Alauda Container Platform

Configure GatewayAPI Policy

TOC

OverviewPrerequisitesPolicy Attachment BasicsPolicy Attachment SummaryCreate Policies in Web ConsoleSecurityPolicyConfiguration Via Web ConsoleAPI Key AuthenticationCORS ConfigurationConfiguration Via YAMLReferenceFeaturesHow It WorksNotesOfficial DocumentationBackendTLSPolicyConfiguration Via Web ConsoleConfiguration Via YAMLReferenceFeaturesNotesOfficial DocumentationClientTrafficPolicyConfiguration Via Web ConsoleConfiguration Via YAMLReferenceFeaturesNotesOfficial DocumentationBackendTrafficPolicyConfiguration Via Web ConsoleConfiguration Via YAMLReferenceFeaturesNotesOfficial DocumentationRelated Tasks

Overview

This document explains how to configure policy resources after Gateway and Route resources are ready. Policies use the Policy Attachment pattern through .spec.targetRefs to attach additional traffic, security, and backend behavior to supported resources.

In the recommended workflow, this document comes after Configure GatewayAPI Route.

Envoy Gateway currently provides four policy types: SecurityPolicy, BackendTLSPolicy, ClientTrafficPolicy, and BackendTrafficPolicy.

Prerequisites

Please ensure that you have completed the following before proceeding:

  1. Read Configure GatewayAPI Gateway and Configure GatewayAPI Route
  2. Created the target resource that the policy will attach to, such as a Gateway, Route, or Service

Policy Attachment Basics

Policies attach to other resources through .spec.targetRefs.

By default, a policy can only attach to resources in the same namespace.

For Gateway targets, sectionName can be used to target a specific listener when the policy type supports it. For Service targets, sectionName refers to the Service port name.

Policy Attachment Summary

Policy TypePurposeWeb Console SupportGatewayHTTPRouteGRPCRouteTCPRouteUDPRouteTLSRouteService
SecurityPolicyAuthentication, authorization, CORS, and other security featuresAPI Key Auth, CORS✅ (listener name / ALL)
BackendTLSPolicyTLS configuration between Envoy and backend servicesSupported✅ (port name / ALL)
ClientTrafficPolicyClient-facing timeout and connection behaviorTimeout settings✅ (listener name / ALL)
BackendTrafficPolicyBackend timeout and connection behaviorTimeout settings✅ (listener name / ALL)

sectionName is used to target a specific listener on a Gateway or a specific port on a Service. When omitted or set to ALL, the policy applies to all listeners or ports.

Create Policies in Web Console

All policy types are created from the same entry:

  1. Navigate to Alauda Container Platform -> Networking -> Gateway -> Policies
  2. Select the required value in the Policy Type dropdown
  3. Click the Create Policy button

The following sections focus only on the fields that are specific to each policy type.

SecurityPolicy

Configuration Via Web Console

Common Fields (shared for all policies):

FieldDescriptionYAML Path
Policy TypeThe type of policy to create.kind
Attach ToThe Gateway API resources this policy applies to. Supports Gateway, HTTPRoute, and GRPCRoute. When attaching to Gateway, you can optionally specify a listener name or select ALL listeners..spec.targetRefs

SecurityPolicy Specific Fields:

FieldDescriptionYAML Path
Authorization TypeThe authentication/authorization method to use. Supports multiple selections: API Key Authentication, CORS Configuration.spec.apiKeyAuth, .spec.cors

API Key Authentication

FieldDescriptionYAML Path
SecretsKubernetes secrets containing the API keys for authentication.spec.apiKeyAuth.credentialRefs
Extract FromSpecifies where to extract the API key from (HTTP headers or query parameters).spec.apiKeyAuth.extractFrom

CORS Configuration

FieldDescriptionYAML Path
Allow OriginsList of allowed origins for CORS requests.spec.cors.allowOrigins
Allow MethodsList of allowed HTTP methods.spec.cors.allowMethods
Allow HeadersList of allowed headers in CORS requests.spec.cors.allowHeaders
Expose HeadersList of headers exposed to client in response.spec.cors.exposeHeaders
Max AgeCache duration for CORS preflight response.spec.cors.maxAge
Allow CredentialsWhether credentials are allowed in CORS requests.spec.cors.allowCredentials

Configuration Via YAML

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: demo-security-policy
  namespace: demo
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: demo
  apiKeyAuth:
    credentialRefs:
      - group: ""
        kind: Secret
        name: demo
        namespace: demo
    extractFrom:
      - headers:
          - authorization
  cors:
    allowOrigins:
      - "https://example.com"
    allowMethods:
      - GET
      - POST
    allowHeaders:
      - "Content-Type"
    exposeHeaders:
      - "X-Custom-Header"
    maxAge: "1h"
    allowCredentials: true

Reference

SecurityPolicy is used to configure authentication, authorization, and other security-related features for your Gateway and Routes. It provides a declarative way to protect your services by validating incoming requests before they reach your backend applications.

            Gateway            Route
               |                 |
               +-- SecurityPolicy-+
Client ---> Envoy Listener --------------------> Backend Service

Features

  • Authentication: Verify the identity of clients using various methods (API Key, JWT, OIDC, Basic Auth)
  • Authorization: Control access to resources based on validated credentials
  • CORS Configuration: Manage Cross-Origin Resource Sharing policies

How It Works

  1. Create a SecurityPolicy with your desired authentication/authorization rules
  2. Attach it to a specific Gateway, HTTPRoute, or GRPCRoute
  3. Envoy Gateway validates incoming requests according to the policy
  4. Valid requests are forwarded to backend services; invalid requests are rejected with appropriate HTTP status codes

Notes

  1. The web console currently supports configuring API Key Authentication and CORS. For other authentication methods and advanced security features, you need to use YAML configuration.
  2. Each Route can only be associated with one SecurityPolicy.
  3. If a SecurityPolicy references a secret with no values, all requests to the attached route will be rejected with 401 Unauthorized.
  4. In the web console, by default, the Extract From field is set to header and the Header Name field is set to authorization.
  5. You can view which policies are attached to a route by navigating to the Route's topology tab in the web console.

Official Documentation

BackendTLSPolicy

Configuration Via Web Console

Common Fields:

FieldDescriptionYAML Path
Policy TypeThe type of policy to create.kind
Attach ToThe Service this policy applies to. You must specify the Service name and port name (sectionName)..spec.targetRefs

BackendTLSPolicy Specific Fields:

FieldDescriptionYAML Path
HostnameRequired. The SNI (Server Name Indication) used when Envoy connects to the backend service.spec.validation.hostname
Subject Alternative NamesOptional. Used for backend HTTPS response validation. If not specified, the hostname value is used as default..spec.validation.subjectAltNames
Validation TypeThe method for validating backend TLS certificates. Options: CACertificateRefs (use custom CA certificates), WellKnownCACertificates (use system CA certificates).spec.validation

CACertificateRefs Configuration:

FieldDescriptionYAML Path
CA Certificate SecretKubernetes secret containing the CA certificate. The secret must have a ca.crt key containing PEM-encoded TLS certificates..spec.validation.cACertificateRefs
NOTE

When creating or selecting a CA certificate secret:

  • The secret type must be suitable for CA certificates
  • The key must be ca.crt
  • You can import a certificate file, which must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----
  • When importing an invalid certificate format, an error message "must contain PEM-encoded TLS certificates" will be displayed
  • When selecting an existing secret without ca.crt key, an error message "must have ca.crt key" will be displayed

Configuration Via YAML

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: BackendTLSPolicy
metadata:
  name: demo-backend-tls-policy
  namespace: demo
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: demo-backend
      namespace: demo
      sectionName: https-port
  validation:
    hostname: backend.example.com
    subjectAltNames:
      - backend.example.com
    cACertificateRefs:
      - group: ""
        kind: Secret
        name: backend-ca
        namespace: demo

Reference

BackendTLSPolicy controls the TLS configuration between Envoy Gateway and backend services. It allows you to configure:

                                Service
                                  |
                                  +-- BackendTLSPolicy
Client ---> Envoy Listener --------------------> Backend Service Port
                                  applies here ^
  • SNI (Server Name Indication): The hostname used when establishing TLS connections to backends
  • Certificate Validation: How to validate backend server certificates
  • CA Certificates: Custom CA certificates for validating backend certificates

Features

  • Configure TLS settings for connections to backend services
  • Support for custom CA certificates or system well-known CA certificates
  • SNI configuration for proper TLS handshake

Notes

  1. The sectionName in targetRefs corresponds to the port name of the Service.
  2. When using WellKnownCACertificates, the system's default CA certificates are used for validation.
  3. The hostname is required and is used as the SNI value when Envoy connects to the backend.

Official Documentation

ClientTrafficPolicy

Configuration Via Web Console

Common Fields:

FieldDescriptionYAML Path
Policy TypeThe type of policy to create.kind
Attach ToThe Gateway this policy applies to. You can optionally specify a listener name or select ALL listeners..spec.targetRefs

Timeout Configuration (Options):

FieldDescriptionYAML Path
TCP Idle TimeoutThe idle timeout for a TCP connection. Idle time is defined as a period in which there are no bytes sent or received on either the upstream or downstream connection. Default: 1 hour..spec.settings.timeout.tcp.idleTimeout
HTTP Request Received TimeoutThe duration Envoy waits for the complete request reception. This timer starts upon request initiation and stops when either the last byte of the request is sent upstream or when the response begins. Default: 1 hour..spec.settings.timeout.http.requestReceivedTimeout
HTTP Idle TimeoutThe idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. Default: unlimited..spec.settings.timeout.http.idleTimeout
HTTP Stream Idle TimeoutThe stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. Default: 5 minutes..spec.settings.timeout.http.streamIdleTimeout

Configuration Via YAML

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: demo-client-traffic-policy
  namespace: demo
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: demo
      sectionName: https
  settings:
    timeout:
      tcp:
        idleTimeout: "30m"
      http:
        requestReceivedTimeout: "60s"
        idleTimeout: "5m"
        streamIdleTimeout: "30s"

Reference

ClientTrafficPolicy controls the behavior of connections from clients to Envoy Gateway. It provides fine-grained control over:

            Gateway
               |
               +-- ClientTrafficPolicy
Client ---> Envoy Listener --------------------> Backend Service
          applies on the client-facing side ^
  • TCP Settings: Connection-level timeout and keepalive settings
  • HTTP Settings: Request/response timeouts and HTTP protocol behavior

Features

  • Configure TCP connection idle timeouts
  • Control HTTP request reception timeouts
  • Set HTTP connection idle timeouts
  • Configure HTTP stream idle timeouts

Notes

  1. Timeout values are specified as duration strings (e.g., "30s", "5m", "1h").

Official Documentation

BackendTrafficPolicy

Configuration Via Web Console

Common Fields:

FieldDescriptionYAML Path
Policy TypeThe type of policy to create.kind
Attach ToThe Gateway API resources this policy applies to. Supports Gateway, HTTPRoute, GRPCRoute, TCPRoute, UDPRoute, and TLSRoute. When attaching to Gateway, you can optionally specify a listener name or select ALL listeners. In YAML, this is configured through sectionName in .spec.targetRefs..spec.targetRefs

Timeout Configuration (Options):

FieldDescriptionYAML Path
TCP Connection TimeoutThe timeout for network connection establishment, including TCP and TLS handshakes. Default: 10 seconds..spec.settings.timeout.tcp.connectionTimeout
HTTP Connection Idle TimeoutThe idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. Default: 1 hour..spec.settings.timeout.http.connectionIdleTimeout
HTTP Max Connection DurationThe maximum duration of an HTTP connection. Default: unlimited..spec.settings.timeout.http.maxConnectionDuration
HTTP Request TimeoutThe time until the entire response is received from the upstream. Default: 15 seconds. Supports setting to unlimited..spec.settings.timeout.http.requestTimeout

Configuration Via YAML

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: demo-backend-traffic-policy
  namespace: demo
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: demo
  settings:
    timeout:
      tcp:
        connectionTimeout: "5s"
      http:
        connectionIdleTimeout: "30m"
        maxConnectionDuration: "1h"
        requestTimeout: "30s"

Reference

BackendTrafficPolicy controls the behavior of connections from Envoy Gateway to backend services. It provides fine-grained control over:

            Gateway / Route
                  |
                  +-- BackendTrafficPolicy
Client ---> Envoy Listener --------------------> Backend Service
                                  applies here ^
  • TCP Settings: Connection establishment timeouts
  • HTTP Settings: Connection durations, idle timeouts, and request timeouts

Features

  • Configure TCP connection establishment timeouts
  • Control HTTP connection idle timeouts
  • Set maximum HTTP connection durations
  • Configure HTTP request timeouts

Notes

  1. Timeout values are specified as duration strings (e.g., "30s", "5m", "1h").
  2. The requestTimeout field supports setting to "unlimited" to disable the timeout.

Official Documentation

After policies are attached, continue with Tasks for Envoy Gateway for more operational examples and advanced configuration tasks.