Policy overview
Learn more about the custom resources that you can use to apply policies in Gloo Gateway.
While the Kubernetes Gateway API allows you to do simple routing, such as to match, redirect, or rewrite requests, you might want additional capabilities in your API gateway, such as fault injection, data loss prevention, or header control. Policies allow you to apply intelligent traffic management, resiliency, and security standards to individual routes or all the routes that the gateway serves.
Gloo Gateway uses the following custom resources to attach policies to routes and gateway listeners:
- ListenerOption: Attach policies to one, multiple, or all gateway listeners.
- HTTPListenerOption: Apply policies to one, multiple, or all HTTP and HTTPS listeners.
- RouteOption: Attach policies to one, multiple, or all routes in an HTTPRoute resource.
- VirtualHostOption: Attach policies to the hosts on one, multiple, or all gateway listeners.
Policy inheritance rules when using route delegation
Policies that are defined in a RouteOption resource and that are applied to a parent HTTPRoute resource are automatically inherited by all the child or grandchild HTTPRoutes along the route delegation chain. The following rules apply:
- Only policies that are specified in a RouteOption resource can be inherited by a child HTTPRoute. For inheritance to take effect, you must use the
spec.targetRefsfield in the RouteOption resource to apply the RouteOption resource to the parent HTTPRoute resource. Any child or grandchild HTTPRoute that the parent delegates traffic to inherits these policies. - Child RouteOption resources cannot override policies that are defined in a RouteOption resource that is applied to a parent HTTPRoute. If the child HTTPRoute sets a policy that is already defined on the parent HTTPRoute, the setting on the parent HTTPRoute takes precedence and the setting on the child is ignored. For example, if the parent HTTPRoute defines a data loss prevention policy, the child HTTPRoute cannot change these settings or disable that policy.
- Child HTTPRoutes can augment the inherited settings by defining RouteOption fields that were not already set on the parent HTTPRoute.
- Policies are inherited along the complete delegation chain, with parent policies having a higher priority than their respective children.
For an example, see the Policy inheritance guide.
Supported policies
Use the following table to find the policies that you can configure with each policy custom resource.
| Policy | RouteOption | VirtualHostOption | ListenerOption | HttpListenerOption |
|---|---|---|---|---|
| Access logging | ❌ | ❌ | ✅ | ❌ |
| Caching | ❌ | ❌ | ❌ | ✅ |
| Connection buffer limits | ✅ | ❌ | ✅ | ❌ |
| CORS | ✅ | ✅ | ❌ | ✅ |
| CSRF | ✅ | ✅ | ❌ | ✅ |
| Data loss prevention | ✅ | ✅ | ❌ | ✅ |
| External authentication and authorization | ✅ | ✅ | ❌ | ✅ |
| External processing | ✅ | ✅ | ❌ | ✅ |
| Fault injection | ✅ | ❌ | ❌ | ❌ |
| Local rate limiting | ❌ | ❌ | ❌ | ✅ |
| Global rate limiting | ✅ | ✅ | ❌ | ✅ |
| Header control | ✅ | ✅ | ❌ | ❌ |
| HTTPConnectionManager settings | ❌ | ❌ | ❌ | ✅ |
| JWT | ✅ | ✅ | ❌ | ❌ |
| Retries | ✅ | ✅ | ❌ | ❌ |
| Rewrites | ✅ | ❌ | ❌ | ❌ |
| Shadowing | ✅ | ❌ | ❌ | ❌ |
| Tapping | ❌ | ❌ | ❌ | ✅ |
| Timeouts | ✅ | ❌ | ❌ | ❌ |
| Transformations | ✅ | ✅ | ❌ | ❌ |
| Web Application Firewall (WAF) | ✅ | ✅ | ❌ | ✅ |