Kuadrant v1
Update: Kuadrant v1.0.1 is now available, with some small bugfixes.
Kuadrant v1!
We're thrilled to announce the release of Kuadrant v1.0.0! This marks a major milestone in the Kuadrant project after its recent acceptance into CNCF's sandbox.
What is Kuadrant?
Kuadrant is a set of Kubernetes-native controllers, services, and APIs that provide gateway policies for existing Gateway API providers in both single and multi-cluster environments. It builds on top of Kubernetes Gateway API and technologies such as Istio and Envoy to introduce provider-agnostic Gateway Policies for Kubernetes.
Why v1 Matters
Reaching v1 signifies our project's stability, maturity, and production-readiness. With v1, we believe Kuadrant is now ready to power key workloads in Kubernetes environments.
What's new in v1?
Here are some key highlights from this release:
CRD Graduation to v1
AuthPolicy, DNSPolicy, RateLimitPolicy, and TLSPolicy have now graduated to v1 in their CRDs, signalling their readiness for production use. We now consider these APIs stable, and commit to enabling migration paths in subsequent API upgrades.
See the following documentation for API reference and usage examples:
CEL Support
CEL (Common Expression Language) introduces a powerful and flexible way to define conditions and predicates in AuthPolicy and RateLimitPolicy. With CEL, you can evaluate custom boolean logic, extract and manipulate request data, and conditionally apply policies in expressive, dynamic ways. CEL's rich syntax includes string operations (e.g., split, indexOf), type-safe expressions, and robust support for combining logical operators.
Example: Dynamic Authorization Rules in an AuthPolicy
With CEL, you can configure AuthPolicy conditions to enforce access control based on dynamic request attributes. The following example demonstrates a Gateway deny-all policy with a CEL-based exception for requests to the /health path:
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: my-gateway-auth
namespace: gateways
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: my-gateway
defaults:
when:
- predicate: "request.path != '/health'"
rules:
authorization:
deny-all:
opa:
rego: "allow = false"
response:
unauthorized:
headers:
"content-type":
value: application/json
body:
value: |
{
"error": "Forbidden",
"message": "Access denied by default by the gateway operator. If you are the administrator of the service, create a specific auth policy for the route."
}
For much more detailed examples, see this document.
Example: User-Specific Rate Limiting in RateLimitPolicy
CEL can also simplify rate-limiting rules. Here's an example limiting general users to 1 request every 3 seconds while giving a specific user, "bob" a higher limit of 2 requests per 3 seconds:
apiVersion: kuadrant.io/v1
kind: RateLimitPolicy
metadata:
name: toystore
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: toystore
limits:
"general-user":
rates:
- limit: 1
window: 3s
counters:
- expression: auth.identity.userid
when:
- predicate: "auth.identity.userid != 'bob'"
"bob-limit":
rates:
- limit: 2
window: 3s
when:
- predicate: "auth.identity.userid == 'bob'"
Helm Installation Support
Kuadrant now offers a way to install the Kuadrant Operator via Helm charts. The Helm charts are available and indexed on ArtifactHub.io.
To get started with Helm, add the Kuadrant Helm repository and install the operator:
helm repo add kuadrant https://kuadrant.io/helm-charts/ --force-update
helm install kuadrant kuadrant/kuadrant-operator --namespace kuadrant-system --create-namespace
helm status -n kuadrant-system kuadrant
For more details, explore our Helm charts repository.
On-cluster Gateway DNS Health Checks
DNSPolicy now supports DNS health checks for Gateway resources. This allows you to define HTTP-based health checks for targetted Gateway listeners with specific (i.e. non-wildcard) hostnames. These health checks evaluate the health of configured endpoints, ensuring that unhealthy enpoints are unpublished or excluded from DNS records.
An example:
Suppose you have a Gateway called external with a listener for example.com and want to ensure only healthy endpoints are published. You can define a DNSPolicy with the following configuration:
apiVersion: kuadrant.io/v1
kind: DNSPolicy
metadata:
name: gateway-dns
spec:
healthCheck:
failureThreshold: 3
interval: 5m
path: /health
...
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: external
This policy sets up a health check that probes the /health endpoint on example.com every 5 minutes. If 3 consecutive checks fail, the DNSRecord for example.com will be marked unhealthy. Depending on the policy's configuration, the IP will either be excluded from DNS records (say, if it's part of a multi-value A record) or unpublished altogether. This ensures that only healthy endpoints are routed through DNS.
To read more about DNSPolicy and health checks, see our DNS health checks documentation
Policy Machinery Integration
Our core components now implement policy-machinery, providing a powerful way to calculate and visualise the "state of the world" for policy-attachment based policies on Kubernetes clusters. No more guessing where policies and their behaviours originate from. Policy machinery and visualisation through the console plugin make it easier than ever to reason about policy effects, behaviours and origins.
Shift to the Sail Operator
With v1, we recommend installing Istio using the new Istio Sail Operator instead of istioctl. Our guides and documentation for getting started have been amended to incorporate this change.
Envoy Gateway support
We've recently added support for Envoy Gateway as a Gateway API implementation, complementing the Istio support we’ve provided so far. Until now, Kuadrant relied exclusively on Istio as a Gateway API provider, leveraging its robust extension mechanisms, such as Wasm Plugins. However, recent advancements in Envoy Gateway, including the introduction of EnvoyPatchPolicy and Wasm Extensions, enable us to achieve similar functionality with Envoy Gateway.
Our installation guides for Kubernetes now include optional steps to choose between Istio or Envoy Gateway as your preferred Gateway API provider.
Wasm-based Auth
Although primarily an "under the hood" enhancement, this change is significant and worth highlighting.
Previously, Authorino, which implements AuthPolicy, relied on Istio's AuthorizationPolicy to provide authorization in the request flow. Starting with v1, this mechanism has been replaced with an EnvoyFilter and Wasm Extensions, aligning its implementation with how RateLimitPolicy operates.
RateLimitPolicy has long utilised a Wasm-shim as an intercept point to apply rate-limiting logic in Envoy. By adopting a similar Wasm-shim-based approach, AuthPolicy now gains improved flexibility and extensibility. This update also simplifies our architecture by standardising the mechanisms used across our core policies, ensuring both consistency and better alignment.
SectionName Support
Added support for SectionName throughout our policy set, allowing users to apply policies to specific sections of Gateways.
New Console Plugin
For OpenShift / OKD console users, a new Console Plugin is available for managing policies and visualising policy-machinery "state of the world". We plan to make some of this functionality available through other means for Kubernetes users in the near future.
Other, smaller changes
In addition to the above, many more smaller fixes and enhancements are captured by our release changelogs). Take a look at our associated component release notes too for smaller changes not covered in detail here.
Components in this release
The individual components that make up this v1.0.0 release of the Kuadrant Operator:
| Component | Version |
|---|---|
| Authorino Operator | v0.16.0 |
| Limitador Operator | v0.12.1 |
| DNS Operator | v0.12.0 |
| Wasm Shim | v0.8.1 |
| Console Plugin | v0.0.14 |
Thank you and how to get involved
We are always looking for ways to extend the community and encourage contributions. We thank all of our community contributors for helping make v1 happen!
To find out more and get involved:
- Check out the documentation
- Explore the Kuadrant repositories
- Engage with the community