Rework Gateway API, HTTPRoute, and GRPCRoute docs #1909
+270
−129
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: William Morgan <[email protected]>
Signed-off-by: William Morgan <[email protected]>
Signed-off-by: William Morgan <[email protected]>
kflynn
reviewed
Jan 13, 2025
Comment on lines
+170
to
+181
| ## Enabling authorization policies in live systems | ||
|
|
||
| You may have noticed that there was a period of time after we created the | ||
| `Server` resource but before we created the `ServerAuthorization` where all | ||
| requests were being rejected. To avoid this situation in live systems, we | ||
| recommend that you enable [audit mode](../../features/server-policy/#audit-mode) | ||
| in the `Server` resource (via `accessPolicy:audit`) and check the proxy | ||
| logs/metrics in the target services to see if traffic would get inadvertently | ||
| denied. Afterwards, when you're sure about your policy rules, you can fully | ||
| enable them by resetting `accessPolicy` back to `deny`. | ||
| recommend that you start with [audit | ||
| mode](../../features/server-policy/#audit-mode) enabled on the `Server` | ||
| resource. In this mode, traffic that violates the policy will not actually be | ||
| denied, and you will be able to check the proxy logs/metrics on the target | ||
| services for a complete picture of what would happen when audit mode is | ||
| disabled. Once you're sure about your policy rules, you can fully enable them by | ||
| removing audit mode to enforce the policies. |
There was a problem hiding this comment.
One request: @wmorgan, can you pull this change out of this PR? It has nothing to do with Gateway API, and may not be complete anyway...
There was a problem hiding this comment.
This was another change I was planning on making so I'd rather leave it in unless you object to the content? At the risk of a messier PR scope.
travisbeckham
requested changes
Jan 13, 2025
Signed-off-by: William Morgan <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here's my attempt at reflecting the modern world of Linkerd. (Note: these are all in the 2.17/ subfolder; once we're good on content we should also just copy these over to 2-edge.)
Summary:
policy.linkerd.iotypes, and instead note that they are supported but deprecatedPlease review for technical accuracy as well as completeness. Note that the goal is to provide a practical guide to using the GW API types with Linkerd, not a comprehensive treatment of the GW API. Feedback welcome