api7 · AlinsRan · Jun 18, 2026 · coderabbitai · Jun 18, 2026
diff --git a/internal/adc/translator/grpcroute.go b/internal/adc/translator/grpcroute.go
@@ -192,7 +192,7 @@ func (t *Translator) TranslateGRPCRoute(tctx *provider.TranslateContext, grpcRou
 				continue
 			}
 
-			t.AttachBackendTrafficPolicyToUpstream(backend.BackendRef, tctx.BackendTrafficPolicies, upstream)
+			t.AttachBackendTrafficPolicyToUpstream(backend.BackendRef, tctx.BackendTrafficPolicies, upstream, tctx.Services)
 			upstream.Nodes = upNodes
 
 			var (

diff --git a/internal/adc/translator/httproute.go b/internal/adc/translator/httproute.go
@@ -570,7 +570,7 @@ func (t *Translator) TranslateHTTPRoute(tctx *provider.TranslateContext, httpRou
 				enableWebsocket = ptr.To(true)
 			}
 
-			t.AttachBackendTrafficPolicyToUpstream(backend.BackendRef, tctx.BackendTrafficPolicies, upstream)
+			t.AttachBackendTrafficPolicyToUpstream(backend.BackendRef, tctx.BackendTrafficPolicies, upstream, tctx.Services)
 			upstream.Nodes = upNodes
 			if upstream.Scheme == "" {
 				upstream.Scheme = appProtocolToUpstreamScheme(protocol)

diff --git a/internal/adc/translator/httproute_test.go b/internal/adc/translator/httproute_test.go
@@ -309,3 +309,106 @@ func TestAttachBackendTrafficPolicyHealthCheck(t *testing.T) {
 		})
 	}
 }
+
+func TestAttachBackendTrafficPolicyToUpstreamSectionName(t *testing.T) {
+	const (
+		namespace   = "default"
+		serviceName = "backend"
+		webPort     = int32(80)
+		webName     = "web"
+		adminPort   = int32(9000)
+		adminName   = "admin"
+	)
+
+	serviceKey := types.NamespacedName{Namespace: namespace, Name: serviceName}
+	services := map[types.NamespacedName]*corev1.Service{
+		serviceKey: {
+			ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace},
+			Spec: corev1.ServiceSpec{
+				Ports: []corev1.ServicePort{
+					{Name: webName, Port: webPort},
+					{Name: adminName, Port: adminPort},
+				},
+			},
+		},
+	}
+
+	newRef := func(port int32) gatewayv1.BackendRef {
+		return gatewayv1.BackendRef{
+			BackendObjectReference: gatewayv1.BackendObjectReference{
+				Name:      gatewayv1.ObjectName(serviceName),
+				Namespace: ptr.To(gatewayv1.Namespace(namespace)),
+				Port:      ptr.To(gatewayv1.PortNumber(port)),
+			},
+		}
+	}
+
+	newPolicy := func(name, sectionName, scheme string) *v1alpha1.BackendTrafficPolicy {
+		targetRef := v1alpha1.BackendPolicyTargetReferenceWithSectionName{
+			LocalPolicyTargetReference: gatewayv1alpha2.LocalPolicyTargetReference{
+				Name: gatewayv1alpha2.ObjectName(serviceName),
+				Kind: gatewayv1alpha2.Kind(internaltypes.KindService),
+			},
+		}
+		if sectionName != "" {
+			targetRef.SectionName = ptr.To(gatewayv1alpha2.SectionName(sectionName))
+		}
+		return &v1alpha1.BackendTrafficPolicy{
+			ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace},
+			Spec: v1alpha1.BackendTrafficPolicySpec{
+				TargetRefs: []v1alpha1.BackendPolicyTargetReferenceWithSectionName{targetRef},
+				Scheme:     scheme,
+			},
+		}
+	}
+
+	tests := []struct {
+		name       string
+		ref        gatewayv1.BackendRef
+		policies   map[types.NamespacedName]*v1alpha1.BackendTrafficPolicy
+		wantScheme string
+	}{
+		{
+			name: "sectionName matches the backend port name",
+			ref:  newRef(webPort),
+			policies: map[types.NamespacedName]*v1alpha1.BackendTrafficPolicy{
+				{Namespace: namespace, Name: "p"}: newPolicy("p", webName, apiv2.SchemeHTTPS),
+			},
+			wantScheme: apiv2.SchemeHTTPS,
+		},
+		{
+			name: "sectionName does not match the backend port name",
+			ref:  newRef(adminPort),
+			policies: map[types.NamespacedName]*v1alpha1.BackendTrafficPolicy{
+				{Namespace: namespace, Name: "p"}: newPolicy("p", webName, apiv2.SchemeHTTPS),
+			},
+			wantScheme: "",
+		},
+		{
+			name: "no sectionName applies to the whole service",
+			ref:  newRef(adminPort),
+			policies: map[types.NamespacedName]*v1alpha1.BackendTrafficPolicy{
+				{Namespace: namespace, Name: "p"}: newPolicy("p", "", apiv2.SchemeHTTPS),
+			},
+			wantScheme: apiv2.SchemeHTTPS,
+		},
+		{
+			name: "port-specific policy takes precedence over whole-service policy",
+			ref:  newRef(adminPort),
+			policies: map[types.NamespacedName]*v1alpha1.BackendTrafficPolicy{
+				{Namespace: namespace, Name: "generic"}:  newPolicy("generic", "", apiv2.SchemeHTTP),
+				{Namespace: namespace, Name: "specific"}: newPolicy("specific", adminName, apiv2.SchemeHTTPS),
+			},
+			wantScheme: apiv2.SchemeHTTPS,
+		},
+	}
+
+	translator := NewTranslator(logr.Discard())
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			upstream := adctypes.NewDefaultUpstream()
+			translator.AttachBackendTrafficPolicyToUpstream(tt.ref, tt.policies, upstream, services)
+			assert.Equal(t, tt.wantScheme, upstream.Scheme)
+		})
+	}
+}
diff --git a/internal/adc/translator/ingress.go b/internal/adc/translator/ingress.go
@@ -187,7 +187,7 @@ func (t *Translator) resolveIngressUpstream(
 		ns = config.ServiceNamespace
 	}
 	backendRef := convertBackendRef(ns, backendService.Name, internaltypes.KindService)
-	t.AttachBackendTrafficPolicyToUpstream(backendRef, tctx.BackendTrafficPolicies, upstream)
+	t.AttachBackendTrafficPolicyToUpstream(backendRef, tctx.BackendTrafficPolicies, upstream, tctx.Services)
 	if config != nil {
 		upConfig := config.Upstream
 		if upConfig.Scheme != "" {

diff --git a/internal/adc/translator/policies.go b/internal/adc/translator/policies.go
@@ -20,6 +20,7 @@ package translator
 import (
 	"encoding/json"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -38,28 +39,60 @@ func convertBackendRef(namespace, name, kind string) gatewayv1.BackendRef {
 	return backendRef
 }
 
-func (t *Translator) AttachBackendTrafficPolicyToUpstream(ref gatewayv1.BackendRef, policies map[types.NamespacedName]*v1alpha1.BackendTrafficPolicy, upstream *adctypes.Upstream) {
+func (t *Translator) AttachBackendTrafficPolicyToUpstream(ref gatewayv1.BackendRef, policies map[types.NamespacedName]*v1alpha1.BackendTrafficPolicy, upstream *adctypes.Upstream, services map[types.NamespacedName]*corev1.Service) {
 	if len(policies) == 0 {
 		return
 	}
-	var policy *v1alpha1.BackendTrafficPolicy
+	// A targetRef with sectionName scopes the policy to a specific Service port
+	// (matched by port name). It takes precedence over a whole-Service targetRef
+	// (no sectionName) that matches the same backend.
+	var genericPolicy, specificPolicy *v1alpha1.BackendTrafficPolicy
 	for _, po := range policies {
 		if ref.Namespace != nil && string(*ref.Namespace) != po.Namespace {
 			continue
 		}
 		for _, targetRef := range po.Spec.TargetRefs {
-			if ref.Name == targetRef.Name {
-				policy = po
-				break
+			if ref.Name != targetRef.Name {
+				continue
+			}
+			if targetRef.SectionName != nil && *targetRef.SectionName != "" {
+				if backendRefMatchesSectionName(ref, po.Namespace, string(*targetRef.SectionName), services) {
+					specificPolicy = po
+				}
+				continue
 			}
+			genericPolicy = po
 		}
 	}
+	policy := specificPolicy
+	if policy == nil {
+		policy = genericPolicy
+	}
 	if policy == nil {
 		return
 	}
 	t.attachBackendTrafficPolicyToUpstream(policy, upstream)
 }
 
+// backendRefMatchesSectionName reports whether the backend ref resolves to the
+// Service port named sectionName. Per the Gateway API policy semantics, when a
+// sectionName is specified but cannot be resolved, the policy must not attach.
+func backendRefMatchesSectionName(ref gatewayv1.BackendRef, namespace, sectionName string, services map[types.NamespacedName]*corev1.Service) bool {
+	if ref.Port == nil {
+		return false
+	}
+	svc, ok := services[types.NamespacedName{Namespace: namespace, Name: string(ref.Name)}]
+	if !ok || svc == nil {
+		return false
+	}
+	for _, port := range svc.Spec.Ports {
+		if port.Port == int32(*ref.Port) {
+			return port.Name == sectionName
+		}
+	}
+	return false
+}
+
 func (t *Translator) attachBackendTrafficPolicyToUpstream(policy *v1alpha1.BackendTrafficPolicy, upstream *adctypes.Upstream) {
 	if policy == nil {
 		return

diff --git a/internal/adc/translator/tcproute.go b/internal/adc/translator/tcproute.go
@@ -69,7 +69,7 @@ func (t *Translator) TranslateTCPRoute(tctx *provider.TranslateContext, tcpRoute
 				continue
 			}
 			// TODO: Confirm BackendTrafficPolicy attachment with e2e test case.
-			t.AttachBackendTrafficPolicyToUpstream(backend, tctx.BackendTrafficPolicies, upstream)
+			t.AttachBackendTrafficPolicyToUpstream(backend, tctx.BackendTrafficPolicies, upstream, tctx.Services)
 			upstream.Nodes = upNodes
 			var (
 				kind string

diff --git a/internal/adc/translator/tlsroute.go b/internal/adc/translator/tlsroute.go
@@ -62,7 +62,7 @@ func (t *Translator) TranslateTLSRoute(tctx *provider.TranslateContext, tlsRoute
 				continue
 			}
 			// TODO: Confirm BackendTrafficPolicy attachment with e2e test case.
-			t.AttachBackendTrafficPolicyToUpstream(backend, tctx.BackendTrafficPolicies, upstream)
+			t.AttachBackendTrafficPolicyToUpstream(backend, tctx.BackendTrafficPolicies, upstream, tctx.Services)
 			upstream.Nodes = upNodes
 			var (
 				kind string

diff --git a/internal/adc/translator/udproute.go b/internal/adc/translator/udproute.go
@@ -58,7 +58,7 @@ func (t *Translator) TranslateUDPRoute(tctx *provider.TranslateContext, udpRoute
 				continue
 			}
 			// TODO: Confirm BackendTrafficPolicy attachment with e2e test case.
-			t.AttachBackendTrafficPolicyToUpstream(backend, tctx.BackendTrafficPolicies, upstream)
+			t.AttachBackendTrafficPolicyToUpstream(backend, tctx.BackendTrafficPolicies, upstream, tctx.Services)
 			upstream.Nodes = upNodes
 			var (
 				kind string