From eb82156e1155b8de06c66bfd3591300935adff51 Mon Sep 17 00:00:00 2001 From: davem-git Date: Wed, 15 Oct 2025 14:56:52 -0500 Subject: [PATCH 1/3] updated release notes Signed-off-by: davem-git --- release-notes/current.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 2a3b289b407..ba9df98d223 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -11,6 +11,7 @@ security updates: | # New features or capabilities added in this release. new features: | + Added support for applying SecurityPolicy Authorization to TCPRoute (client IP / allow-deny list for TCP traffic). Added support for mTLS configuration for ExtensionServer. Added support for RetryPolicy in gRPC ExtAuth callouts via SecurityPolicy backend settings fields. Added support for late response headers in ClientTrafficPolicy. From 6d9431d1dfe3fc49631cbcbccd08f7ecee4a57fe Mon Sep 17 00:00:00 2001 From: davem-git Date: Wed, 15 Oct 2025 15:02:18 -0500 Subject: [PATCH 2/3] updated docs Signed-off-by: davem-git --- .../concepts/gateway_api_extensions/security-policy.md | 8 +++++--- .../en/latest/tasks/security/restrict-ip-access.md | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md b/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md index 4eac2fb50e2..42ffbc42e78 100644 --- a/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md +++ b/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md 
@@ -36,7 +36,9 @@ SecurityPolicy can be attached to Gateway API resources using two targeting mech 1. **Direct Reference (`targetRefs`)**: Explicitly reference specific resources by name and kind. 2. **Label Selection (`targetSelectors`)**: Match resources based on their labels (see [targetSelectors API reference](../../api/extension_types#targetselectors)) -The policy applies to all resources that match either targeting method. You can target various Gateway API resource types including `Gateway`, `HTTPRoute`, and `GRPCRoute`. +The policy applies to all resources that match either targeting method. You can target various Gateway API resource types including `Gateway`, `HTTPRoute`, `GRPCRoute`, and `TCPRoute`. + +Note: TCPRoute support is limited to authorization using client IP allow/deny lists (IP-based authorization). Other SecurityPolicy features such as JWT, API Key, Basic Auth, or OIDC are not applicable to TCPRoute targets. **Important**: A SecurityPolicy can only target resources in the same namespace as the policy itself. @@ -44,8 +46,8 @@ The policy applies to all resources that match either targeting method. You can When multiple SecurityPolicies apply to the same resource, Envoy Gateway resolves conflicts using a precedence hierarchy based on the target resource type and section-level specificity: -1. **Route rule-level policies** (HTTPRoute/GRPCRoute with `sectionName` targeting specific rules) - Highest precedence -2. **Route-level policies** (HTTPRoute, GRPCRoute without `sectionName`) - High precedence +1. **Route rule-level policies** (HTTPRoute, GRPCRoute, or TCPRoute with `sectionName` targeting specific rules) - Highest precedence +2. **Route-level policies** (HTTPRoute, GRPCRoute, or TCPRoute without `sectionName`) - High precedence 3. **Listener-level policies** (Gateway with `sectionName` targeting specific listeners) - Medium precedence 4. **Gateway-level policies** (Gateway without `sectionName`) - Lowest precedence 
diff --git a/site/content/en/latest/tasks/security/restrict-ip-access.md b/site/content/en/latest/tasks/security/restrict-ip-access.md index ab8965d7966..b0a86dd49cd 100644 --- a/site/content/en/latest/tasks/security/restrict-ip-access.md +++ b/site/content/en/latest/tasks/security/restrict-ip-access.md @@ -6,7 +6,7 @@ This task provides instructions for configuring IP allowlist/denylist on Envoy G checks if an incoming request is from an allowed IP address before routing the request to a backend service. Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure IP allowlist/denylist. -This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute], [GRPCRoute][GRPCRoute] or [TCPRoute][TCPRoute] resource. ## Prerequisites @@ -194,3 +194,4 @@ Checkout the [Developer Guide](../../../contributions/develop) to get involved i [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute +[TCPRoute]: https://gateway-api.sigs.k8s.io/guides/tcp/ From a46b60dbb637f96f22801d749c94728a3741b9d3 Mon Sep 17 00:00:00 2001 From: davem-git Date: Mon, 3 Nov 2025 10:11:11 -0600 Subject: [PATCH 3/3] fixed merge conflict Signed-off-by: davem-git --- release-notes/current.yaml | 31 +------------------------------ 1 file changed, 1 insertion(+), 30 deletions(-) diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 8ef5fec64e8..2bac416b2cf 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -8,36 +8,7 @@ security updates: | # New features or capabilities added in this release. new features: | -<<<<<<< HEAD - Added support for applying SecurityPolicy Authorization to TCPRoute (client IP / allow-deny list for TCP traffic). - Added support for mTLS configuration for ExtensionServer. - Added support for RetryPolicy in gRPC ExtAuth callouts via SecurityPolicy backend settings fields. - Added support for late response headers in ClientTrafficPolicy. - Added max connection/stream duration and max requests per connection to ClientTrafficPolicy. - Added PercentageEnabled to ZoneAware lb config. - Added cacheDuration for remoteJWKS in SecurityPolicy. - Added support for DisableTokenEncryption in OIDC authn to disable encryption of ID and access tokens stored in cookies. - Added support for OCSP stapling in the listener TLS certificates. - Added support for returning 503 responses when no valid backend endpoints exist. - Added support for CSRFTokenTTL in OIDC authn to configure the lifetime of the CSRF token used during the OAuth2 authorization code flow. - Added support for binaryData in ConfigMap referenced by HTTPRouteFilter for direct response. - -||||||| 04177d711 - Added support for mTLS configuration for ExtensionServer. - Added support for RetryPolicy in gRPC ExtAuth callouts via SecurityPolicy backend settings fields. - Added support for late response headers in ClientTrafficPolicy. - Added max connection/stream duration and max requests per connection to ClientTrafficPolicy. - Added PercentageEnabled to ZoneAware lb config. - Added cacheDuration for remoteJWKS in SecurityPolicy. - Added support for DisableTokenEncryption in OIDC authn to disable encryption of ID and access tokens stored in cookies. - Added support for OCSP stapling in the listener TLS certificates. - Added support for returning 503 responses when no valid backend endpoints exist. 
- Added support for CSRFTokenTTL in OIDC authn to configure the lifetime of the CSRF token used during the OAuth2 authorization code flow. - Added support for binaryData in ConfigMap referenced by HTTPRouteFilter for direct response. - -======= ->>>>>>> 993581905115b49270c7bb577a6a374f80f41552 - + Added support for applying SecurityPolicy Authorization to TCPRoute (client IP / allow-deny list for TCP traffic). bug fixes: | - Fixed Listener port limit typo 65353 -> 65535. # Enhancements that improve performance.
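Review bot: the release-note line added in PATCH 1/3 (`Added support for applying SecurityPolicy Authorization to TCPRoute ...`) is deleted and re-added in PATCH 3/3 alongside the conflict-marker cleanup, so the series carries the same one-line change twice; squashing 1/3 into 3/3 (or rebasing 1/3 onto the reset `current.yaml`) would leave a single reviewable change to the release notes.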
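Review bot: the precedence hunk in `security-policy.md` now states that a TCPRoute can be targeted at rule level via `sectionName`, but nothing in this series shows the translator resolving TCPRoute rule names, and the first hunk only introduces TCPRoute as a route-level target; either confirm rule-level targeting is implemented for TCPRoute (and that the vendored Gateway API version exposes a rule `name` on TCPRouteRule) or restrict the wording to "HTTPRoute or GRPCRoute" in item 1 and keep TCPRoute only in item 2. In the same file, the new `Note:` lists the unsupported features with "such as", which leaves CORS, ExtAuth and header/JWT-claim based authorization principals unaddressed; stating that only `clientCIDRs` authorization applies to TCPRoute, and what happens when another field is set (ignored, or policy rejected with a status condition), would remove the ambiguity.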
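Review bot: the only change to `restrict-ip-access.md` is the sentence adding `[TCPRoute][TCPRoute]` to the list of attachable resources; the unchanged context line above it still describes the feature as checking "an incoming request ... before routing the request", which reads as HTTP-only, and the task page gains no TCPRoute example or the IP-only limitation stated in `security-policy.md`. Adjusting the wording to cover connections as well as requests and adding a short TCPRoute example (or at least the limitation note) would keep the two docs consistent.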
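Review bot: the new reference `[TCPRoute]: https://gateway-api.sigs.k8s.io/guides/tcp/` points at a guide page, while the three siblings above it point at `api-types/...` pages; if an API-type page exists for TCPRoute, use it for consistency, otherwise add a trailing-slash-consistent form so the four references read alike.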
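Review bot: the conflict-resolution hunk removes all eleven pre-existing `new features` entries from both the `HEAD` and `|||||||` sides (mTLS for ExtensionServer, RetryPolicy for ExtAuth, OCSP stapling, and so on) and keeps only the TCPRoute line; that is the right outcome only if the upstream side (`>>>>>>> 9935819...`, which is empty in the hunk) had already reset `current.yaml` after a release cut. Please confirm against `main` that those entries now live in a versioned release-notes file rather than being lost, and that the `bug fixes` entry `Fixed Listener port limit typo 65353 -> 65535.` adjacent to the hunk is unaffected.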