Source File:


A MatchableTcpGateway describes a single FilterChain configured with the TcpProxy network filter and a matcher.

A Gateway CR may select one or more MatchableTcpGateways on a single listener. This enables separate teams to own Listener configuration (Gateway CR) and FilterChain configuration (MatchableTcpGateway CR).


Field Type Description
namespacedStatuses NamespacedStatuses indicates the validation status of this resource. NamespacedStatuses is read-only by clients, and set by gateway during validation.
metadata Metadata contains the object metadata for this resource.
matcher Matcher creates a FilterChainMatch and TransportSocket for a FilterChain For each MatchableTcpGateway on a Gateway CR, the matcher must be unique. If there are any identical matchers, the Gateway will be rejected. An empty matcher will produce an empty FilterChainMatch ( effectively matching all incoming connections.
tcpGateway TcpGateway creates a FilterChain with a TcpProxy.


"sourcePrefixRanges": []
"passthroughCipherSuites": []string

Field Type Description
sourcePrefixRanges [] CidrRange specifies an IP Address and a prefix length to construct the subnet mask for a CIDR range. See
sslConfig Ssl configuration applied to the FilterChain, if using passthrough should not include secrets : - FilterChainMatch: - TransportSocket:
passthroughCipherSuites []string Enterprise-only: Passthrough cipher suites is an allow-list of OpenSSL cipher suite names for which TLS passthrough will be enabled. If a client does not support any ciphers that are natively supported by Envoy, but does support one of the ciphers in the passthrough list, then traffic will be routed via TCP Proxy to a destination specified by the TcpGateway, where TLS can then be terminated.