envoyproxy · arkodg · Jul 9, 2025 · Jun 19, 2025 · cnvergence · Jul 9, 2025
@@ -158,12 +158,27 @@ type EnvoyProxySpec struct {
 	// +optional
 	PreserveRouteOrder *bool `json:"preserveRouteOrder,omitempty"`
 
-	// DisableLuaValidation disables the Lua script validation for Lua EnvoyExtensionPolicies
-	// +kubebuilder:default=false
+	// LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+	// Default: Strict
 	// +optional
-	DisableLuaValidation *bool `json:"disableLuaValidation,omitempty"`
+	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=Strict;Disabled
+type LuaValidation string
+
+const (
+	// LuaValidationStrict is the default level and checks for issues during script execution.
+	// Recommended if your scripts only use the standard Envoy Lua stream handle API.
+	// For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
+	LuaValidationStrict LuaValidation = "Strict"
+
+	// LuaValidationDisabled disables all validation of Lua scripts.
+	// Scripts will be accepted and executed without any validation checks.
+	// This is not recommended unless your scripts import libraries that are not supported by Lua runtime validation.
+	LuaValidationDisabled LuaValidation = "Disabled"
+)
+
 // RoutingType defines the type of routing of this Envoy proxy.
 type RoutingType string
 

@@ -270,11 +270,6 @@ spec:
                   the number of cpuset threads on the platform.
                 format: int32
                 type: integer
-              disableLuaValidation:
-                default: false
-                description: DisableLuaValidation disables the Lua script validation
-                  for Lua EnvoyExtensionPolicies
-                type: boolean
               extraArgs:
                 description: |-
                   ExtraArgs defines additional command line options that are provided to Envoy.
@@ -442,6 +437,14 @@ spec:
                       and the log level is the value. If unspecified, defaults to "default: warn".
                     type: object
                 type: object
+              luaValidation:
+                description: |-
+                  LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+                  Default: Strict
+                enum:
+                - Strict
+                - Disabled
+                type: string
               mergeGateways:
                 description: |-
                   MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.

@@ -269,11 +269,6 @@ spec:
                   the number of cpuset threads on the platform.
                 format: int32
                 type: integer
-              disableLuaValidation:
-                default: false
-                description: DisableLuaValidation disables the Lua script validation
-                  for Lua EnvoyExtensionPolicies
-                type: boolean
               extraArgs:
                 description: |-
                   ExtraArgs defines additional command line options that are provided to Envoy.
@@ -441,6 +436,14 @@ spec:
                       and the log level is the value. If unspecified, defaults to "default: warn".
                     type: object
                 type: object
+              luaValidation:
+                description: |-
+                  LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+                  Default: Strict
+                enum:
+                - Strict
+                - Disabled
+                type: string
               mergeGateways:
                 description: |-
                   MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.

@@ -19,7 +19,6 @@ envoyProxyForGatewayClass:
             socket_address:
               address: 127.0.0.1
               port_value: 19000
-    disableLuaValidation: false
     logging:
       level:
         default: warn

@@ -6,7 +6,6 @@ envoyProxyForGatewayClass:
     name: example
     namespace: default
   spec:
-    disableLuaValidation: false
     logging:
       level:
         default: warn

@@ -452,7 +452,8 @@ func (t *Translator) buildLua(
 	if err != nil {
 		return nil, err
 	}
-	if envoyProxy != nil && envoyProxy.Spec.DisableLuaValidation != nil && *envoyProxy.Spec.DisableLuaValidation {
+	if envoyProxy != nil && envoyProxy.Spec.LuaValidation != nil &&
+		*envoyProxy.Spec.LuaValidation == egv1a1.LuaValidationDisabled {
 		return &ir.Lua{
 			Name: name,
 			Code: luaCode,

@@ -169,7 +169,6 @@ envoyProxyForGatewayClass:
     name: example
     namespace: default
   spec:
-    disableLuaValidation: false
     logging:
       level:
         default: warn

@@ -5,7 +5,7 @@ envoyProxyForGatewayClass:
     namespace: envoy-gateway-system
     name: test
   spec:
-    disableLuaValidation: true
+    luaValidation: Disabled
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway

@@ -120,8 +120,8 @@ infraIR:
           name: test
           namespace: envoy-gateway-system
         spec:
-          disableLuaValidation: true
           logging: {}
+          luaValidation: Disabled
         status: {}
       listeners:
       - address: null

@@ -32,8 +32,7 @@ new features: |
   Added support for specifying deployment annotations through the helm chart.
   Added support for customizing the name of the ServiceAccount used by the Proxy.
   Added support for custom backendRefs via extension server using PostClusterModify hook.
-
-
+  Introduce validation strictness levels for Lua scripts in EnvoyExtensionPolicies.
 bug fixes: |
   Handle integer zone annotation values
   Fixed issue where WASM cache init failure caused routes with WASM-less EnvoyExtensionPolicies to have 500 direct responses.

@@ -1635,7 +1635,7 @@ _Appears in:_
 | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ |  false  |  | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.<br />These settings are applied on backends for which TLS policies are specified. |
 | `ipFamily` | _[IPFamily](#ipfamily)_ |  false  |  | IPFamily specifies the IP family for the EnvoyProxy fleet.<br />This setting only affects the Gateway listener port and does not impact<br />other aspects of the Envoy proxy configuration.<br />If not specified, the system will operate as follows:<br />- It defaults to IPv4 only.<br />- IPv6 and dual-stack environments are not supported in this default configuration.<br />Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. |
 | `preserveRouteOrder` | _boolean_ |  false  |  | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API<br />specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)<br />or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.<br />Default: False |
-| `disableLuaValidation` | _boolean_ |  false  | false | DisableLuaValidation disables the Lua script validation for Lua EnvoyExtensionPolicies |
+| `luaValidation` | _[LuaValidation](#luavalidation)_ |  false  |  | LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies<br />Default: Strict |
 
 
 #### EnvoyProxyStatus
@@ -3154,6 +3154,21 @@ _Appears in:_
 | `valueRef` | _[LocalObjectReference](#localobjectreference)_ |  false  |  | ValueRef has the source code specified as a local object reference.<br />Only a reference to ConfigMap is supported.<br />The value of key `lua` in the ConfigMap will be used.<br />If the key is not found, the first value in the ConfigMap will be used. |
 
 
+#### LuaValidation
+
+_Underlying type:_ _string_
+
+
+
+_Appears in:_
+- [EnvoyProxySpec](#envoyproxyspec)
+
+| Value | Description |
+| ----- | ----------- |
+| `Strict` | LuaValidationStrict is the default level and checks for issues during script execution.<br />Recommended if your scripts only use the standard Envoy Lua stream handle API.<br />For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api<br /> | 
+| `Disabled` | LuaValidationDisabled disables all validation of Lua scripts.<br />Scripts will be accepted and executed without any validation checks.<br />This is not recommended unless your scripts import libraries that are not supported by Lua runtime validation.<br /> | 
+
+
 #### LuaValueType
 
 _Underlying type:_ _string_

@@ -24078,11 +24078,6 @@ spec:
                   the number of cpuset threads on the platform.
                 format: int32
                 type: integer
-              disableLuaValidation:
-                default: false
-                description: DisableLuaValidation disables the Lua script validation
-                  for Lua EnvoyExtensionPolicies
-                type: boolean
               extraArgs:
                 description: |-
                   ExtraArgs defines additional command line options that are provided to Envoy.
@@ -24250,6 +24245,14 @@ spec:
                       and the log level is the value. If unspecified, defaults to "default: warn".
                     type: object
                 type: object
+              luaValidation:
+                description: |-
+                  LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+                  Default: Strict
+                enum:
+                - Strict
+                - Disabled
+                type: string
               mergeGateways:
                 description: |-
                   MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.

@@ -6766,11 +6766,6 @@ spec:
                   the number of cpuset threads on the platform.
                 format: int32
                 type: integer
-              disableLuaValidation:
-                default: false
-                description: DisableLuaValidation disables the Lua script validation
-                  for Lua EnvoyExtensionPolicies
-                type: boolean
               extraArgs:
                 description: |-
                   ExtraArgs defines additional command line options that are provided to Envoy.
@@ -6938,6 +6933,14 @@ spec:
                       and the log level is the value. If unspecified, defaults to "default: warn".
                     type: object
                 type: object
+              luaValidation:
+                description: |-
+                  LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+                  Default: Strict
+                enum:
+                - Strict
+                - Disabled
+                type: string
               mergeGateways:
                 description: |-
                   MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.