Custom policy attachment status reporting doc

Open muwaqar opened this issue 8 months ago • 3 comments

Description: Envoy Gateway supports custom policy attachments via the Extension server (see example here). But it is not clear how the status for the policy attachment should be updated.

The ask of this issue is to have a companion doc to the EG extensions design which details, for a vendor authoring custom policies, how to leverage the EG extension server to do status reporting for their custom policies.

Looking through GEP-713, the status reporting on policy attachments seems like it can get very complicated, with multiple options floated.

Perhaps we can start with the "Standard status struct" scenario (reference), which is what BackendTLSPolicy follows.


muwaqar avatar Jun 18 '25 17:06 muwaqar

@muwaqar can you share some specific examples of external resources, and what sort of status enrichment you are ideally looking to achieve? This will help decide the content and location/order of the callout and edit.

arkodg avatar Jun 18 '25 18:06 arkodg

I am not looking for anything specific. Just a general mechanism/guideline for vendors on how to update a policy resource with status with the EG extension server, similar to how BackendTLSPolicy works. This is just generally helpful to check if the policy was accepted by the system and the relevant changes applied to the Envoy xDS.

```yaml
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
...
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: my-backend
  ...
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: mygateway
      namespace: myns
      sectionName: https
    conditions:
    - lastTransitionTime: "2025-06-18T23:13:20Z"
      message: Policy has been accepted.
      reason: Accepted
      status: "True"
      type: Accepted
    controllerName: example.com/mycontroller
```

muwaqar avatar Jun 19 '25 00:06 muwaqar

Sounds like you are looking for a Programmed condition, which indicates successful translation and push to the DP.

arkodg avatar Jun 19 '25 01:06 arkodg

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Jul 19 '25 04:07 github-actions[bot]

This is also needed for custom backendRef.

Xunzhuo avatar Jul 19 '25 05:07 Xunzhuo

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Aug 18 '25 08:08 github-actions[bot]