| Access | ✅ | Control access for workloads in your service mesh. |
| Active healthcheck | Coming soon | Use the ingress gateway to periodically check the health of an upstream service in your cluster. |
| Client TLS policy | Coming soon | Enable TLS origination for your ingress gateway so that you can encrypt requests before they are forwarded to HTTPS services in your cluster. |
| Connection pool settings for HTTP | Coming soon | Use a connection policy to configure connection pool settings for an HTTP destination. |
| Connection pool settings for TCP | Coming soon | Set up connection pool settings for a TCP destination, such as TCP keepalive. |
| CORS | ✅ | Enforce client-side access controls with cross-origin resource sharing (CORS). |
| CSRF | (✅) | Only with Gloo Gateway license: Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Data loss prevention | (✅) | Only with Gloo Gateway license: Ensure that sensitive data isn't logged or leaked with Data Loss Prevention (DLP). |
| External auth | (✅) | Only with Gloo Gateway license: Set up external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Failover | ✅ | Use a failover policy to determine where to reroute traffic in case of failure. |
| Fault injection | ✅ | Test the resilience of your apps by injecting delays and connection failures. |
| Header manipulation | ✅ | Append or remove HTTP request and response headers at the route level. |
| HTTP buffer filter | (✅) | Only with Gloo Gateway license: Set the maximum request body size that you want to accept for a particular workload in your cluster. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| JWT | (✅) | Only with Gloo Gateway license: Control access or route traffic based on verified claims in a JSON web token (JWT). Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Listener connection | Coming soon | Configure connection settings between downstream services and a gateway listener. |
| Load balancer and consistent hash | Coming soon | Specify how you want Istio to select an upstream service to serve an incoming client request. |
| Mirroring | ✅ | Duplicate outgoing traffic to test a new app. |
| Outlier detection | ✅ | Configure Gloo to remove unhealthy destinations from the connection pool, and add the destinations back when they become healthy again. |
| Proxy protocol | Coming soon | Preserve connection information such as the client IP address for traffic that goes through your gateway listener. |
| Rate limiting | (✅) | Only with Gloo Gateway license: Control the rate of requests to destinations within the service mesh. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Retry and timeout | ✅ | Reduce transient failures and hanging systems by setting retries and timeouts. |
| Transformation | ✅ | Alter a request before matching and routing, such as with an Inja header template. |
| Trim proxy config | ✅ | Trim the number of destinations in the Istio sidecar proxy configuration for your workloads to avoid memory pressure issues. |
| WAF | (✅) | Only with Gloo Gateway license: Filter, monitor, and block potentially harmful HTTP traffic with a Web Application Firewall (WAF) policy. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Wasm | Coming soon | Add a Wasm filter to the Envoy sidecar proxy, for use cases such as customizing the endpoints and thresholds for your workloads. |