API resource reference for SecurityPolicy, an Envoy Gateway extension resource. To create or change one, see Changing resources; to inspect, see Reading resources.
This resource is part of the v1alpha1 API (an Envoy Gateway extension) and is subject to change. Fields and behavior may change in future releases.

Identity

| Group | Version | Kind | Scope |
| --- | --- | --- | --- |
| gateway.envoyproxy.io | v1alpha1 | SecurityPolicy | Project |

Overview

A SecurityPolicy applies security controls to a Gateway or to a route served by it. It is an Envoy Gateway extension to the Gateway API standard and is attached to a target resource through a policy reference rather than being embedded in the Gateway itself. Use it when you want to enforce authentication, authorization, or browser access rules on traffic entering your Project: for example, requiring JWT or OIDC login, checking API keys or HTTP Basic credentials, delegating to an external authorization service, or configuring Cross-Origin Resource Sharing (CORS). A single policy attaches to one or more Gateways (or specific listeners/routes) and must live in the same Project as the resources it targets.

Spec fields

Each of the security features below is optional; set the ones you want to enforce. targetRefs selects what the policy applies to.
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| spec.targetRefs[] | Object | No | The Gateway resources this policy attaches to. Attach by direct reference. |
| spec.targetRefs[].group | string | Yes | Group of the target resource. |
| spec.targetRefs[].kind | string | Yes | Kind of the target resource. |
| spec.targetRefs[].name | string | Yes | Name of the target resource. |
| spec.targetRefs[].sectionName | string | No | A section within the target: a Gateway listener name, an HTTPRoute rule name, or a Service port name. When unset, targets the whole resource. |
| spec.targetSelectors[] | Object | No | Attach to resources by label instead of by name (kind required; group, matchLabels, matchExpressions optional). |
| spec.targetRef | Object | No | Deprecated single-target reference. Use targetRefs/targetSelectors instead. |
| spec.jwt | Object | No | JSON Web Token authentication. Requires providers; set optional to allow missing (but not invalid) tokens. |
| spec.oidc | Object | No | OpenID Connect authentication. Requires a client secret; supply clientID (or clientIDRef) and optional cookie settings. |
| spec.apiKeyAuth | Object | No | API key authentication. |
| spec.basicAuth | Object | No | HTTP Basic authentication. |
| spec.extAuth | Object | No | Delegate authorization to an external service. |
| spec.authorization | Object | No | Ordered allow/deny rules; defaultAction (Allow or Deny) applies when no rule matches (defaults to Deny). |
| spec.cors | Object | No | Cross-Origin Resource Sharing settings (allowOrigins, allowMethods, allowHeaders, exposeHeaders, allowCredentials, maxAge). |

Status fields (read-only)

| Field | Type | Description |
| --- | --- | --- |
| status.ancestors[] | Object | The ancestor resources (usually Gateways) this policy is associated with, and the policy's status against each. Up to 16 entries; an empty list means the policy applies to nothing. |

Usage

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: require-cors
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: my-gateway
  cors:
    allowOrigins:
      - "https://app.example.com"
    allowMethods:
      - GET
      - POST
    allowHeaders:
      - "*"
    allowCredentials: true
    maxAge: 1h
```

```shell
datumctl apply -f securitypolicy.yaml --project my-project
datumctl get securitypolicies --project my-project
datumctl describe securitypolicy require-cors --project my-project
```
Run datumctl explain securitypolicies --recursive to see the full, live field tree for this resource.
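The linter below is an added example (not code from Datum or Envoy Gateway): given a SecurityPolicy manifest decoded into a Python dict (for example with json.load or yaml.safe_load), it flags settings from the tables above that weaken the policy, such as a wildcard CORS origin combined with allowCredentials, an Allow default in authorization, or jwt.optional with no authorization rules. The two manifests embedded in it are constructed for illustration; the first mirrors the require-cors example above.

```python
from typing import Any


def lint_security_policy(manifest: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one decoded SecurityPolicy manifest."""
    findings: list[tuple[str, str]] = []
    spec = manifest.get("spec") or {}

    # Attachment: a policy with no targets has no ancestors and guards nothing.
    if spec.get("targetRef"):
        findings.append(("warn", "spec.targetRef is deprecated; use targetRefs or targetSelectors"))
    if not (spec.get("targetRefs") or spec.get("targetSelectors") or spec.get("targetRef")):
        findings.append(("high", "policy has no targets and therefore applies to nothing"))

    # CORS: wildcard origin plus credentials lets any site make credentialed cross-origin calls.
    cors = spec.get("cors") or {}
    if "*" in (cors.get("allowOrigins") or []) and cors.get("allowCredentials"):
        findings.append(("high", "cors allows credentials for the wildcard origin '*'"))

    # Authorization: an Allow default admits every request that no rule matches.
    authz = spec.get("authorization")
    if authz and authz.get("defaultAction") == "Allow":
        findings.append(("warn", "authorization.defaultAction is Allow; unmatched requests are admitted"))

    # JWT optional without authorization rules: a tokenless request is forwarded like a valid one.
    jwt = spec.get("jwt")
    if jwt and jwt.get("optional") and not authz:
        findings.append(("warn", "jwt.optional is true but no authorization rules gate unauthenticated requests"))

    # No authentication or authorization at all: the policy only configures browser access (CORS).
    auth_keys = ("jwt", "oidc", "apiKeyAuth", "basicAuth", "extAuth", "authorization")
    if not any(spec.get(k) for k in auth_keys):
        findings.append(("info", "policy enforces no authentication or authorization (CORS only)"))
    return findings


# Constructed manifests: the page's require-cors example and a deliberately weak variant.
PAGE_EXAMPLE = {
    "apiVersion": "gateway.envoyproxy.io/v1alpha1", "kind": "SecurityPolicy",
    "metadata": {"name": "require-cors"},
    "spec": {"targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "Gateway", "name": "my-gateway"}],
             "cors": {"allowOrigins": ["https://app.example.com"], "allowMethods": ["GET", "POST"],
                      "allowHeaders": ["*"], "allowCredentials": True, "maxAge": "1h"}},
}
WEAK_EXAMPLE = {
    "apiVersion": "gateway.envoyproxy.io/v1alpha1", "kind": "SecurityPolicy",
    "metadata": {"name": "too-open"},
    "spec": {"targetRef": {"group": "gateway.networking.k8s.io", "kind": "Gateway", "name": "my-gateway"},
             "cors": {"allowOrigins": ["*"], "allowCredentials": True},
             "jwt": {"optional": True, "providers": [{"name": "idp"}]}},
}
```

Run it over the JSON form of each SecurityPolicy in a Project before applying; anything at "high" severity should be fixed before the policy is attached to a live Gateway.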
Last modified on July 2, 2026