Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support targetRef with AI RoutePolicy #10649

Open
npolshakova opened this issue Feb 18, 2025 · 1 comment
Open

Support targetRef with AI RoutePolicy #10649

npolshakova opened this issue Feb 18, 2025 · 1 comment
Milestone
kgw 2nd cut

Comments

@npolshakova
Copy link
Contributor

npolshakova commented Feb 18, 2025
edited
Loading

We want to support configuring RoutePolicy with targetRef for AI Options:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: route-to-upstream
  namespace: gwtest
spec:
  parentRefs:
    - name: http-gw-for-test
  hostnames:
    - "www.example.com"
  rules:
    - matches:
        - path:
            type: Exact
            value: /v1/chat/completions
    - backendRefs:
        - name: vertexai
          kind: Upstream
          group: gateway.kgateway.dev
---
apiVersion: gateway.kgateway.dev/v1alpha1
kind: RoutePolicy
metadata:
  name: route-test
  namespace: gwtest
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: vertexai
  ai:
    promptGuard:
      request:
        customResponse:
          message: "Rejected due to inappropriate content"
          statusCode: 400
        regex:
          matches:
            - "credit card"

However, if one of the route rules doesn't have an AI Upstream, the targetRef should error:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: route-to-upstream
  namespace: gwtest
spec:
  parentRefs:
    - name: http-gw-for-test
  hostnames:
    - "www.example.com"
  rules:
    - matches:
        - path:
            type: Exact
            value: /hello
    - backendRefs:
        - name: not-an-ai-service # this can't have AI RoutePolicy applied
          kind: Service
    - matches:
        - path:
            type: Exact
            value: /v1/chat/completions
    - backendRefs:
        - name: vertexai
          kind: Upstream
          group: gateway.kgateway.dev
---
apiVersion: gateway.kgateway.dev/v1alpha1
kind: RoutePolicy
metadata:
  name: route-test
  namespace: gwtest
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: vertexai
  ai:
    promptGuard:
      request:
        customResponse:
          message: "Rejected due to inappropriate content"
          statusCode: 400
        regex:
          matches:
            - "credit card"

In this case, we need:

  • Check the Upstream is an AI Upstream before running the ApplyRoute plugin (

    kgateway/internal/kgateway/extensions2/plugins/routepolicy/route_policy_plugin.go

    Line 106 in b85f004

    func (p *routePolicyPluginGwPass) ApplyForRoute(ctx context.Context, pCtx *ir.RouteContext, outputRoute *envoy_config_route_v3.Route) error {
    ). Report an error if there is a mismatch, don't translate policy. The ApplyRoute does not have access to the Upstream, so it's trickier to validate the route is referencing an AI Upstream
@npolshakova
Copy link
Contributor Author

npolshakova commented Feb 19, 2025
edited
Loading

@lgadban Here's the issue write up for the targetRef problem!

@lgadban lgadban added this to the kgw 2nd cut milestone Feb 19, 2025
@lgadban lgadban mentioned this issue Feb 19, 2025
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Kgateway Planning
Status: Backlog
Milestone
kgw 2nd cut
Development

No branches or pull requests
2 participants
@lgadban @npolshakova