BackendTrafficPolicy does not validate maximum value of requestBuffer.limit #7677
Closed
Description
BackendTrafficPolicy does not document or validate the maximum value of spec.requestBuffer.limit.
Values above 4096Mi pass CRD validation but cause xds-translator in the controller to log errors like limit value 5000Mi is out of range, must be between 0 and 4294967295.
Also:
Repro steps
Add a BackendTrafficPolicy like:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: buffer-test
  namespace: envoy-gateway-system
spec:
  mergeType: StrategicMerge
  requestBuffer:
    limit: 5000Mi
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
```

This will pass CRD validation with Policy has been accepted:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gateway.envoyproxy.io/v1alpha1","kind":"BackendTrafficPolicy","metadata":{"annotations":{},"name":"buffer-test","namespace":"envoy-gateway-system"},"spec":{"mergeType":"StrategicMerge","requestBuffer":{"limit":"5000Mi"},"targetRef":{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"eg"}}}
  creationTimestamp: "2025-12-05T10:46:38Z"
  generation: 2
  name: buffer-test
  namespace: envoy-gateway-system
  resourceVersion: "5971"
  uid: f051b54e-1d1e-4c12-b54f-65baedac5aa4
spec:
  mergeType: StrategicMerge
  requestBuffer:
    limit: 5000Mi
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      namespace: envoy-gateway-system
    conditions:
    - lastTransitionTime: "2025-12-05T10:46:54Z"
      message: Policy has been accepted.
      observedGeneration: 2
      reason: Accepted
      status: "True"
      type: Accepted
    controllerName: gateway.envoyproxy.io/gatewayclass-controller
```

But the Envoy Gateway controller will start to log {"runner": "xds", "error": "limit value 5000Mi is out of range, must be between 0 and 4294967295"}.
Environment
Envoy Gateway: v1.5.5
Envoy image: envoy:distroless-v1.35.6
Logs
2025-12-05T10:46:54.740Z INFO provider kubernetes/controller.go:305 reconciling gateways {"runner": "provider"}
2025-12-05T10:46:54.741Z INFO provider kubernetes/controller.go:1090 processing OIDC HMAC Secret {"runner": "provider", "namespace": "envoy-gateway-system", "name": "envoy-oidc-hmac"}
2025-12-05T10:46:54.742Z INFO provider kubernetes/controller.go:1112 processing Envoy TLS Secret {"runner": "provider", "namespace": "envoy-gateway-system", "name": "envoy"}
2025-12-05T10:46:54.742Z INFO provider kubernetes/controller.go:1455 processing Gateway {"runner": "provider", "namespace": "envoy-gateway-system", "name": "eg"}
2025-12-05T10:46:54.742Z ERROR provider kubernetes/controller.go:1470 failed to process TLS SecretRef for gateway {"runner": "provider", "gateway": {"kind":"Gateway","apiVersion":"gateway.networking.k8s.io/v1","metadata":{"name":"eg","namespace":"envoy-gateway-system","uid":"8896404c-21de-4a4e-b508-4207e989de5b","resourceVersion":"5929","generation":1,"creationTimestamp":"2025-12-05T10:20:09Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"gateway.networking.k8s.io/v1\",\"kind\":\"Gateway\",\"metadata\":{\"annotations\":{},\"name\":\"eg\",\"namespace\":\"envoy-gateway-system\"},\"spec\":{\"gatewayClassName\":\"eg\",\"infrastructure\":{\"parametersRef\":{\"group\":\"gateway.envoyproxy.io\",\"kind\":\"EnvoyProxy\",\"name\":\"custom-proxy-config\"}},\"listeners\":[{\"allowedRoutes\":{\"namespaces\":{\"from\":\"Same\"}},\"name\":\"http\",\"port\":80,\"protocol\":\"HTTP\"},{\"allowedRoutes\":{\"kinds\":[{\"group\":\"gateway.networking.k8s.io\",\"kind\":\"HTTPRoute\"}],\"namespaces\":{\"from\":\"All\"}},\"hostname\":\"*.kognic.io\",\"name\":\"https\",\"port\":443,\"protocol\":\"HTTPS\",\"tls\":{\"certificateRefs\":[{\"group\":\"\",\"kind\":\"Secret\",\"name\":\"kognic-io\",\"namespace\":\"envoy-gateway-system\"}],\"mode\":\"Terminate\"}}]}}\n"},"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2025-12-05T10:20:09Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:gatewayClassName":{},"f:infrastructure":{".":{},"f:parametersRef":{".":{},"f:group":{},"f:kind":{},"f:name":{}}},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:allowedRoutes":{".":{},"f:namespaces":{".":{},"f:from":{}}},"f:name":{},"f:port":{},"f:protocol":{}},"k:{\"name\":\"https\"}":{".":{},"f:allowedRoutes":{".":{},"f:kinds":{},"f:namespaces":{".":{},"f:from":{}}},"f:hostname":{},"f:n
ame":{},"f:port":{},"f:protocol":{},"f:tls":{".":{},"f:certificateRefs":{},"f:mode":{}}}}}}},{"manager":"envoy-gateway","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2025-12-05T10:46:38Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:conditions":{"k:{\"type\":\"Accepted\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{}},"k:{\"type\":\"Programmed\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{}}},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:attachedRoutes":{},"f:conditions":{".":{},"k:{\"type\":\"Accepted\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Programmed\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"ResolvedRefs\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:name":{},"f:supportedKinds":{}},"k:{\"name\":\"https\"}":{".":{},"f:attachedRoutes":{},"f:conditions":{".":{},"k:{\"type\":\"Programmed\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"ResolvedRefs\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:name":{},"f:supportedKinds":{}}}}},"subresource":"status"}]},"spec":{"gatewayClassName":"eg","listeners":[{"name":"http","port":80,"protocol":"HTTP","allowedRoutes":{"namespaces":{"from":"Same"}}},{"name":"https","hostname":"*.kognic.io","port":443,"protocol":"HTTPS","tls":{"mode":"Terminate","certificateRefs":[{"group":"","kind":"Secret","name":"kognic-io","namespace":"envoy-gateway-system"}]},"allowedRoutes":{"namespaces":{"from":"All"},"kinds":[{"group":"gateway.networking.k8s.io","kind":"HTTPRoute"}]}}],"infra
structure":{"parametersRef":{"group":"gateway.envoyproxy.io","kind":"EnvoyProxy","name":"custom-proxy-config"}}},"status":{"conditions":[{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2025-12-05T10:46:38Z","reason":"Accepted","message":"The Gateway has been scheduled by Envoy Gateway"},{"type":"Programmed","status":"False","observedGeneration":1,"lastTransitionTime":"2025-12-05T10:46:38Z","reason":"AddressNotAssigned","message":"No addresses have been assigned to the Gateway"}],"listeners":[{"name":"http","supportedKinds":[{"group":"gateway.networking.k8s.io","kind":"HTTPRoute"},{"group":"gateway.networking.k8s.io","kind":"GRPCRoute"}],"attachedRoutes":1,"conditions":[{"type":"Programmed","status":"True","observedGeneration":1,"lastTransitionTime":"2025-12-05T10:46:38Z","reason":"Programmed","message":"Sending translated listener configuration to the data plane"},{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2025-12-05T10:46:38Z","reason":"Accepted","message":"Listener has been successfully translated"},{"type":"ResolvedRefs","status":"True","observedGeneration":1,"lastTransitionTime":"2025-12-05T10:46:38Z","reason":"ResolvedRefs","message":"Listener references have been resolved"}]},{"name":"https","supportedKinds":[{"group":"gateway.networking.k8s.io","kind":"HTTPRoute"}],"attachedRoutes":0,"conditions":[{"type":"ResolvedRefs","status":"False","observedGeneration":1,"lastTransitionTime":"2025-12-05T10:46:38Z","reason":"InvalidCertificateRef","message":"Secret envoy-gateway-system/kognic-io does not exist."},{"type":"Programmed","status":"False","observedGeneration":1,"lastTransitionTime":"2025-12-05T10:46:38Z","reason":"Invalid","message":"Listener is invalid, see other Conditions for details."}]}]}}, "secretRef": {"group":"","kind":"Secret","name":"kognic-io","namespace":"envoy-gateway-system"}, "error": "unable to find the Secret envoy-gateway-system/kognic-io: Secret \"kognic-io\" not found"}
2025-12-05T10:46:54.743Z INFO provider kubernetes/routes.go:248 processing HTTPRoute {"runner": "provider", "namespace": "envoy-gateway-system", "name": "tls-redirect"}
2025-12-05T10:46:54.743Z INFO provider kubernetes/controller.go:2471 processing EnvoyProxy {"runner": "provider", "namespace": "envoy-gateway-system", "name": "custom-proxy-config"}
2025-12-05T10:46:54.744Z INFO provider kubernetes/controller.go:641 processing Backend {"runner": "provider", "kind": "Service", "namespace": "envoy-gateway-system", "name": "envoy-envoy-gateway-system-eg-5391c79d"}
2025-12-05T10:46:54.744Z INFO provider kubernetes/controller.go:659 added Service to resource tree {"runner": "provider", "kind": "Service", "namespace": "envoy-gateway-system", "name": "envoy-envoy-gateway-system-eg-5391c79d"}
2025-12-05T10:46:54.745Z INFO provider kubernetes/controller.go:784 added EndpointSlice to resource tree {"runner": "provider", "kind": "Service", "namespace": "envoy-gateway-system", "name": "envoy-envoy-gateway-system-eg-5391c79d", "namespace": "envoy-gateway-system", "name": "envoy-envoy-gateway-system-eg-5391c79d-qm8st"}
2025-12-05T10:46:54.746Z INFO provider kubernetes/controller.go:573 reconciled gateways successfully {"runner": "provider"}
2025-12-05T10:46:54.746Z INFO gateway-api runner/runner.go:134 received an update {"runner": "gateway-api"}
2025-12-05T10:46:54.747Z INFO provider kubernetes/status_updater.go:143 received a status update {"runner": "provider", "namespace": "envoy-gateway-system", "name": "policy", "kind": "ClientTrafficPolicy"}
2025-12-05T10:46:54.747Z INFO xds runner/runner.go:203 received an update {"runner": "xds"}
2025-12-05T10:46:54.747Z INFO provider kubernetes/status_updater.go:108 status unchanged, bypassing update {"runner": "provider", "name": "policy", "namespace": "envoy-gateway-system", "kind": "ClientTrafficPolicy"}
2025-12-05T10:46:54.748Z INFO provider kubernetes/status_updater.go:143 received a status update {"runner": "provider", "namespace": "envoy-gateway-system", "name": "eg", "kind": "Gateway"}
2025-12-05T10:46:54.748Z INFO infrastructure runner/runner.go:109 received an update {"runner": "infrastructure"}
2025-12-05T10:46:54.749Z ERROR xds runner/runner.go:245 failed to translate xds ir {"runner": "xds", "error": "limit value 5000Mi is out of range, must be between 0 and 4294967295"}
2025-12-05T10:46:54.750Z ERROR watchable message/watchutil.go:86 observed an error {"runner": "xds", "error": "limit value 5000Mi is out of range, must be between 0 and 4294967295"}
2025-12-05T10:46:54.761Z INFO provider kubernetes/status_updater.go:143 received a status update {"runner": "provider", "namespace": "envoy-gateway-system", "name": "buffer-test", "kind": "BackendTrafficPolicy"}
2025-12-05T10:46:54.769Z INFO provider kubernetes/status_updater.go:143 received a status update {"runner": "provider", "namespace": "envoy-gateway-system", "name": "tls-redirect", "kind": "HTTPRoute"}
2025-12-05T10:46:54.769Z INFO provider kubernetes/status_updater.go:108 status unchanged, bypassing update {"runner": "provider", "name": "tls-redirect", "namespace": "envoy-gateway-system", "kind": "HTTPRoute"}
Metadata
Labels: kind/bug (Something isn't working)
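The range check that the report says is missing at admission time can be run on a manifest value before it is applied. The following is an added example, not Envoy Gateway's own code: `CheckBufferLimit` is a hypothetical helper with a simplified parser that handles only whole-number quantities with the suffixes listed in the block, and it applies the 0 to 4294967295 range quoted in the logged error. Under that range, 4096Mi (4294967296 bytes) is itself one byte over the maximum.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Multipliers for the subset of Kubernetes quantity suffixes handled here
// (assumption: whole numbers only; other suffixes are rejected).
var suffixes = []struct {
	s string
	m uint64
}{
	{"Ki", 1 << 10}, {"Mi", 1 << 20}, {"Gi", 1 << 30}, {"Ti", 1 << 40},
	{"k", 1e3}, {"M", 1e6}, {"G", 1e9}, {"T", 1e12},
}

// CheckBufferLimit (hypothetical name) converts a quantity string to bytes and
// rejects values outside 0..4294967295, the range named in the logged error.
func CheckBufferLimit(q string) (uint64, error) {
	num, mult := q, uint64(1)
	for _, u := range suffixes {
		if strings.HasSuffix(q, u.s) {
			num, mult = strings.TrimSuffix(q, u.s), u.m
			break
		}
	}
	n, err := strconv.ParseUint(num, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("limit %q: not a whole-number quantity", q)
	}
	// Compare by division so that n*mult can never wrap around uint64.
	if n > math.MaxUint32/mult {
		return 0, fmt.Errorf("limit %q is out of range, must be between 0 and %d",
			q, uint32(math.MaxUint32))
	}
	return n * mult, nil
}

func main() {
	// Constructed sample values; 5000Mi is the value from the report.
	for _, q := range []string{"4Mi", "4095Mi", "4294967295", "4096Mi", "5000Mi", "4Gi"} {
		b, err := CheckBufferLimit(q)
		fmt.Println(q, b, err)
	}
}
```
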