Skip to content

docs: Conceptual documentation for CTP, BTP, SecurityPolicy & Gateway API Extensions #5946

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
melsal13 wants to merge 10 commits into from
Closed

docs: Conceptual documentation for CTP, BTP, SecurityPolicy & Gateway API Extensions #5946

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
feb6e3f
added template ctp concepts page to latest
melsal13 May 6, 2025
ed0cdda
Merge branch 'main' into docs-conceptual-ctp
melsal13 May 6, 2025
927d6e4
draft of conceptual ctp
melsal13 May 6, 2025
cee9539
updated branch with changes from main
melsal13 May 7, 2025
0da3182
created draft of gateway extensions doc
melsal13 May 7, 2025
d0d97eb
added doc for security policy and fixed broken links
melsal13 May 7, 2025
3ecba6a
fixed more broken links
melsal13 May 7, 2025
c3969ac
Merge branch 'main' into docs-con-ctp-btp
melsal13 May 7, 2025
8bbf17a
Merge branch 'main' into docs-con-ctp-btp
melsal13 May 8, 2025
6e429ca
added examples for sp, ctp and btp conceptual docs
melsal13 May 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions site/content/en/latest/concepts/backend-traffic-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
---
title: "BackendTrafficPolicy"
---
## Before you Begin
- [Gateway API Extensions](gateway-api-extensions.md)

## Overview
`BackendTrafficPolicy` is an extension to the Kubernetes Gateway API that controls how Envoy Gateway communicates with your backend services. It can configure connection behavior, resilience mechanisms, and performance optimizations without requiring changes to your applications.

Think of it as a traffic controller that sits between your gateway and backend services. It can detect problems, prevent failures from spreading, and optimize request handling to improve system stability.

## Use Cases

`BackendTrafficPolicy` is particularly useful in scenarios where you need to:

1. **Protect your services:**
Limit connections and reject excess traffic when necessary

2. **Build resilient systems:**
Detect failing services and redirect traffic

3. **Improve performance:**
Optimize how requests are distributed and responses are handled

4. **Test system behavior:**
Inject faults and validate your recovery mechanisms

## BackendTrafficPolicy in Envoy Gateway

`BackendTrafficPolicy` is part of the Envoy Gateway API suite, which extends the Kubernetes Gateway API with additional capabilities. It's implemented as a Custom Resource Definition (CRD) that you can use to configure how Envoy Gateway manages traffic to your backend services. You can attach it to Gateway API resources in two ways:

1. Using `targetRefs` to directly reference specific Gateway resources
2. Using `targetSelectors` to match Gateway resources based on labels

The policy applies to all resources that match either targeting method. When multiple policies target the same resource, the most specific configuration wins.

For example, consider these two policies:

```yaml
# Policy 1: Applies to all routes in the gateway
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
name: gateway-policy
spec:
targetRefs:
- kind: Gateway
name: my-gateway
circuitBreaker:
maxConnections: 100

---
# Policy 2: Applies to a specific route
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
name: route-policy
spec:
targetRefs:
- kind: HTTPRoute
name: my-route
circuitBreaker:
maxConnections: 50
```

In this example `my-route` and `my-gateway` would both affect the route. However, since Policy 2 targets the route directly while Policy 1 targets the gateway, Policy 2's configuration (`maxConnections: 50`) will take precedence for that specific route.

Lastly, it's important to note that even when you apply a policy to a Gateway, the policy's effects are tracked separately for each backend service referenced in your routes. For example, if you set up circuit breaking on a Gateway with multiple backend services, each backend service will have its own independent circuit breaker counter. This ensures that issues with one backend service don't affect the others.

## Related Resources

- [Circuit Breakers](../tasks/traffic/circuit-breaker)
- [Failover](../tasks/traffic/failover)
- [Fault Injection](../tasks/traffic/fault-injection)
- [Global Rate Limit](../tasks/traffic/global-rate-limit)
- [Local Rate Limit](../tasks/traffic/local-rate-limit)
- [Load Balancing](../tasks/traffic/load-balancing)
- [Response Compression](../tasks/traffic/response-compression)
- [Response Override](../tasks/traffic/response-override)
- [BackendTrafficPolicy API Reference](../api/extension_types#backendtrafficpolicy)
86 changes: 86 additions & 0 deletions site/content/en/latest/concepts/client-traffic-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
---
title: "ClientTrafficPolicy"
---
## Before you Begin
- [Gateway API Extensions](gateway-api-extensions.md)

## Overview

`ClientTrafficPolicy` is an extension to the Kubernetes Gateway API that allows system administrators to configure how the Envoy Proxy server behaves with downstream clients. It is a policy attachment resource that can be applied to Gateway resources and holds settings for configuring the behavior of the connection between the downstream client and Envoy Proxy listener.

Think of `ClientTrafficPolicy` as a set of rules for your Gateway's entry points - it lets you configure specific behaviors for each listener in your Gateway, with more specific rules taking precedence over general ones.

## Use Cases

`ClientTrafficPolicy` is particularly useful in scenarios where you need to:

1. **Enforce TLS Security**
Configure TLS termination, mutual TLS (mTLS), and certificate validation at the edge.

2. **Manage Client Connections**
Control TCP keepalive behavior and connection timeouts for optimal resource usage.

3. **Handle Client Identity**
Configure trusted proxy chains to correctly resolve client IPs for logging and access control.

4. **Normalize Request Paths**
Sanitize incoming request paths to ensure compatibility with backend routing rules.

5. **Tune HTTP Protocols**
Configure HTTP/1, HTTP/2, and HTTP/3 settings for compatibility and performance.

6. **Monitor Listener Health**
Set up health checks for integration with load balancers and failover mechanisms.

## ClientTrafficPolicy in Envoy Gateway

`ClientTrafficPolicy` is part of the Envoy Gateway API suite, which extends the Kubernetes Gateway API with additional capabilities. It's implemented as a Custom Resource Definition (CRD) that you can use to configure how Envoy Gateway manages incoming client traffic. You can attach it to Gateway API resources in two ways:

1. Using `targetRefs` to directly reference specific Gateway resources
2. Using `targetSelectors` to match Gateway resources based on labels

The policy applies to all Gateway resources that match either targeting method. When multiple policies target the same resource, the most specific configuration wins.

For example, consider these policies targeting the same Gateway Listener:

```yaml
# Policy A: Targets a specific listener in the gateway
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
name: listener-specific-policy
spec:
targetRefs:
- kind: Gateway
name: my-gateway
sectionName: https-listener # Targets specific listener
timeout:
http:
idleTimeout: 30s

---
# Policy B: Targets the entire gateway
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
name: gateway-wide-policy
spec:
targetRefs:
- kind: Gateway
name: my-gateway # Targets all listeners
timeout:
http:
idleTimeout: 60s
```

In this case:
- Policy A will be applied/attached to the specific Listener defined in the `targetRef.SectionName`
- Policy B will be applied to the remaining Listeners within the Gateway. Policy B will have an additional status condition Overridden=True.

## Related Resources

- [Connection Limit](../tasks/traffic/connection-limit)
- [HTTP Request Headers](../tasks/traffic/http-request-headers)
- [HTTP/3](../tasks/traffic/http3)
- [Mutual TLS: External Clients to the Gateway](../tasks/security/mutual-tls.md)
- [ClientTrafficPolicy API Reference](../api/extension_types#clienttrafficpolicy)
39 changes: 39 additions & 0 deletions site/content/en/latest/concepts/gateway-api-extensions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
---
title: "Gateway API Extensions"
---
## Before you Begin
- [The Gateway API](https://gateway-api.sigs.k8s.io/)

## Overview

Gateway Extensions are mechanisms that allow implementation-specific features to be added to the Kubernetes Gateway API without modifying its core specification. They enable Gateway API implementations like Envoy Gateway to expose their unique capabilities while maintaining compatibility with the standard API. Extensions follow defined patterns that preserve the role-oriented design of Gateway API while allowing for customization to address specific use cases not covered by the core API.
Copy link
Contributor

@arkodg arkodg May 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we have a dedicated page for Gateway API Extensions or add it under https://gateway.envoyproxy.io/docs/concepts/concepts_overview/#envoy-gateway-eg-api-resources
cc @missBerg ?


## Use Cases

1. **Advanced Traffic Management:**
Implementing sophisticated load balancing algorithms, circuit breaking, or retries not defined in the core API
2. **Enhanced Security Controls:**
Adding implementation-specific TLS configurations, authentication mechanisms, or access control rules
3. **Observability Integration:**
Connecting Gateway resources to monitoring systems, logging pipelines, or tracing frameworks
4. **Custom Protocol Support:**
Extending beyond HTTP/TCP/UDP with specialized protocol handling
5. **Rate Limiting and Compression:**
Implementing traffic policing specific to the implementation's capabilities

## Gateway API Extensions in Envoy Gateway

The Envoy Gateway API is a set of Gateway API extensions that enable advanced traffic management capabilities in Envoy Gateway. These extensions build on top of the Kubernetes Gateway API by introducing custom resources that expose powerful features of Envoy Proxy in a Kubernetes-native way.

Envoy Gateway uses a policy attachment model, where custom policies are applied to standard Gateway API resources (like HTTPRoute or Gateway) without modifying the core API. This approach provides separation of concerns and makes it easier to manage configurations across teams.

{{% alert title="Current Extensions" color="info" %}}
Currently supported extensions include [`ClientTrafficPolicy`](../api/extension_types#clienttrafficpolicy), [`BackendTrafficPolicy`](../api/extension_types#backendtrafficpolicy), [`SecurityPolicy`](../api/extension_types#securitypolicy), [`EnvoyExtensionPolicy`](../api/extension_types#envoyextensionpolicy), [`EnvoyProxy`](../api/extension_types#envoyproxy), [`HTTPRouteFilter`](../api/extension_types#httproutefilter), and [`Backend`](../api/extension_types#backend).
{{% /alert %}}

Copy link
Contributor

@arkodg arkodg May 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we explicitly name each extension with a 1 liner and add a hyperlink so they link out to concepts and API reference ?

lets add

  • EnvoyExtensionPolicy
  • EnvoyProxy
  • HTTPRouteFIlter
  • Backend

here, and we can add a Concepts page for it later

Copy link
Contributor Author

@melsal13 melsal13 May 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a one liner as a note. All link to their respective api refs.

As I create more conceptual docs, I'll link them in the related resources section
Screenshot 2025-05-08 at 12 07 25 PM

Copy link
Contributor

@arkodg arkodg May 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed mentioning EnvoyPatchPolicy 🙈

These extensions are processed through Envoy Gateway's control plane, which translates them into xDS configurations that are applied to Envoy Proxy instances. This layered architecture allows for consistent, scalable, and production-grade traffic control without needing to manage raw Envoy configuration directly.

## Related Resources
- [ClientTrafficPolicy](client-traffic-policy.md)
- [BackendTrafficPolicy](backend-traffic-policy.md)
- [SecurityPolicy](security-policy.md)
79 changes: 79 additions & 0 deletions site/content/en/latest/concepts/security-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
---
title: "SecurityPolicy"
---

## Before you Begin
- [Gateway API Extensions](gateway-api-extensions.md)

## Overview

`SecurityPolicy` is an Envoy Gateway extension to the Kubernetes Gateway API that allows you to define authentication and authorization requirements for traffic entering your gateway. It acts as a security layer that ensures only properly authenticated and authorized requests are allowed through to your backend services.

`SecurityPolicy` is designed for users who want to enforce access controls at the edge of their infrastructure in a declarative, Kubernetes-native way—without needing to manually configure complex proxy rules.

## Use Cases

1. **Authentication Methods:**
- Authenticate clients using JWT, OIDC, API keys, or Basic Auth

2. **Authorization Controls:**
- Define and enforce authorization rules based on user roles and permissions
- Integrate with external authorization services for real-time policy decisions

3. **Cross-Origin Security:**
- Configure CORS to allow or restrict cross-origin requests for APIs

## SecurityPolicy in Envoy Gateway

`SecurityPolicy` is implemented as a Kubernetes Custom Resource Definition (CRD) and follows the policy attachment model. You can attach it to Gateway API resources in two ways:

1. Using `targetRefs` to directly reference specific Gateway resources
2. Using `targetSelectors` to match Gateway resources based on labels

The policy applies to all resources that match either targeting method. When multiple policies target the same resource, the most specific configuration wins.

For example, consider these policies targeting the same Gateway Listener:

```yaml
# Policy A: Applies to a specific listener
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
name: listener-policy
namespace: default
spec:
targetRefs:
- kind: Gateway
name: my-gateway
sectionName: https # Applies only to "https" listener
cors:
allowOrigins:
- exact: https://example.com
---
# Policy B: Applies to the entire gateway
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
name: gateway-policy
namespace: default
spec:
targetRefs:
- kind: Gateway
name: my-gateway # Applies to all listeners
cors:
allowOrigins:
- exact: https://default.com
```

In the example, policy A takes effect only on the https listener while policy B applies to the rest of the listeners in the gateway. The system will show Overridden=True for Policy B on the https listener, since Policy A is more specific.

## Related Resources
- [API Key Authentication](../tasks/security/apikey-auth.md)
- [Basic Authentication](../tasks/security/basic-auth.md)
- [CORS](../tasks/security/cors.md)
- [External Authorization](../tasks/security/ext-auth.md)
- [IP Allowlist/Denylist](../tasks/security/restrict-ip-access.md)
- [JWT Authentication](../tasks/security/jwt-authentication.md)
- [JWT Claim Based Authorization](../tasks/security/jwt-claim-authorization.md)
- [OIDC Authorization](../tasks/security/oidc.md)
- [SecurityPolicy API Reference](../api/extension_types#securitypolicy)
80 changes: 80 additions & 0 deletions site/content/en/v1.3/concepts/backend-traffic-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
---
title: "BackendTrafficPolicy"
---
## Before you Begin
- [Gateway API Extensions](gateway-api-extensions.md)

## Overview
`BackendTrafficPolicy` is an extension to the Kubernetes Gateway API that controls how Envoy Gateway communicates with your backend services. It can configure connection behavior, resilience mechanisms, and performance optimizations without requiring changes to your applications.

Think of it as a traffic controller that sits between your gateway and backend services. It can detect problems, prevent failures from spreading, and optimize request handling to improve system stability.

## Use Cases

`BackendTrafficPolicy` is particularly useful in scenarios where you need to:

1. **Protect your services:**
Limit connections and reject excess traffic when necessary

2. **Build resilient systems:**
Detect failing services and redirect traffic

3. **Improve performance:**
Optimize how requests are distributed and responses are handled

4. **Test system behavior:**
Inject faults and validate your recovery mechanisms

## BackendTrafficPolicy in Envoy Gateway

`BackendTrafficPolicy` is part of the Envoy Gateway API suite, which extends the Kubernetes Gateway API with additional capabilities. It's implemented as a Custom Resource Definition (CRD) that you can use to configure how Envoy Gateway manages traffic to your backend services. You can attach it to Gateway API resources in two ways:

1. Using `targetRefs` to directly reference specific Gateway resources
2. Using `targetSelectors` to match Gateway resources based on labels

The policy applies to all resources that match either targeting method. When multiple policies target the same resource, the most specific configuration wins.

For example, consider these two policies:

```yaml
# Policy 1: Applies to all routes in the gateway
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
name: gateway-policy
spec:
targetRefs:
- kind: Gateway
name: my-gateway
circuitBreaker:
maxConnections: 100

---
# Policy 2: Applies to a specific route
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
name: route-policy
spec:
targetRefs:
- kind: HTTPRoute
name: my-route
circuitBreaker:
maxConnections: 50
```

In this example `my-route` and `my-gateway` would both affect the route. However, since Policy 2 targets the route directly while Policy 1 targets the gateway, Policy 2's configuration (`maxConnections: 50`) will take precedence for that specific route.

Lastly, it's important to note that even when you apply a policy to a Gateway, the policy's effects are tracked separately for each backend service referenced in your routes. For example, if you set up circuit breaking on a Gateway with multiple backend services, each backend service will have its own independent circuit breaker counter. This ensures that issues with one backend service don't affect the others.

## Related Resources

- [Circuit Breakers](../tasks/traffic/circuit-breaker)
- [Failover](../tasks/traffic/failover)
- [Fault Injection](../tasks/traffic/fault-injection)
- [Global Rate Limit](../tasks/traffic/global-rate-limit)
- [Local Rate Limit](../tasks/traffic/local-rate-limit)
- [Load Balancing](../tasks/traffic/load-balancing)
- [Response Compression](../tasks/traffic/response-compression)
- [Response Override](../tasks/traffic/response-override)
- [BackendTrafficPolicy API Reference](../api/extension_types#backendtrafficpolicy)
Loading
Loading