Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v1 blog post #70

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion src/_includes/layout.njk
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,6 @@ title: Kuadrant.io
</div>
</footer><!-- End Footer -->

<div id="preloader"></div>
<a href="#" class="back-to-top d-flex align-items-center justify-content-center"><i class="bi bi-arrow-up-short"></i></a>

<!-- Vendor JS Files -->
Expand All @@ -141,6 +140,11 @@ title: Kuadrant.io
<script src="/static/vendor/waypoints/noframework.waypoints.js"></script>
<script src="/static/vendor/php-email-form/validate.js"></script>

<link href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/themes/prism.min.css" rel="stylesheet">
<script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/prism.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-yaml.min.js"></script>


<!-- Template Main JS File -->
<script src="/static/js/main.js"></script>

Expand Down
199 changes: 199 additions & 0 deletions src/blog/kuadrant-v1.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,199 @@
---
title: Kuadrant v1
date: 2024-11-28
author: Jason Madigan
---

**Update:** Kuadrant [v1.0.1](https://github.com/Kuadrant/kuadrant-operator/releases/tag/v1.0.1) is now available, with some small bugfixes.

## Kuadrant v1!

We're thrilled to announce the release of Kuadrant [v1.0.0](https://github.com/Kuadrant/kuadrant-operator/releases/tag/v1.0.0)! This marks a major milestone in the Kuadrant project after its recent acceptance into [CNCF's sandbox](https://www.cncf.io/sandbox-projects/).

### What is Kuadrant?

Kuadrant is a set of Kubernetes-native controllers, services, and APIs that provide gateway policies for existing [Gateway API](https://gateway-api.sigs.k8s.io/) providers in both single and multi-cluster environments. It builds on top of Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and technologies such as Istio and Envoy to introduce provider-agnostic Gateway Policies for Kubernetes.

### Why v1 Matters

Reaching v1 signifies our project's stability, maturity, and production-readiness. With v1, we believe Kuadrant is now ready to power key workloads in Kubernetes environments.

### What's new in v1?

Here are some key highlights from this release:

#### CRD Graduation to v1

`AuthPolicy`, `DNSPolicy`, `RateLimitPolicy`, and `TLSPolicy` have now graduated to `v1` in their CRDs, signalling their readiness for production use. We now consider these APIs stable, and commit to enabling migration paths in subsequent API upgrades.

See the following documentation for API reference and usage examples:

- `AuthPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/auth/)
- `DNSPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/dns/)
- `RateLimitPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/rate-limiting/)
- `TLSPolicy`: [Overview](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/overviews/tls/)


#### CEL Support
[CEL](https://cel.dev/) (Common Expression Language) introduces a powerful and flexible way to define conditions and predicates in [`AuthPolicy`](https://github.com/Kuadrant/authorino/blob/main/docs/features.md#common-feature-common-expression-language-cel) and [`RateLimitPolicy`](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/reference/ratelimitpolicy/#predicate). With CEL, you can evaluate custom boolean logic, extract and manipulate request data, and conditionally apply policies in expressive, dynamic ways. CEL's rich syntax includes string operations (e.g., `split`, `indexOf`), type-safe expressions, and robust support for combining logical operators.

**Example: Dynamic Authorization Rules in an `AuthPolicy`**

With CEL, you can configure AuthPolicy conditions to enforce access control based on dynamic request attributes. The following example demonstrates a Gateway deny-all policy with a CEL-based exception for requests to the `/health` path:

```yaml
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: my-gateway-auth
namespace: gateways
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: my-gateway
defaults:
when:
- predicate: "request.path != '/health'"
rules:
authorization:
deny-all:
opa:
rego: "allow = false"
response:
unauthorized:
headers:
"content-type":
value: application/json
body:
value: |
{
"error": "Forbidden",
"message": "Access denied by default by the gateway operator. If you are the administrator of the service, create a specific auth policy for the route."
}
```

For much more detailed examples, see this [document](https://github.com/Kuadrant/authorino/blob/main/docs/features.md#common-feature-conditions-when).

**Example: User-Specific Rate Limiting in RateLimitPolicy**

CEL can also simplify rate-limiting rules. Here's an example limiting general users to 1 request every 3 seconds while giving a specific user, "bob" a higher limit of 2 requests per 3 seconds:

```yaml
apiVersion: kuadrant.io/v1
kind: RateLimitPolicy
metadata:
name: toystore
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: toystore
limits:
"general-user":
rates:
- limit: 1
window: 3s
counters:
- expression: auth.identity.userid
when:
- predicate: "auth.identity.userid != 'bob'"
"bob-limit":
rates:
- limit: 2
window: 3s
when:
- predicate: "auth.identity.userid == 'bob'"
```




#### On-cluster Gateway DNS Health Checks

`DNSPolicy` now supports DNS health checks for `Gateway` resources. This allows you to define HTTP-based health checks for targetted `Gateway` listeners with specific (i.e. non-wildcard) hostnames. These health checks evaluate the health of configured endpoints, ensuring that unhealthy enpoints are unpublished or excluded from DNS records.

An example:

Suppose you have a `Gateway` called `external` with a listener for `example.com` and want to ensure only healthy endpoints are published. You can define a `DNSPolicy` with the following configuration:

```yaml
apiVersion: kuadrant.io/v1
kind: DNSPolicy
metadata:
name: gateway-dns
spec:
healthCheck:
failureThreshold: 3
interval: 5m
path: /health
...
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: external
```

This policy sets up a health check that probes the `/health` endpoint on `example.com` every 5 minutes. If `3` consecutive checks fail, the `DNSRecord` for `example.com` will be marked unhealthy. Depending on the policy's configuration, the IP will either be excluded from DNS records (say, if it's part of a multi-value A record) or unpublished altogether. This ensures that only healthy endpoints are routed through DNS.


To read more about `DNSPolicy` and health checks, see our [DNS health checks documentation](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/user-guides/dns/dnshealthchecks/)

#### Policy Machinery Integration

Our core components now implement [policy-machinery](https://github.com/Kuadrant/policy-machinery), providing a powerful way to calculate and visualise the "state of the world" for policy-attachment based policies on Kubernetes clusters. No more guessing where policies and their behaviours originate from. Policy machinery and visualisation through the console plugin make it easier than ever to reason about policy effects, behaviours and origins.

#### Shift to the Sail Operator

With v1, we recommend installing Istio using the new Istio [Sail Operator](https://istio.io/latest/blog/2024/introducing-sail-operator/) instead of `istioctl`. Our guides and documentation for getting started have been amended to incorporate this change.


#### Envoy Gateway support

We've recently added [support](https://github.com/Kuadrant/kuadrant-operator/issues/325) for [Envoy Gateway](https://gateway.envoyproxy.io/) as a Gateway API implementation, complementing the Istio support we’ve provided so far. Until now, Kuadrant relied exclusively on Istio as a Gateway API provider, leveraging its robust extension mechanisms, such as [Wasm Plugins](https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/). However, recent advancements in Envoy Gateway, including the introduction of [`EnvoyPatchPolicy`](https://gateway.envoyproxy.io/contributions/design/envoy-patch-policy/) and [Wasm Extensions](https://gateway.envoyproxy.io/v1.1/tasks/extensibility/wasm/), enable us to achieve similar functionality with Envoy Gateway.

Our [installation guides](https://docs.kuadrant.io/1.0.x/kuadrant-operator/doc/install/install-kubernetes/#optional-install-envoy-gateway-as-a-gateway-api-provider) for Kubernetes now include optional steps to choose between Istio or Envoy Gateway as your preferred Gateway API provider.


#### Wasm-based Auth

Although primarily an "under the hood" enhancement, this change is significant and worth highlighting.

Previously, [Authorino](https://github.com/Kuadrant/authorino), which implements `AuthPolicy`, relied on Istio's [AuthorizationPolicy](https://istio.io/latest/docs/reference/config/security/authorization-policy/) to provide authorization in the request flow. Starting with v1, this mechanism has been replaced with an [EnvoyFilter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/) and [Wasm Extensions](https://github.com/Kuadrant/wasm-shim), aligning its implementation with how `RateLimitPolicy` operates.

`RateLimitPolicy` has long utilised a Wasm-shim as an intercept point to apply rate-limiting logic in Envoy. By adopting a similar Wasm-shim-based approach, `AuthPolicy` now gains improved flexibility and extensibility. This update also simplifies our architecture by standardising the mechanisms used across our core policies, ensuring both consistency and better alignment.

#### SectionName Support

Added support for [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.SectionName) throughout our policy set, allowing users to apply policies to specific sections of Gateways.

#### New Console Plugin

For [OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift) / [OKD](https://okd.io/) console users, a new Console Plugin is available for managing policies and visualising [policy-machinery](https://github.com/Kuadrant/policy-machinery) "state of the world". We plan to make some of this functionality available through other means for Kubernetes users in the near future.


#### Other, smaller changes

In addition to the above, many more smaller fixes and enhancements are captured by our [release changelogs](https://github.com/Kuadrant/kuadrant-operator/releases/tag/v1.0.0)). Take a look at our associated component release notes too for smaller changes not covered in detail here.

jasonmadigan marked this conversation as resolved.
Show resolved Hide resolved
### Components in this release

The individual components that make up this v1.0.0 release of the Kuadrant Operator:

| **Component** | **Version** |
|---------------------|---------------------------------------------------------------------------------------------------|
| Authorino Operator | [v0.16.0](https://github.com/Kuadrant/authorino-operator/releases/tag/v0.16.0) |
| Limitador Operator | [v0.12.1](https://github.com/Kuadrant/limitador-operator/releases/tag/v0.12.1) |
| DNS Operator | [v0.12.0](https://github.com/Kuadrant/dns-operator/releases/tag/v0.12.0) |
| Wasm Shim | [v0.8.1](https://github.com/Kuadrant/wasm-shim/releases/tag/v0.8.1) |
| Console Plugin | [v0.0.14](https://github.com/Kuadrant/console-plugin/releases/tag/v0.0.14) |

### Thank you and how to get involved

We are always looking for ways to extend the community and encourage contributions. We thank all of our community contributors for helping make v1 happen!

To find out more and get involved:

- Check out the [documentation](https://docs.kuadrant.io)
- Explore the Kuadrant [repositories](https://github.com/kuadrant/)
- Engage with the [community](https://kuadrant.io/community/)
80 changes: 40 additions & 40 deletions static/css/style.css
Original file line number Diff line number Diff line change
Expand Up @@ -31,45 +31,7 @@ h3,
h4,
h5,
h6 {
font-family: "Jost", sans-serif;
}

/*--------------------------------------------------------------
# Preloader
--------------------------------------------------------------*/
#preloader {
position: fixed;
top: 0;
left: 0;
right: 0;
bottom: 0;
z-index: 9999;
overflow: hidden;
background: #37517e;
}

#preloader:before {
content: "";
position: fixed;
top: calc(50% - 30px);
left: calc(50% - 30px);
border: 6px solid #37517e;
border-top-color: #fff;
border-bottom-color: #fff;
border-radius: 50%;
width: 60px;
height: 60px;
animation: animate-preloader 1s linear infinite;
}

@keyframes animate-preloader {
0% {
transform: rotate(0deg);
}

100% {
transform: rotate(360deg);
}
font-family: "Open Sans", sans-serif;
}

/*--------------------------------------------------------------
Expand Down Expand Up @@ -1952,4 +1914,42 @@ h1, h2, h3, h4, h5 {

.footer-contact img {
max-width: 20em;
}
}

h1 {
font-size: 2rem;
color: #37517e;
font-weight: 700;
margin-bottom: 1rem;
}

h2 {
font-size: 1.75rem;
color: #2a4866;
font-weight: 600;
margin-bottom: 0.9rem;
}

h3 {
font-size: 1.5rem;
color: #37517e;
font-weight: 500;
letter-spacing: 0.02rem;
margin-bottom: 0.8rem;
}

h4 {
font-size: 1.25rem;
color: #2a4866;
font-weight: 500;
margin-bottom: 0.7rem;
}

h5 {
font-size: 1rem;
color: #537198;
font-weight: 400;
text-transform: capitalize;
letter-spacing: 0.05rem;
margin-bottom: 0.6rem;
}
10 changes: 0 additions & 10 deletions static/js/main.js
Original file line number Diff line number Diff line change
Expand Up @@ -155,16 +155,6 @@
}
});

/**
* Preloader
*/
let preloader = select('#preloader');
if (preloader) {
window.addEventListener('load', () => {
preloader.remove()
});
}

/**
* Initiate glightbox
*/
Expand Down