fix: EEP RG enforcement (envoyproxy#3475)

fix EEP RG enforcement

Signed-off-by: Guy Daich <guy.daich@sap.com>

internal/gatewayapi/envoyextensionpolicy.go

@@ -416,6 +416,7 @@ func (t *Translator) buildExtProc(
 		if err = t.validateExtServiceBackendReference(
 			&extProc.BackendRefs[i].BackendObjectReference,
 			policyNamespacedName.Namespace,
+			egv1a1.KindEnvoyExtensionPolicy,
 			resources); err != nil {
 			return nil, err
 		}

internal/gatewayapi/securitypolicy.go

@@ -790,6 +790,7 @@ func (t *Translator) buildExtAuth(
 	if err = t.validateExtServiceBackendReference(
 		backendRef,
 		policy.Namespace,
+		KindSecurityPolicy,
 		resources); err != nil {
 		return nil, err
 	}

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml

@@ -117,7 +117,7 @@ referenceGrants:
   spec:
     from:
     - group: gateway.envoyproxy.io
-      kind: SecurityPolicy
+      kind: EnvoyExtensionPolicy
       namespace: default
     to:
     - group: ''

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml

@@ -117,7 +117,7 @@ referenceGrants:
   spec:
     from:
     - group: gateway.envoyproxy.io
-      kind: SecurityPolicy
+      kind: EnvoyExtensionPolicy
       namespace: default
     to:
     - group: ''

internal/gatewayapi/validate.go

@@ -936,6 +936,7 @@ func (t *Translator) validateSecretObjectRef(
 func (t *Translator) validateExtServiceBackendReference(
 	backendRef *gwapiv1.BackendObjectReference,
 	ownerNamespace string,
+	policyKind string,
 	resources *Resources,
 ) error {
 	// These are sanity checks, they should never happen because the API server
@@ -985,7 +986,7 @@ func (t *Translator) validateExtServiceBackendReference(
 		if !t.validateCrossNamespaceRef(
 			crossNamespaceFrom{
 				group:     egv1a1.GroupName,
-				kind:      KindSecurityPolicy,
+				kind:      policyKind,
 				namespace: ownerNamespace,
 			},
 			crossNamespaceTo{