Docs: tcp security policy #7247
Merged
+8
−5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: davem-git <[email protected]>
Signed-off-by: davem-git <[email protected]>
…curity-policy-docs
davem-git
force-pushed
the
feat-tcp-security-policy-docs
branch
from
5368b3c to
00bdc39
Compare
…curity-policy-docs
…curity-policy-docs
Member
|
@davem-git can you fix the conflict? |
Signed-off-by: davem-git <[email protected]>
Signed-off-by: davem-git <[email protected]>
Contributor
Author
|
@zirain i think i fixed it. seems like its empty so i added my one line to it |
zirain
approved these changes
Nov 4, 2025
rudrakhp
pushed a commit
that referenced
this pull request
Nov 10, 2025
* updated release notes Signed-off-by: davem-git <[email protected]> * updated docs Signed-off-by: davem-git <[email protected]> * fixed merge conflict Signed-off-by: davem-git <[email protected]> --------- Signed-off-by: davem-git <[email protected]>
arkodg
added a commit
that referenced
this pull request
Nov 10, 2025
* chore(examples): fix extensionserver build (#7398) Signed-off-by: Maxime Brunet <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: add missing endpoints in the crl test (#7402) fix test for #7199 Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore(make): exit on failure (#7387) Signed-off-by: Maxime Brunet <[email protected]> Co-authored-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: port typo (#7397) Signed-off-by: cong <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump busybox from `2f590fc` to `e3652a0` in /tools/docker/envoy-gateway (#7409) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `2f590fc` to `e3652a0`. --- updated-dependencies: - dependency-name: busybox dependency-version: e3652a00a2fabd16ce889f0aa32c38eec347b997e73bd09e69c962ec7f8732ee dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: validate EnvoyGateway configuration before reload (#7412) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump the actions group across 1 directory with 2 updates (#7410) Bumps the actions group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [google/osv-scanner-action](https://github.com/google/osv-scanner-action). Updates `github/codeql-action` from 4.31.0 to 4.31.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4e94bd1...0499de3) Updates `google/osv-scanner-action` from 2.2.3 to 2.2.4 - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](google/osv-scanner-action@e92b5d0...9bb6957) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: google/osv-scanner-action dependency-version: 2.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: missing onInvalidMessage for ClientTrafficPolicy (#7417) Signed-off-by: i.makarychev <[email protected]> Signed-off-by: i.makarychev <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: add missing filters in the filter order configuration (#7404) * add missing filters in the filter order configuration Signed-off-by: Huabing Zhao <[email protected]> * fix wrong filter name Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * test: tcp security policy e2e (#7226) * feat(securitypolicy): Added e2e tests for tcp security policies Signed-off-by: davem-git <[email protected]> * removed commented out line Signed-off-by: davem-git <[email protected]> --------- Signed-off-by: davem-git <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * Docs: tcp security policy (#7247) * updated release notes Signed-off-by: davem-git <[email protected]> * updated docs Signed-off-by: davem-git <[email protected]> * fixed merge conflict Signed-off-by: davem-git <[email protected]> --------- Signed-off-by: davem-git <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * feat: support both local and global ratelimit simultaneously (#7334) * update rate limit type Signed-off-by: kkk777-7 <[email protected]> * feat: support both type rate limit Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * feat: support separated path match in ratelimit path (#7413) * update: path match ratelimit e2e Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: handle optional next update for CRL (#7422) fix: handle optional next update for crl Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: missing jwt provider when jwt is configured on multiple listeners sharing the same port (#7337) * fix jwt provider missing when jwt is configured at multiple ir listeners Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: only insert proxy service once it exists (#7424) * maybe this is the fix? Signed-off-by: jukie <[email protected]> * fixes Signed-off-by: jukie <[email protected]> * cleanup Signed-off-by: jukie <[email protected]> * consolidate Signed-off-by: jukie <[email protected]> * fix Signed-off-by: jukie <[email protected]> --------- Signed-off-by: jukie <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix error when updating invalid gateway status (#7415) * fix error when updating invalid gateway status Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: avoid calling the issuer's well-known endpoint for every routes (#7394) * fix: avoid calling the issuer's well-known endpoint for every routes with Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: memory leak (#7429) Fix memory leak. Two watchable.Maps were never closed when shutting down the provider: - GatewayClassStatuses.Close() - missing in GatewayAPIStatuses.Close() - BackendTrafficPolicyStatuses.Close() - missing in PolicyStatuses.Close() Each unclosed map leaked 3 goroutines: 1. Internal watchable.Map.coalesce goroutine 2. HandleSubscription goroutine blocked on channel read 3. Error handler goroutine blocked on channel read Signed-off-by: Gonzalo Serrano <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * perf: move snapshot update above status update in xds layer (#7423) Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: cleanup logging when inserting proxy service cluster (#7431) cleanup Signed-off-by: jukie <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * upgrade gofumpt (#7420) Signed-off-by: fabian4 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * feat(translator): relax backend restrictions for localhost when running standalone with Host infrastructure (#7427) Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: improve api docs for http10.useDefaultHost (#7435) * imporove api docs for useDefaultHost Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * ci: disable lint.dependabot (#7445) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: bump github.com/containerd/containerd (#7448) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * perf: do not set last transition time for status in watcher layer (#7268) Signed-off-by: Rudrakh Panigrahi <[email protected]> * docs: fix gwapi docs (#7408) * docs: fix gwapi docs Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: renable lint.dependabot (#7454) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: remove last transition time comparison as no longer set (#7451) chore: remove last transition time comparision as no longer set Signed-off-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: merged policy status (#7376) Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: header modifier doesn't permit multiple values with commas (#7436) * revert: separate headers with commas Signed-off-by: kkk777-7 <[email protected]> * add e2e Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix auto http config with proxy protocol (#7439) * don't set TypedExtensionProtocolOptions when ProxyProtocol enabled Signed-off-by: zirain <[email protected]> * update test Signed-off-by: zirain <[email protected]> * enable auto ALPN for proxy protocol Signed-off-by: zirain <[email protected]> * add e2e Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump sigs.k8s.io/controller-runtime from 0.22.3 to 0.22.4 in /examples/extension-server (#7470) build(deps): bump sigs.k8s.io/controller-runtime Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.22.3 to 0.22.4. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.22.3...v0.22.4) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.22.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 in the actions group across 1 directory (#7461) build(deps): bump softprops/action-gh-release Bumps the actions group with 1 update in the / directory: [softprops/action-gh-release](https://github.com/softprops/action-gh-release). Updates `softprops/action-gh-release` from 2.4.1 to 2.4.2 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@6da8fa9...5be0e66) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.0 to 1.36.0 in /examples/grpc-ext-proc (#7471) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.0 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](envoyproxy/go-control-plane@envoy/v1.35.0...envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.0 to 1.36.0 in /examples/envoy-ext-auth (#7467) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.0 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](envoyproxy/go-control-plane@envoy/v1.35.0...envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.1-0.20251029084203-42a4a9261f66 to 1.36.0 in /examples/extension-server (#7468) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.1-0.20251029084203-42a4a9261f66 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](https://github.com/envoyproxy/go-control-plane/commits/envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * [release/v1.6] v1.6.0 release docs (#7475) Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Maxime Brunet <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: cong <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: i.makarychev <[email protected]> Signed-off-by: i.makarychev <[email protected]> Signed-off-by: davem-git <[email protected]> Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: jukie <[email protected]> Signed-off-by: Gonzalo Serrano <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: fabian4 <[email protected]> Co-authored-by: Maxime Brunet <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: 聪 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Inode1 <[email protected]> Co-authored-by: davem-git <[email protected]> Co-authored-by: Kota Kimura <[email protected]> Co-authored-by: Isaac <[email protected]> Co-authored-by: Gonzalo Serrano <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> Co-authored-by: Fabian Bao <[email protected]> Co-authored-by: Ignasi Barrera <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
docs: updated docs for tcp security policies
What this PR does / why we need it:
This PR adds docs to the tcp security policy feature
Which issue(s) this PR fixes:
Fixes # #4908
Release Notes: Yes/No
Yes
Part 4 of PR's for tcp security policies
feat(securitypolicy): Update API to support tcp security policy #7168feat(securitypolicy): Update GatewayAPI to support tcp security policy #7171support TCPRoute Authz in xDS translator #7184