Configure GatewayAPI Policy

Policies are Kubernetes Custom Resources that extend Gateway and Route resources with advanced capabilities. They use the Policy Attachment pattern via .spec.targetRefs to attach to Gateway API resources (Gateway, HTTPRoute, GRPCRoute), enabling flexible configuration and policy inheritance.

Envoy Gateway currently provides three policy types:

| Policy Name | Purpose | Can Attach To | Web Console Support |
| --- | --- | --- | --- |
| SecurityPolicy | Authentication, authorization and security features, including API Key auth, JWT auth, OIDC auth, CORS configuration and Basic auth | Gateway, HTTPRoute, GRPCRoute | API Key Auth only |
| BackendTrafficPolicy | Backend traffic configuration, including load balancing strategies, circuit breaking, health checks, retry policies and timeout settings | Gateway, HTTPRoute, GRPCRoute | Not supported |
| ClientTrafficPolicy | Client-facing traffic configuration, including rate limiting, connection limits, TCP keepalive, HTTP/2 settings and client IP detection | Gateway | Not supported |

Only SecurityPolicy is supported through the Web console.

Prerequisites

Please ensure that you have:

  1. Installed Envoy Gateway Operator
  2. Created a Gateway
  3. Created a Route

SecurityPolicy

Configuration Via Web Console

  1. Navigate to Alauda Container Platform -> Networking -> Gateway -> Policies
  2. Select SecurityPolicy in the Policy Type dropdown
  3. Click the Create Policy button

Common Fields (shared for all policies):

| Field | Description | YAML Path |
| --- | --- | --- |
| Policy Type | The type of policy to create. | kind |
| Publish To | The Gateway API resources this policy attaches to (the console currently supports HTTPRoute targets only). | spec.targetRefs |

SecurityPolicy Specific Fields:

| Field | Description | YAML Path |
| --- | --- | --- |
| Authorization Type | The authentication method to use (currently only API Key Authentication). | spec.apiKeyAuth |
| Secrets | Kubernetes Secrets holding the API keys; each data key is a client ID and its value is that client's API key. | spec.apiKeyAuth.credentialRefs |
| Extract From | Where the API key is read from in the request (HTTP headers or query parameters). | spec.apiKeyAuth.extractFrom |

Configuration Via YAML

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: demo-security-policy
  namespace: demo
spec:
  targetRefs:
    # Attach the policy to the HTTPRoute named "demo" in this namespace
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: demo
  apiKeyAuth:
    credentialRefs:
      # Opaque Secret whose data keys are client IDs and values are API keys
      - group: ""
        kind: Secret
        name: demo
        namespace: demo
    extractFrom:
      # Read the API key from the "authorization" request header
      - headers:
          - authorization

Introduction

SecurityPolicy is used to configure authentication, authorization, and other security-related features for your Gateway and Routes. It provides a declarative way to protect your services by validating incoming requests before they reach your backend applications.

Features

  • Authentication: Verify the identity of clients using various methods (API Key, JWT, OIDC, Basic Auth)
  • Authorization: Control access to resources based on validated credentials
  • CORS Configuration: Manage Cross-Origin Resource Sharing policies

How It Works:

  1. Create a SecurityPolicy with the authentication/authorization rules you need
  2. Attach it to a Gateway, HTTPRoute or GRPCRoute through spec.targetRefs
  3. Envoy Gateway validates each incoming request against the policy before routing it
  4. Valid requests are forwarded to the backend service; invalid requests are rejected with the appropriate HTTP status code (401 Unauthorized for a missing or unknown API key)
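To make the mechanics concrete, the following Python model (an added example, not Envoy Gateway's or the platform's code) builds the referenced Secret in the layout apiKeyAuth expects, applies the page's extractFrom rules to a request, and returns the status the proxy would produce. It goes beyond the page's YAML by adding a query-parameter source and also handling the cookies source Envoy Gateway accepts; the client IDs, key values and URL are constructed sample data, and comparing the header value verbatim is an assumption of the model.

```python
# Added example (not Envoy Gateway's code): a model of how an apiKeyAuth
# SecurityPolicy is evaluated, useful for checking the Secret layout and the
# extractFrom order before applying manifests. Names and keys are assumed.
import base64
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# The page's SecurityPolicy as a dict, extended with a query-parameter source.
POLICY = {
    "apiVersion": "gateway.envoyproxy.io/v1alpha1",
    "kind": "SecurityPolicy",
    "metadata": {"name": "demo-security-policy", "namespace": "demo"},
    "spec": {
        "targetRefs": [
            {"group": "gateway.networking.k8s.io", "kind": "HTTPRoute", "name": "demo"}
        ],
        "apiKeyAuth": {
            "credentialRefs": [
                {"group": "", "kind": "Secret", "name": "demo", "namespace": "demo"}
            ],
            "extractFrom": [{"headers": ["authorization"]}, {"params": ["api_key"]}],
        },
    },
}


def make_api_key_secret(name, namespace, keys):
    """Build the referenced Secret: each data key is a client ID and its value
    is that client's API key, base64-encoded as it appears under `data:`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {cid: base64.b64encode(key.encode()).decode() for cid, key in keys.items()},
    }


def extract_api_key(policy, request):
    """Walk spec.apiKeyAuth.extractFrom in order and return the first key found.
    Header values are taken verbatim (an assumption of this model)."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    query = parse_qs(urlsplit(request["url"]).query)
    cookies = {k: m.value for k, m in SimpleCookie(headers.get("cookie", "")).items()}
    for source in policy["spec"]["apiKeyAuth"]["extractFrom"]:
        for name in source.get("headers", []):
            if name.lower() in headers:
                return headers[name.lower()]
        for name in source.get("params", []):
            if name in query:
                return query[name][0]
        for name in source.get("cookies", []):
            if name in cookies:
                return cookies[name]
    return None


def authenticate(policy, secret, request):
    """Return (http_status, client_id). A missing or unknown key yields 401;
    an empty Secret therefore rejects every request, since nothing can match."""
    presented = extract_api_key(policy, request)
    if presented is None:
        return 401, None
    for client_id, encoded in secret.get("data", {}).items():
        expected = base64.b64decode(encoded)
        # Constant-time comparison so the check does not leak via timing.
        if hmac.compare_digest(presented.encode(), expected):
            return 200, client_id
    return 401, None


if __name__ == "__main__":
    # Constructed sample data: two clients, one request per extraction source.
    secret = make_api_key_secret("demo", "demo", {"client-a": "a-key", "client-b": "b-key"})
    base = "https://demo.example/v1"
    print(authenticate(POLICY, secret, {"url": base, "headers": {"Authorization": "a-key"}}))
    print(authenticate(POLICY, secret, {"url": base + "?api_key=b-key", "headers": {}}))
    print(authenticate(POLICY, secret, {"url": base, "headers": {}}))
    empty = make_api_key_secret("demo", "demo", {})
    print(authenticate(POLICY, empty, {"url": base, "headers": {"Authorization": "a-key"}}))
```

Running the block prints 200 for the header and query-parameter requests, 401 for the request without a key, and 401 for a valid key checked against an empty Secret, which is the failure mode a forgotten Secret value produces in the gateway.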

Notes

  1. The web console currently supports configuring API Key Authentication only. For other authentication methods and advanced security features, use YAML configuration.
  2. Each Route can be associated with only one SecurityPolicy.
  3. If a SecurityPolicy references a Secret that contains no API keys, every request to the attached route is rejected with 401 Unauthorized, since no presented key can match.
  4. In the web console, the Extract From field defaults to header and the Header Name field defaults to authorization.
  5. You can see which policies are attached to a route on the Route's topology tab in the web console.

Official Documentation: