Problem
Gateways created with a spec.gatewayClassName that no controller manages are silently accepted by the API server and left in Unknown/Pending indefinitely. The NSO's filtered watch cache never picks them up, so they produce no errors — just a permanent stall.
Discovered during incident datum-cloud/engineering#258, where a gateway was stuck for 30+ hours with no actionable signal.
Proposed Fix
Add a validating admission webhook that rejects Gateway creation (and updates) if the specified gatewayClassName is not one the NSO manages. The failure should return a clear error message indicating the valid class names.
Impact
Without this, any user who selects an unmanaged GatewayClass gets a silent permanent failure that's very difficult to diagnose.
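The check proposed above, as an added example (not the NSO's own code): a Go function that takes a raw admission.k8s.io/v1 AdmissionReview for a Gateway and denies it unless spec.gatewayClassName is in the managed set, returning the valid class names in the denial message. The names ReviewGateway and managed and the class name example-managed are assumptions, and the structs mirror only the AdmissionReview fields this check needs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Subset of the admission.k8s.io/v1 AdmissionReview wire format used by this check.
type Status struct{ Message string `json:"message"` }
type Response struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type Review struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string `json:"uid"`
		Object struct {
			Spec struct{ GatewayClassName string `json:"gatewayClassName"` } `json:"spec"`
		} `json:"object"`
	} `json:"request,omitempty"`
	Response *Response `json:"response,omitempty"`
}

// ReviewGateway fails closed; managed (assumed) lists the classes the operator reconciles.
func ReviewGateway(body []byte, managed []string) Review {
	out := Review{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: &Response{}}
	var in Review
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		out.Response.Status = &Status{"cannot decode AdmissionReview request"}
		return out
	}
	out.Response.UID = in.Request.UID // the API server matches the response by UID
	class := in.Request.Object.Spec.GatewayClassName
	out.Response.Allowed = slices.Contains(managed, class)
	if !out.Response.Allowed { // name the valid classes so the error is actionable
		out.Response.Status = &Status{fmt.Sprintf("spec.gatewayClassName %q is not managed "+
			"by this operator; valid class names: %s", class, strings.Join(managed, ", "))}
	}
	return out
}

func main() { // constructed request; "example-managed" is a placeholder class name
	req := []byte(`{"request":{"uid":"u-1","object":{"spec":{"gatewayClassName":"typo"}}}}`)
	fmt.Println(ReviewGateway(req, []string{"example-managed"}).Response.Status.Message)
}
```

The webhook registration decides what happens when the webhook itself is unreachable: with failurePolicy set to Ignore, an outage lets unmanaged class names through again.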