While the Kubernetes Gateway API allows you to do simple routing, such as to match, redirect, or rewrite requests, you might want additional capabilities in your API gateway, such as fault injection, data loss prevention, or header control. Policies allow you to apply intelligent traffic management, resiliency, and security standards to individual routes or all the routes that the gateway serves.

Policy CRDs

Gloo Gateway uses the following custom resources to attach policies to routes and gateway listeners:

  • ListenerOption: Attach policies to one, multiple, or all gateway listeners.
  • HTTPListenerOption: Apply policies to one, multiple, or all HTTP and HTTPS listeners.
  • RouteOption: Attach policies to one, multiple, or all routes in an HTTPRoute resource.
  • VirtualHostOption: Attach policies to the hosts on one, multiple, or all gateway listeners.

Supported policies

Review the policies that you can configure in Gloo Gateway and the level at which you can apply them.

Traffic management policies

PolicyApplied viaPrecedence and merging rulesEnterprise license required?
Connection buffer limitsListenerOptionNo cross-resource conflict. Policies can conflict only if applied in multiple ListenerOption resources. For more information, see Conflicting policies.No
Direct responseDirectResponseSupported in version 1.18 and later. No cross-resource conflict. If multiple DirectResponse resources are applied to the same route, only the one that is referenced first is enforced.No
External processing
  • RouteOption
  • VirtualHostOption
  • HttpListenerOption
RouteOption configuration takes precedence over VirtualHostOption configuration, which takes precedence over HttpListenerOption configuration. Policies that are defined at different levels are not merged.Yes
Fault injectionRouteOptionNo cross-resource conflict. Policies can conflict only if applied in multiple RouteOption resources. For more information, see Conflicting policies.No
Gateway health checksHttpListenerOptionNo cross-resource conflict. Policies can conflict only if applied in multiple HttpListenerOption resources. For more information, see Conflicting policies.Yes
Header control
  • RouteOption
  • VirtualHostOption
Headers that are defined at the route and virtual host-level are merged as long as they do not conflict. If the same header is defined in both a RouteOption and VirtualHostOption resource, the RouteOption configuration takes precedence and the VirtualHostOption configuration is ignored.No
Proxy protocolListenerOptionNo cross-resource conflict. Policies can conflict only if applied in multiple ListenerOption resources. For more information, see Conflicting policies.No
RewritesRouteOptionNo cross-resource conflict. Policies can conflict only if applied in multiple RouteOption resources. For more information, see Conflicting policies.No
Transformations
  • RouteOption
  • VirtualHostOption
RouteOption configuration takes precedence over VirtualHostOption configuration. Policies that are defined at different levels are not merged.No

Resiliency policies

PolicyApplied toPrecedence and merging rulesEnterprise license required?
CachingHttpListenerOptionNo cross-resource conflict. Policies can conflict only if applied in multiple HttpListenerOption resources. For more information, see Conflicting policies.Yes
Fault injectionRouteOptionNo cross-resource conflict. Policies can conflict only if applied in multiple RouteOption resources. For more information, see Conflicting policies.No
Retries
  • RouteOption
  • VirtualHostOption
RouteOption configuration takes precedence over VirtualHostOption configuration. Policies that are defined at different levels are not merged.No
ShadowingRouteOptionNo cross-resource conflict. Policies can conflict only if applied in multiple RouteOption resources. For more information, see Conflicting policies.No
TappingHttpListenerOptionNo cross-resource conflict. Policies can conflict only if applied in multiple HttpListenerOption resources. For more information, see Conflicting policies.Yes
TimeoutsRouteOptionNo cross-resource conflict. Policies can conflict only if applied in multiple RouteOption resources. For more information, see Conflicting policies.No

Security policies

PolicyApplied toPrecedence and merging rulesEnterprise license required?
Access loggingListenerOptionNo cross-resource conflict. Policies can conflict only if applied in multiple ListenerOption resources. For more information, see Conflicting policies.No
CORS
  • RouteOption
  • VirtualHostOption
By default, the configuration of the RouteOption takes precedence over the VirtualHostOption. However, you can change this behavior for the exposeHeaders CORS option by using the corsPolicyMergeSettings field in the VirtualHostOption. Currently, only exposeHeaders is configurable. You cannot merge other CORS options such as allowHeaders or allowOrigin. For more information about this option, see the CORS configuration options.No
CSRF
  • RouteOption
  • VirtualHostOption
  • HttpListenerOption
RouteOption configuration takes precedence over VirtualHostOption configuration, which takes precedence over HttpListenerOption configuration. Policies that are defined at different levels are not merged.No
Data loss prevention
  • RouteOption
  • VirtualHostOption
  • HttpListenerOption
RouteOption configuration takes precedence over VirtualHostOption configuration, which takes precedence over HttpListenerOption configuration. Policies that are defined at different levels are not merged.Yes
External authentication and authorization
  • RouteOption
  • VirtualHostOption
  • HttpListenerOption
RouteOption configuration takes precedence over VirtualHostOption configuration, which takes precedence over HttpListenerOption configuration. Policies that are defined at different levels are not merged.Yes
Local rate limitingHttpListenerOptionNo cross-resource conflict. Policies can conflict only if applied in multiple HttpListenerOption resources. For more information, see Conflicting policies.No
Global rate limiting
  • RouteOption
  • VirtualHostOption
RouteOption configuration takes precedence over VirtualHostOption configuration. Policies that are defined at different levels are not merged.Yes
JWT
  • RouteOption
  • VirtualHostOption
RouteOption configuration takes precedence over VirtualHostOption configuration. Policies that are defined at different levels are not merged.Yes
Web Application Firewall (WAF)
  • RouteOption
  • VirtualHostOption
  • HttpListenerOption
RouteOption configuration takes precedence over VirtualHostOption configuration, which takes precedence over HttpListenerOption configuration. Policies that are defined at different levels are not merged.Yes

Policy inheritance rules when using route delegation

Policies that are defined in a RouteOption resource and that are applied to a parent HTTPRoute resource are inherited by all the child or grandchild HTTPRoutes along the route delegation chain. The following rules apply:

  • Only policies that are specified in a RouteOption resource can be inherited by a child HTTPRoute. For inheritance to take effect, you must use the spec.targetRefs field in the RouteOption resource to apply the RouteOption resource to the parent HTTPRoute resource. Any child or grandchild HTTPRoute that the parent delegates traffic to inherits these policies.
  • You can add the delegation.gateway.solo.io/enable-policy-overrides annotation to a parent HTTPRoute to allow its immediate child HTTPRoutes to override the top-level policies that are defined on the parent. You have the option to allow overriding policies of all types (delegation.gateway.solo.io/enable-policy-overrides: "*") or to limit the type of policies that a child can override (delegation.gateway.solo.io/enable-policy-overrides: "faults,headerManipulation,cors").
  • In a multi-level delegation chain with parent, child, and grandchild HTTPRoutes, the parent and the child HTTPRoutes must both set the delegation.gateway.solo.io/enable-policy-overrides annotation for the grandchild to be able to override the top-level policies that were defined on the parent.
  • If no delegation.gateway.solo.io/enable-policy-overrides annotation is set on the parent and the child HTTPRoute sets a policy that is already defined on the parent HTTPRoute, the setting on the parent HTTPRoute takes precedence and the setting on the child is ignored. For example, if the parent HTTPRoute defines a data loss prevention policy, the child HTTPRoute cannot change these settings or disable that policy.
  • If no delegation.gateway.solo.io/enable-policy-overrides annotation is set on the parent HTTPRoute, child HTTPRoutes can augment the inherited settings by defining RouteOption fields that were not already set on the parent HTTPRoute.

For an example, see the Policy inheritance guide.