1 change: 1 addition & 0 deletions release-notes/current.yaml
Expand Up @@ -14,6 +14,7 @@ security updates: |

# New features or capabilities added in this release.
new features: |
Added support for applying SecurityPolicy Authorization to TCPRoute (client IP / allow-deny list for TCP traffic).
Added support for mTLS configuration for ExtensionServer.
Added support for RetryPolicy in gRPC ExtAuth callouts via SecurityPolicy backend settings fields.
Added support for late response headers in ClientTrafficPolicy.
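Review bot: the new TCPRoute entry is inserted at the head of the `new features` block ahead of the existing entries; if this file is kept in the order features landed, append it after the last entry instead. It would also help release-note readers to say that only IP-based authorization applies to TCPRoute (the docs change in this same PR states that JWT, API Key, Basic Auth and OIDC do not), so nobody reads "SecurityPolicy Authorization" as full SecurityPolicy support on TCP.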
Expand Up @@ -36,16 +36,18 @@ SecurityPolicy can be attached to Gateway API resources using two targeting mech
1. **Direct Reference (`targetRefs`)**: Explicitly reference specific resources by name and kind.
2. **Label Selection (`targetSelectors`)**: Match resources based on their labels (see [targetSelectors API reference](../../api/extension_types#targetselectors))

The policy applies to all resources that match either targeting method. You can target various Gateway API resource types including `Gateway`, `HTTPRoute`, and `GRPCRoute`.
The policy applies to all resources that match either targeting method. You can target various Gateway API resource types including `Gateway`, `HTTPRoute`, `GRPCRoute`, and `TCPRoute`.

Note: TCPRoute support is limited to authorization using client IP allow/deny lists (IP-based authorization). Other SecurityPolicy features such as JWT, API Key, Basic Auth, or OIDC are not applicable to TCPRoute targets.

**Important**: A SecurityPolicy can only target resources in the same namespace as the policy itself.

### Precedence

When multiple SecurityPolicies apply to the same resource, Envoy Gateway resolves conflicts using a precedence hierarchy based on the target resource type and section-level specificity:

1. **Route rule-level policies** (HTTPRoute/GRPCRoute with `sectionName` targeting specific rules) - Highest precedence
2. **Route-level policies** (HTTPRoute, GRPCRoute without `sectionName`) - High precedence
1. **Route rule-level policies** (HTTPRoute, GRPCRoute, or TCPRoute with `sectionName` targeting specific rules) - Highest precedence
2. **Route-level policies** (HTTPRoute, GRPCRoute, or TCPRoute without `sectionName`) - High precedence
3. **Listener-level policies** (Gateway with `sectionName` targeting specific listeners) - Medium precedence
4. **Gateway-level policies** (Gateway without `sectionName`) - Lowest precedence

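Review bot: the precedence list now claims rule-level targeting for TCPRoute ("TCPRoute with `sectionName` targeting specific rules"); please confirm the implementation actually resolves `sectionName` against TCPRoute rules, otherwise keep TCPRoute only in the route-level item. The Note on the line "TCPRoute support is limited to authorization using client IP allow/deny lists" should also say how the client IP is determined for a TCP target: there are no HTTP headers on an L4 route, so any header-based client IP detection that applies to HTTPRoute/GRPCRoute cannot apply, and the address used for the allow/deny decision is the downstream connection's source address. Operators need that stated explicitly to judge whether the list is trustworthy behind a load balancer.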
Expand Up @@ -6,7 +6,7 @@ This task provides instructions for configuring IP allowlist/denylist on Envoy G
checks if an incoming request is from an allowed IP address before routing the request to a backend service.

Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure IP allowlist/denylist.
This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource.
This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute], [GRPCRoute][GRPCRoute] or [TCPRoute][TCPRoute] resource.

## Prerequisites

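Review bot: this task page's only changes are the sentence above and the link definition below, so a reader still has no example of a SecurityPolicy attached to a TCPRoute. Consider adding a short TCPRoute example to the task body (a `targetRefs` entry with `kind: TCPRoute` plus the same allow/deny rules the HTTPRoute example uses) and a note that the authorization is by connection source IP, since that is the capability this PR introduces.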
Expand Down Expand Up @@ -194,3 +194,4 @@ Checkout the [Developer Guide](../../../contributions/develop) to get involved i
[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute
[TCPRoute]: https://gateway-api.sigs.k8s.io/guides/tcp/
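Review bot: the new `[TCPRoute]` reference points at the TCP guide (`/guides/tcp/`) while the three existing references point at API type pages under `/api-types/`; if an equivalent API type page for TCPRoute exists upstream, link that for consistency, otherwise the guide link is acceptable but worth a trailing-slash check against the other entries.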