Description
Status on policies contains a slice of Ancestors, which has a max size of 16. If the slice is full, we consider the policy unimplementable but we do not signal this to the user in any way. We effectively ignore the policy.
The spec says:
> If this slice is full, implementations MUST NOT add further entries.
> Instead they MUST consider the policy unimplementable and signal that
> on any related resources such as the ancestor that would be referenced
> here. For example, if this list was full on BackendTLSPolicy, no
> additional Gateways would be able to reference the Service targeted by
> the BackendTLSPolicy.
We need to figure out a way to signal this on the ancestor resource. One way to do this would be to add a condition to the ancestor. But this may overflow the ancestor's conditions.
Bugs found:
- BackendTLSPolicy will fully be rejected when ancestors overflow
- NGF policy applying will fully apply the policy to a service rather than partially apply when ancestors slice is full
Acceptance
- BackendTLSPolicy should apply to services until the ancestors slice is full
- Sort attachments properly so that old attachments are prioritized
- Update NGF to honor policy service attachment when ancestor is not accepted and only reject it for the ancestor
- When a policy cannot be applied by the above condition, an attempt should be made to signal on the ancestor that the policy was not applied.
- After the attempt to update status is made, a message is logged that the policy was not applied and why. Log message should also include:
  - The name of the ancestor
  - The name of the policy that was not applied
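
A sketch of the acceptance criteria above, added here as an illustration and not taken from NGF's code base: attachments are sorted oldest first, the first 16 are accepted, and each remaining ancestor gets a log message naming the ancestor and the policy. The `Attachment` type, the function names, the policy name and the sample Gateways are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// maxAncestors is the size limit of the policy status Ancestors slice (from the issue).
const maxAncestors = 16

// Attachment is a hypothetical stand-in for one ancestor (e.g. a Gateway).
type Attachment struct {
	Ancestor string
	Created  time.Time
}

// Partition sorts oldest first (name breaks ties, so the result is deterministic)
// and splits the attachments into those that fit in the slice and the overflow.
func Partition(atts []Attachment) (accepted, rejected []Attachment) {
	sorted := append([]Attachment(nil), atts...) // copy; caller's slice is not reordered
	sort.SliceStable(sorted, func(i, j int) bool {
		if !sorted[i].Created.Equal(sorted[j].Created) {
			return sorted[i].Created.Before(sorted[j].Created)
		}
		return sorted[i].Ancestor < sorted[j].Ancestor
	})
	if len(sorted) <= maxAncestors {
		return sorted, nil
	}
	return sorted[:maxAncestors], sorted[maxAncestors:]
}

// RejectionMessages builds one log line per ancestor the policy was not applied for.
func RejectionMessages(policy string, rejected []Attachment) []string {
	msgs := make([]string, 0, len(rejected))
	for _, r := range rejected {
		msgs = append(msgs, fmt.Sprintf("policy %q not applied for ancestor %q: status ancestors slice is full (max %d)", policy, r.Ancestor, maxAncestors))
	}
	return msgs
}

func main() {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	var atts []Attachment
	for i := 17; i >= 0; i-- { // constructed sample: 18 Gateways, newest listed first
		atts = append(atts, Attachment{Ancestor: fmt.Sprintf("gw-%02d", i), Created: base.Add(time.Duration(i) * time.Hour)})
	}
	_, rejected := Partition(atts)
	fmt.Println(RejectionMessages("default/backend-tls", rejected))
}
```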