for log enrichment.

The L7 Log Collector watches Gateway API resources (Gateways, HTTPRoutes, GRPCRoutes) and core resources (Pods, Services) to enrich access logs with Gateway context information.

This approach reuses the existing ServiceAccount shared by WAF and l7-log-collector containers in the EnvoyProxy deployment.

Commit 2 (#4309):

Update the CRDs using the makefile

Closes https://tigera.atlassian.net/browse/EV-6273

Release Note

TBD

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@electricjesus
feat(gatewayapi): add Gateway API RBAC for L7 log collector (tigera#4282
a6cc342 
)

Extends the waf-http-filter ClusterRole to include Gateway API permissions needed by the l7-log-collector sidecar for log enrichment.

The L7 Log Collector watches Gateway API resources (Gateways, HTTPRoutes, GRPCRoutes) and core resources (Pods, Services) to enrich access logs with Gateway context information.

This approach reuses the existing ServiceAccount shared by WAF and l7-log-collector containers in the EnvoyProxy deployment.
@electricjesus electricjesus requested a review from a team as a code owner December 17, 2025 20:56
@marvin-tigera marvin-tigera added this to the v1.41.0 milestone Dec 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

docs-pr-required release-note-not-required

Projects

None yet

Milestone

v1.41.0

Development

Successfully merging this pull request may close these issues.

3 participants

@electricjesus @marvin-tigera @rene-dekker