intent reconciler: resource name collisions across namespaces (MetalLB pools, Calico IPPools) #260
Description
Problem
The intent reconciler derives MetalLB IPAddressPool names from Inbound.Name only, and Calico IPPool names from Outbound.Name only. This means identically-named Inbound/Outbound resources in different namespaces will collide on the same pool name since MetalLB/Calico pools are cluster-scoped.
Additionally, Destination label matching is cluster-wide — a Destination in namespace A could unintentionally match pods in namespace B.
Impact
HIGH — Namespace collision can cause incorrect IP assignment or routing in multi-tenant clusters.
Affected Files
controllers/intent/intent_controller.go— pool name derivation logiccontrollers/platform/metallb_controller.go— IPAddressPool creationcontrollers/platform/coil_controller.go— Calico IPPool creation
Suggested Fix
Include namespace in derived resource names: {namespace}-{name} for MetalLB pools and Calico IPPools. For Destinations, add namespace-aware label selectors.
Found During
Review Round 3 of PR #249. Pre-existing design issue in intent-based-crds feature.