Installation of Gateway API throws 'Forbidden: estimated rule cost exceeds budget ...' error

[rbonatuvic]

What happened:
Attempting to install Standard Channel of Gateway API as per, https://gateway-api.sigs.k8s.io/guides/#install-standard-channel, with command kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
Note: I also cloned/checkout the tag version v1.1.0 and ran this command, kubectl apply -f config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
Either way, the following error occurred:
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created Error from server (Invalid): error when creating "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml": CustomResourceDefinition.apiextensions.k8s.io "grpcroutes.gateway.networking.k8s.io" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[parentRefs].x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared), spec.validation.openAPIV3Schema.properties[spec].properties[parentRefs].x-kubernetes-validations[0].rule: Forbidden: contributed to estimated rule cost total exceeding cost limit for entire OpenAPIv3 schema, spec.validation.openAPIV3Schema: Forbidden: x-kubernetes-validations estimated rule cost total for entire OpenAPIv3 schema exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)] Error from server (Invalid): error when creating "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml": CustomResourceDefinition.apiextensions.k8s.io "httproutes.gateway.networking.k8s.io" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[parentRefs].x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared), spec.validation.openAPIV3Schema.properties[spec].properties[parentRefs].x-kubernetes-validations[0].rule: Forbidden: contributed to estimated rule cost total exceeding cost limit for entire OpenAPIv3 schema, spec.validation.openAPIV3Schema: Forbidden: x-kubernetes-validations estimated rule cost total for entire OpenAPIv3 schema exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)]

Ubuntu 22 04
$ kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.25.2
Kustomize Version: v4.5.7
Server Version: v1.25.0
$ minikube version
minikube version: v1.27.0
commit: 4243041b7a72319b9be7842a7d34b6767bbdac2b

What you expected to happen:
Components of Gateway should have been installed and a message should have been displayed like:
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created

How to reproduce it (as minimally and precisely as possible):

1. minikube delete --purge
2. minikube start
3. kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml

Anything else we need to know?:

[howardjohn]

Not sure this is the case but the minimum supported version is the last 5 k8s versions, which would be 1.26 (very soon 1.27, like in a few days): https://gateway-api.sigs.k8s.io/concepts/versioning/#supported-versions. Which is likely the cause.

[youngnick]

Yes, the CEL expression limits have been changing per-release, and since we use CEL heavily now, this is one of the biggest contributors to version incompatiblity.

Thanks for logging this issue @rbonatuvic, but it looks like we'll need you to bump your cluster version to use this version of Gateway API.

[rbonatuvic]

Upgraded, and it installs as expected. Thanks

[robscott]

Thanks for reporting this @rbonatuvic! Glad that the upgrade worked for you. This is also somewhat related to #3206 where we're working to improve the set of k8s versions we're testing against. Will close this one out, feel free to reopen if I missed anything.