Envoy Gateway 1.4 Release Highlights

Learn how key new features in the Envoy Gateway 1.4 release make it easier for you to handle your API and application traffic. This release enhances security, traffic management, and operational capabilities.

The Envoy Gateway 1.4 release enhances security, traffic management, and operational capabilities.

Contact us to learn more about how you can use these features to simplify your ingress traffic handling. Book time with us for a chat about your use case; we look forward to helping you get the most out of Envoy Gateway.

What Has Really Changed from 1.3 to 1.4?

This release’s key updates include significant improvements in security features, enhanced traffic management capabilities, and better operational controls. A detailed list of changes includes:

  • 34 new features spanning security, traffic management, and operations
  • 19 bug fixes improving stability and reliability

This article summarizes some notable new features in Envoy Gateway v1.4. For the full list of changes, see the Envoy Gateway 1.4 release notes.

Feature Highlights

Security: Enhanced Authentication and Access Management

  • Finer-grained Authorization rules in SecurityPolicy: Support for HTTP method and header-based authorization via the SecurityPolicy resource.
  • Upstream Credentials Injection: Support for injecting credentials from Kubernetes Secrets into request headers via HTTPRouteFilter.
  • Local JWKS Source: Support for local JWKS sources (inline or via ConfigMap) to validate JWT tokens.

Traffic Management: Advanced Routing and Control

  • Enhanced Rate Limiting:
    • Shared Global RateLimit buckets: Allows platform teams to add a common limit on a Gateway that applies to all traffic on all routes attached to it. This helps prevent resource exhaustion and ensures fair usage across all services.
    • Distinct Match support for Local Ratelimiting: Enables creating per user / client buckets with minimal config, making it easier to implement fine-grained rate limiting policies for different user segments or API clients.
  • Zone Aware Routing: Route requests to the closest upstream backend endpoint, reducing latency and cost. Especially useful for large scale Kubernetes deployments.
  • New circuit breaker support for per-endpoint thresholds: Lets you set thresholds per endpoint, safeguarding individual upstream endpoints.
  • Percentage-based request mirroring: Can be used when you want to mirror a fraction of total application traffic to a separate backend.
  • Support for Lua-based EnvoyExtensionPolicy: Easily add your own Lua scripts to Envoy for custom logic.
  • Dynamic upstream target selection: Support for HTTP dynamic forward proxy when the upstream target isn’t known ahead of time.

Operations: Improved Infrastructure Management

  • High Availability: Enhanced control over pod termination with maxUnavailable in PodDisruptionBudget, ensuring zero-downtime during maintenance and updates by allowing proper request draining and connection cleanup.
  • Selective CRD Installation: Added support for CRD installation via the gateway-crds-helm chart, allowing you to selectively install the Envoy Gateway CRDs and/or the Gateway API CRDs from the standard or experimental channel.
  • Helm chart improvements:
    • Added support for HorizontalPodAutoscaler (HPA) to automatically scale Envoy Gateway based on resource usage
    • Introduced global configuration options for image registry and pull secrets, simplifying operations when using a private registry
    • Enhanced traffic distribution control through new Helm configuration options

Observability: Better Monitoring and Control

  • Tracing Improvements: Per-route tracing configuration in BackendTrafficPolicy.
  • RequestID Header: Added RequestID header configuration via ClientTrafficPolicy.
  • Backend API Support for Telemetry Backends: Connect to telemetry providers over Unix Domain Sockets, enabling more direct and efficient communication with observability tools.

Summary

Envoy Gateway 1.4 empowers teams with robust security features, advanced traffic management capabilities, and streamlined operations. These updates provide enhanced security mechanisms, improved routing capabilities, and better operational controls for production environments.

Get in touch with us to learn more about how you can leverage these features to simplify your ingress traffic handling. Book time to talk to us about your use case; we look forward to helping you get the most out of Envoy Gateway.
