Skip to content

Commit

Permalink
Kuadrant v1 blog post
Browse files Browse the repository at this point in the history
Signed-off-by: Jason Madigan <[email protected]>
  • Loading branch information
jasonmadigan committed Dec 12, 2024
1 parent 64364be commit a62b87d
Showing 1 changed file with 122 additions and 0 deletions.
122 changes: 122 additions & 0 deletions src/blog/kuadrant-v1.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
---
title: Kuadrant v1
date: 2024-11-28
author: Jason Madigan
---

**Update:** Kuadrant [v1.0.1](https://github.com/Kuadrant/kuadrant-operator/releases/tag/v1.0.1) is now available, with some small bugfixes.

## Kuadrant v1!

We're thrilled to announce the release of Kuadrant [v1.0.0](https://github.com/Kuadrant/kuadrant-operator/releases/tag/v1.0.0)! This marks a major milestone in the Kuadrant project after its recent acceptance into [CNCF's sandbox](https://www.cncf.io/sandbox-projects/).

### What is Kuadrant?

Kuadrant is a set of Kubernetes-native controllers, services, and APIs that provide gateway policies for existing [Gateway API](https://gateway-api.sigs.k8s.io/) providers in both single and multi-cluster environments. It builds on top of Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and technologies such as Istio and Envoy to introduce provider-agnostic Gateway Policies for Kubernetes.

### Why v1 Matters

Reaching v1 signifies our project's stability, maturity, and production-readiness. With v1, we believe Kuadrant is now ready to power key workloads in Kubernetes environments.

### What's new in v1?

Here are some key highlights from this release:

#### CRD Graduation to v1

`AuthPolicy`, `DNSPolicy`, `RateLimitPolicy`, and `TLSPolicy` have now graduated to `v1` in their CRDs, signalling their readiness for production use. We now consider these APIs stable, and commit to enabling migration paths in subsequent API upgrades.

See the following documentation for API reference and usage examples:

- `AuthPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/auth/)
- `DNSPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/dns/)
- `RateLimitPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/rate-limiting/)
- `TLSPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/tls/)


#### CEL Support
[CEL](https://cel.dev/) (Common Expression Language) is now supported for [`AuthPolicy`](https://github.com/Kuadrant/authorino/blob/main/docs/features.md#common-feature-common-expression-language-cel) and [`RateLimitPolicy`](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/reference/ratelimitpolicy/#predicate) predicates, enabling more flexible and expressive configuration for both policy types.

#### On-cluster Gateway DNS Health Checks

`DNSPolicy` now supports DNS health checks for `Gateway` resources. This allows you to define HTTP-based health checks for targetted `Gateway` listeners with specific (i.e. non-wildcard) hostnames. These health checks evaluate the health of configured endpoints, ensuring that unhealthy enpoints are unpublished or excluded from DNS records.

An example:

Suppose you have a `Gateway` called `external` with a listener for `example.com` and want to ensure only healthy endpoints are published. You can define a `DNSPolicy` with the following configuration:

```yaml
apiVersion: kuadrant.io/v1
kind: DNSPolicy
metadata:
name: gateway-dns
spec:
healthCheck:
failureThreshold: 3
interval: 5m
path: /health
...
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: external
```
This policy sets up a health check that probes the `/health` endpoint on `example.com` every 5 minutes. If `3` consecutive checks fail, the `DNSRecord` for `example.com` will be marked unhealthy. Depending on the policy's configuration, the IP will either be excluded from DNS records (say, if it's part of a multi-value A record) or unpublished altogether. This ensures that only healthy endpoints are routed through DNS.


To read more about `DNSPolicy` and health checks, see our [DNS health checks documentation](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/user-guides/dns/dnshealthchecks/)

#### Policy Machinery Integration

Our core components now implement [policy-machinery](https://github.com/Kuadrant/policy-machinery), providing a powerful way to calculate and visualise the "state of the world" for policy-attachment based policies on Kubernetes clusters. No more guessing where policies and their behaviours originate from. Policy machinery and visualisation through the console plugin make it easier than ever to reason about policy effects, behaviours and origins.

#### Shift to the Sail Operator

With v1, we recommend installing Istio using the new Istio [Sail Operator](https://istio.io/latest/blog/2024/introducing-sail-operator/) instead of `istioctl`. Our guides and documentation for getting started have been amended to incorporate this change.


#### Envoy Gateway support

TBD

#### WASM-based Auth

TBD https://github.com/Kuadrant/wasm-shim/pull/92.

Previously, [Authorino](https://github.com/Kuadrant/authorino) (which implements `AuthPolicy`), used an Istio [AuthorizationPolicy](https://istio.io/latest/docs/reference/config/security/authorization-policy/) as a mechanism to provide authorization in the request flow. As of v1, this mechanism has been replaced with an [EnvoyFilter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/) and [WASM](https://github.com/Kuadrant/wasm-shim).

#### SectionName Support

Added support for [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.SectionName) throughout our policy set, allowing users to apply policies to specific sections of Gateways.

#### New Console Plugin

For [OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift) / [OKD](https://okd.io/) console users, a new Console Plugin is available for managing policies and visualising [policy-machinery](https://github.com/Kuadrant/policy-machinery) "state of the world". We plan to make some of this functionality available through other means for Kubernetes users in the near future.


#### Other, smaller changes

In addition to the above, many more smaller fixes and enhancements are captured by our [release changelogs](https://github.com/Kuadrant/kuadrant-operator/releases/tag/v1.0.0)). Take a look at our associated component release notes too for smaller changes not covered in detail here.

### Components in this release

The individual components that make up this release of the Kuadrant Operator:

| **Component** | **Version** |
|---------------------|---------------------------------------------------------------------------------------------------|
| Authorino Operator | [v0.16.0](https://github.com/Kuadrant/authorino-operator/releases/tag/v0.16.0) |
| Limitador Operator | [v0.12.1](https://github.com/Kuadrant/limitador-operator/releases/tag/v0.12.1) |
| DNS Operator | [v0.12.0](https://github.com/Kuadrant/dns-operator/releases/tag/v0.12.0) |
| WASM Shim | [v0.8.1](https://github.com/Kuadrant/wasm-shim/releases/tag/v0.8.1) |
| Console Plugin | [v0.0.14](https://github.com/Kuadrant/console-plugin/releases/tag/v0.0.14) |

### Thank you and how to get involved

We are always looking for ways to extend the community and encourage contributions. We thank all of our community contributors for helping make v1 happen!

To find out more and get involved:

- Check out the [documentation](https://docs.kuadrant.io)
- Explore the Kuadrant [repositories](https://github.com/kuadrant/)
- Engage with the [community](https://kuadrant.io/community/)

0 comments on commit a62b87d

Please sign in to comment.