docs: adding conceptual pages for high priority concepts #7323
Signed-off-by: EkLine <ekline-ai@ekline.io>
Signed-off-by: EkLine AI <ekline-ai@ekline.io>
Signed-off-by: EkLine AI <ekline-ai@ekline.io>
Signed-off-by: EkLine AI <ekline-ai@ekline.io>
| API security is implemented through Kubernetes-native policies and Envoy Gateway API extensions. The core mechanism is the `SecurityPolicy` Custom Resource Definition (CRD), which defines how authentication, authorization, and encryption are applied to incoming traffic. Policies attach to Gateway API resources (such as Gateways, HTTPRoutes, or GRPCRoutes) using `targetRefs` or `targetSelectors`. The most specific policy applies when multiple policies target the same resource. | ||
|
|
||
| Envoy Gateway supports API key, JWT, mTLS, Basic Auth, and OIDC authentication; authorization via external services or JWT claims; access control with IP allow/deny lists; CORS configuration; and rate limiting. This model enables secure, declarative access control at the edge, aligning with Kubernetes best practices. | ||
|
|
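Review bot: The first paragraph says `SecurityPolicy` defines how "authentication, authorization, and encryption" are applied, but the second paragraph's list of what Envoy Gateway supports (API key, JWT, mTLS, Basic Auth, OIDC, external or claim-based authorization, IP allow/deny, CORS, rate limiting) names no encryption setting, so the two paragraphs disagree about the CRD's scope; either drop "encryption" from the first sentence or state which resource configures it. "The most specific policy applies" would also be clearer if it said what specificity means here, for example that a policy attached to a route takes precedence over one attached to the Gateway.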
can we add a link to SecurityPolicy concepts as well https://gateway.envoyproxy.io/docs/concepts/gateway_api_extensions/security-policy/
| - Integrate with an external OPA or custom AuthZ service. | ||
|
|
||
| ## Implementation | ||
| `AuthorizationPolicy` resources are implemented using Envoy RBAC and `ext_authz` filters, evaluated per request. |
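Review bot: The Implementation line names an `AuthorizationPolicy` resource, while the API Security page in this same PR states that `SecurityPolicy` is the CRD through which authentication and authorization are applied; the two pages contradict each other. Rename this to `SecurityPolicy` and, since the bullet above mentions OPA or a custom AuthZ service, say that this is the `ext_authz` path of that policy rather than a separate resource.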
AuthorizationPolicy doesn't exist in the project; SecurityPolicy is defined, which implements ext_authz
| @@ -0,0 +1,57 @@ | |||
| --- | |||
| title: "API Security" | |||
is it possible to create a tiered layout for api-security and authn and authnz rather than this flat hierarchy that we have rn?
cc @missBerg
| ## Overview | ||
| Traffic in Envoy Gateway represents the flow of network requests between clients and services. It defines how requests are received, processed, routed, and returned. Envoy Gateway uses the xDS API and Kubernetes Gateway resources (`HTTPRoute`, `Gateway`) to manage and direct traffic dynamically. | ||
|
|
||
| ## Key Concepts |
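Review bot: The Overview sentence "Envoy Gateway uses the xDS API and Kubernetes Gateway resources (`HTTPRoute`, `Gateway`) to manage and direct traffic" puts the user-facing input and the control-plane output on the same footing, which will confuse readers of a concepts page. Separate the two: Gateway API resources such as `Gateway` and `HTTPRoute` are what users write, and xDS is the protocol Envoy Gateway uses to push the resulting configuration to Envoy Proxy; link the xDS mention to the Envoy Proxy documentation rather than leaving it undefined.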
when referring to envoy proxy resources, can we use Envoy Proxy, and also link out to proxy docs?
https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol#resource-types
| ## Overview | ||
| Session management maintains continuity across multiple client requests. While Envoy is stateless by default, Envoy Gateway supports session persistence for sticky connections. | ||
|
|
||
| ## Key Concepts |
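Review bot: "session persistence for sticky connections" in the Overview mixes two different things: session persistence is about routing requests from the same client to the same backend endpoint across separate requests and connections, not about keeping one connection open. Reword to say what is kept stable (the client-to-endpoint mapping) and what identifies the client, and since the Overview contrasts this with Envoy being stateless, add a sentence on where that state lives so the reader is not left assuming the proxy stores it.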
can we link out to tasks for each of these - session persistence, load balancing with consistent hash
and explain the concepts of strong and weak affinity
| --- | ||
|
|
||
| ## Overview | ||
| Envoy Gateway can be extended to support custom logic and integrations through filters, external processors, and WebAssembly modules. |
can we copy some of https://gateway.envoyproxy.io/docs/tasks/extensibility/ to this page? Thinking out loud, is the concepts page needed now that we have more data in the tasks page?
| | Metrics | Quantitative data from Envoy Gateway and Envoy Proxy. Supports Prometheus (pull) and OpenTelemetry (push) sinks. Includes counters, gauges, histograms, and labels for component/resource identification. | | ||
| | Logs | Structured logs from the Envoy Gateway control plane, managed by an internal zap-based library and written to `/dev/stdout`. Logging levels can be configured per component. | | ||
| | Traces | Distributed tracing using OpenTelemetry, Zipkin, or Datadog tracers. Configurable via the EnvoyProxy CRD with support for sampling rate and custom tags. | | ||
| | Components | Core telemetry sources: Resource Provider, xDS Translator, Infra Manager, xDS Server, Status Updater. Each emits labeled metrics to support monitoring and troubleshooting. | |
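Review bot: The table is inconsistent about which component each signal covers: the Metrics row says "from Envoy Gateway and Envoy Proxy", while the Logs row describes only control-plane logs written to `/dev/stdout` and says nothing about Envoy Proxy access logs, which is what most readers of an observability page will be looking for. Either add access logs to the Logs row or add a separate row for them, and state the scope (control plane, data plane, or both) in each row. The Components row also needs a name that matches what the project calls these (the review thread asks for "runners"), and the list of five should say whether it is complete.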
let's call these runners
What type of PR is this?
docs: documenting concepts
What this PR does / why we need it:
Adds documentation for the high priority concepts
Which issue(s) this PR fixes:
Fixes #5694
Release Notes: No