diff --git a/site/content/en/contributions/design/config-api.md b/site/content/en/contributions/design/config-api.md index 1c6f3057848..89b7b0d838a 100644 --- a/site/content/en/contributions/design/config-api.md +++ b/site/content/en/contributions/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` diff --git a/site/content/en/docs/tasks/security/threat-model.md b/site/content/en/docs/tasks/security/threat-model.md index c1bba3f9726..f5083875107 100644 --- a/site/content/en/docs/tasks/security/threat-model.md +++ b/site/content/en/docs/tasks/security/threat-model.md 
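Review bot: the replacement URL drops the API version from the path, so this design doc now points at whatever Gateway API release the unversioned `/reference/spec/` page currently serves, while the field comment it sits in was written against v1alpha2 (the removed link). Since the anchor is pinned to `v1.GatewayClass`, consider saying so in the comment text as well (for example "See the Gateway API v1 GatewayClass spec for additional details") so that the prose and the link agree on which API revision the `ControllerName` default is described against.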
@@ -396,7 +396,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack. - **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing. + **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing. Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream 
timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action). @@ -603,7 +603,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | -|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. | |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. | |EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. | diff --git a/site/content/en/latest/tasks/security/threat-model.md b/site/content/en/latest/tasks/security/threat-model.md index cd5927e8d98..a16319f9d72 100644 --- a/site/content/en/latest/tasks/security/threat-model.md +++ b/site/content/en/latest/tasks/security/threat-model.md @@ -603,7 +603,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | -|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. | |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. | |EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. | diff --git a/site/content/en/news/releases/v0.2.md b/site/content/en/news/releases/v0.2.md index e6eec10a3f6..10cd1216ed8 100644 --- a/site/content/en/news/releases/v0.2.md +++ b/site/content/en/news/releases/v0.2.md @@ -41,6 +41,6 @@ release and future direction of the project. [docs]: https://gateway.envoyproxy.io/index.html [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.2.0 [conformance tests]: https://gateway-api.sigs.k8s.io/concepts/conformance/?h=conformance -[quickstart guide]: ../v0.2/user/quickstart +[quickstart guide]: ../../v0.2/user/quickstart [EnvoyCon NA]: https://events.linuxfoundation.org/envoycon-north-america/program/schedule/ [our talk]: https://sched.co/1AO5S diff --git a/site/content/en/news/releases/v0.3.md b/site/content/en/news/releases/v0.3.md index e693c4f4716..90f164025a8 100644 --- a/site/content/en/news/releases/v0.3.md +++ b/site/content/en/news/releases/v0.3.md @@ -42,5 +42,5 @@ The release adds a ton of features and functionality. Here are some highlights: [Release Notes]: ./notes/v0.3.0 [matrix]: ./matrix -[docs]: https://gateway.envoyproxy.io/v0.3.0/index.html +[docs]: /v0.3 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.3.0 diff --git a/site/content/en/news/releases/v0.4.md b/site/content/en/news/releases/v0.4.md index bcbe9eb3fa5..1df25b4b405 100644 --- a/site/content/en/news/releases/v0.4.md +++ b/site/content/en/news/releases/v0.4.md 
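Review bot: the docs/tasks copy of threat-model.md receives both the `@@ -396` hunk (the prose "Recommendation" paragraph) and the `@@ -603` hunk (the EGTM-018 table row), but the latest/tasks copy receives only `@@ -603`. If latest/tasks/security/threat-model.md carries the same Recommendation paragraph with the `https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/` link, it needs the matching `../traffic/global-rate-limit` replacement, otherwise the two copies diverge on exactly the link this patch is fixing.

Review bot: the rewritten EGTM-018 row in both files carries two defects over from the removed line that are worth fixing while the row is being touched: "Denial of Service (DoS)nattacks" (stray "n", should read "(DoS) attacks") and the backslash before the apostrophe in "attacker\'s", which, if it is literally in the file, renders as a backslash in Markdown. The same `\'` sequence appears in the unchanged context rows (tenant\'s, Kubernetes\', don\'t), so a follow-up pass over the whole table is warranted rather than fixing only this row.

Review bot: in the v0.2.md hunk, `../../v0.2/user/quickstart` is resolved by the browser against the rendered page URL. If that post is published at a directory-style URL such as /news/releases/v0.2/ (the usual Hugo layout), two levels up is /news/, which yields /news/v0.2/user/quickstart rather than /v0.2/user/quickstart. The v0.3.md hunk in this same patch switches its [docs] target to a root-relative `/v0.3`; using the same form here (`/v0.2/user/quickstart`) removes the dependence on the page's URL depth.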
@@ -53,5 +53,5 @@ The release adds a ton of features and functionality. Here are some highlights: [Release Notes]: ./notes/v0.4.0 [matrix]: ./matrix -[docs]: https://gateway.envoyproxy.io/v0.4.0/index.html +[docs]: /v0.4 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.4.0 diff --git a/site/content/en/news/releases/v0.5.md b/site/content/en/news/releases/v0.5.md index bd93e5dd8db..860b040985b 100644 --- a/site/content/en/news/releases/v0.5.md +++ b/site/content/en/news/releases/v0.5.md @@ -53,5 +53,5 @@ The release adds a ton of features and functionality. Here are some highlights: [Release Notes]: ./notes/v0.5.0 [matrix]: ./matrix -[docs]: https://gateway.envoyproxy.io/v0.5.0/index.html +[docs]: /v0.5 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.5.0 diff --git a/site/content/en/news/releases/v0.6.md b/site/content/en/news/releases/v0.6.md index 37ebbae81c5..bfb6c57d405 100644 --- a/site/content/en/news/releases/v0.6.md +++ b/site/content/en/news/releases/v0.6.md @@ -78,5 +78,5 @@ The release adds a ton of features and functionality. Here are some highlights: [Release Notes]: ./notes/v0.6.0 [matrix]: ./matrix -[docs]: https://gateway.envoyproxy.io/v0.6.0/index.html +[docs]: https://gateway.envoyproxy.io/v0.6 [Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.6.0 diff --git a/site/content/en/v0.2/contributions/CONTRIBUTING.md b/site/content/en/v0.2/contributions/CONTRIBUTING.md index f94b2c940e9..b37898e948e 100644 --- a/site/content/en/v0.2/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.2/contributions/CONTRIBUTING.md 
@@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. @@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.2/contributions/DEVELOP.md b/site/content/en/v0.2/contributions/DEVELOP.md index 6f82c4a411f..13c61295f02 100644 --- a/site/content/en/v0.2/contributions/DEVELOP.md +++ b/site/content/en/v0.2/contributions/DEVELOP.md 
@@ -139,7 +139,7 @@ There are many other endpoints on the [Envoy admin interface][] that may be help ### JWT Testing -An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the [request authentication][] +An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the request authentication user guide. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs verify signature was copied to [JWK Creator][] for generating the JWK. The JWK Creator was configured with matching settings, i.e. `Signing` public key use and the `RS256` algorithm. The generated JWK was wrapped in a JWKS structure @@ -158,6 +158,5 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.2/contributions/RELEASING.md b/site/content/en/v0.2/contributions/RELEASING.md index eb566306141..bad13a6830c 100644 --- a/site/content/en/v0.2/contributions/RELEASING.md +++ b/site/content/en/v0.2/contributions/RELEASING.md @@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.2/design/config-api.md b/site/content/en/v0.2/design/config-api.md index 466b84d8f35..0ed5253007d 100644 
--- a/site/content/en/v0.2/design/config-api.md +++ b/site/content/en/v0.2/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` @@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here [issue_51]: https://github.com/envoyproxy/gateway/issues/51 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md [gw_api]: https://gateway-api.sigs.k8s.io/ -[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/site/content/en/v0.2/design/system-design.md b/site/content/en/v0.2/design/system-design.md index 72c0a98ecda..a414843a955 100644 --- a/site/content/en/v0.2/design/system-design.md +++ b/site/content/en/v0.2/design/system-design.md 
@@ -159,16 +159,16 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ -[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference +[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference [svc]: https://kubernetes.io/docs/concepts/services-networking/service/ -[ wcd ]: ./watching.md +[ wcd ]: ./watching [Issue #37]: https://github.com/envoyproxy/gateway/issues/37 -[roadmap]: roadmap.md +[roadmap]: ../contributions/roadmap 
diff --git a/site/content/en/v0.2/user/quickstart.md b/site/content/en/v0.2/user/quickstart.md index 291480b1747..08d77a1d8ea 100644 --- a/site/content/en/v0.2/user/quickstart.md +++ b/site/content/en/v0.2/user/quickstart.md @@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. ## Installation diff --git a/site/content/en/v0.3/api/config_types.md b/site/content/en/v0.3/api/config_types.md index 4ff5b3f6f18..76999b6d181 100644 --- a/site/content/en/v0.3/api/config_types.md +++ b/site/content/en/v0.3/api/config_types.md @@ -104,7 +104,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | ## KubernetesDeploymentSpec diff --git a/site/content/en/v0.3/contributions/CONTRIBUTING.md b/site/content/en/v0.3/contributions/CONTRIBUTING.md index f94b2c940e9..b37898e948e 100644 --- a/site/content/en/v0.3/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.3/contributions/CONTRIBUTING.md 
@@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. @@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.3/contributions/DEVELOP.md b/site/content/en/v0.3/contributions/DEVELOP.md index 6f82c4a411f..67500b42915 100644 --- a/site/content/en/v0.3/contributions/DEVELOP.md +++ b/site/content/en/v0.3/contributions/DEVELOP.md 
@@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[request authentication]: ../user/authn [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.3/contributions/RELEASING.md b/site/content/en/v0.3/contributions/RELEASING.md index eb566306141..bad13a6830c 100644 --- a/site/content/en/v0.3/contributions/RELEASING.md +++ b/site/content/en/v0.3/contributions/RELEASING.md @@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.3/design/config-api.md b/site/content/en/v0.3/design/config-api.md index 466b84d8f35..0ed5253007d 100644 --- a/site/content/en/v0.3/design/config-api.md +++ b/site/content/en/v0.3/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` 
@@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here [issue_51]: https://github.com/envoyproxy/gateway/issues/51 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md [gw_api]: https://gateway-api.sigs.k8s.io/ -[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/site/content/en/v0.3/design/gatewayapi-support.md b/site/content/en/v0.3/design/gatewayapi-support.md index 67eaf05bb4a..d9daaf04198 100644 --- a/site/content/en/v0.3/design/gatewayapi-support.md +++ b/site/content/en/v0.3/design/gatewayapi-support.md @@ -96,7 +96,7 @@ these types of cross-namespace references. Envoy Gateway supports the following namespace. - Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. -[system design]: https://gateway.envoyproxy.io/latest/design/system-design.html +[system design]: ../design/system-design [Gateway API]: https://gateway-api.sigs.k8s.io/ [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parameters reference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference 
@@ -113,9 +113,9 @@ these types of cross-namespace references. Envoy Gateway supports the following [TLSRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [ReferenceGrant]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant [SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference -[rate limiting]: https://gateway.envoyproxy.io/latest/user/rate-limit.html -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html -[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy +[rate limiting]: ../user/rate-limit +[request authentication]: ../user/authn +[EnvoyProxy]: ../api/config_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter diff --git a/site/content/en/v0.3/design/system-design.md b/site/content/en/v0.3/design/system-design.md index 72c0a98ecda..a683e5307bc 100644 --- a/site/content/en/v0.3/design/system-design.md +++ b/site/content/en/v0.3/design/system-design.md 
@@ -159,16 +159,16 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ -[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference +[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference [svc]: https://kubernetes.io/docs/concepts/services-networking/service/ [ wcd ]: ./watching.md [Issue #37]: https://github.com/envoyproxy/gateway/issues/37 -[roadmap]: roadmap.md +[roadmap]: ../contributions/roadmap 
diff --git a/site/content/en/v0.3/user/authn.md b/site/content/en/v0.3/user/authn.md index 312e4103b9b..a4887d57438 100644 --- a/site/content/en/v0.3/user/authn.md +++ b/site/content/en/v0.3/user/authn.md @@ -92,5 +92,5 @@ kubectl delete authenticationfilter/jwt-example Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [jwt]: https://tools.ietf.org/html/rfc7519 -[AuthenticationFilter]: https://gateway.envoyproxy.io/v0.3.0/api/extension_types.html#authenticationfilter +[AuthenticationFilter]: ../api/extension_types#authenticationfilter [jwks]: https://tools.ietf.org/html/rfc7517 diff --git a/site/content/en/v0.3/user/quickstart.md b/site/content/en/v0.3/user/quickstart.md index 4875a1ff987..c98ef97e20b 100644 --- a/site/content/en/v0.3/user/quickstart.md +++ b/site/content/en/v0.3/user/quickstart.md @@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. ## Installation diff --git a/site/content/en/v0.3/user/rate-limit.md b/site/content/en/v0.3/user/rate-limit.md index 08eae102547..bf0675e546e 100644 --- a/site/content/en/v0.3/user/rate-limit.md +++ b/site/content/en/v0.3/user/rate-limit.md 
@@ -484,8 +484,8 @@ transfer-encoding: chunked [Global rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting -[RateLimitFilter]: https://gateway.envoyproxy.io/v0.3.0/api/extension_types.html#ratelimitfilter +[RateLimitFilter]: ../api/config_types#ratelimitfilter [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit -[EnvoyGateway]: https://gateway.envoyproxy.io/v0.3.0/api/config_types.html#envoygateway +[EnvoyGateway]: ../api/config_types#envoygateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter diff --git a/site/content/en/v0.3/user/udp-routing.md b/site/content/en/v0.3/user/udp-routing.md index 4652db42120..1425c553092 100644 --- a/site/content/en/v0.3/user/udp-routing.md +++ b/site/content/en/v0.3/user/udp-routing.md @@ -153,4 +153,4 @@ kubectl delete udproute/coredns Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute -[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.3.0/configuration/listeners/udp_filters/udp_proxy +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/content/en/v0.4/api/config_types.md b/site/content/en/v0.4/api/config_types.md index 91f6b5fd532..fd702f4ca4b 100644 --- a/site/content/en/v0.4/api/config_types.md +++ b/site/content/en/v0.4/api/config_types.md 
@@ -227,7 +227,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | ## GroupVersionKind diff --git a/site/content/en/v0.4/contributions/CONTRIBUTING.md b/site/content/en/v0.4/contributions/CONTRIBUTING.md index f94b2c940e9..b37898e948e 100644 --- a/site/content/en/v0.4/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.4/contributions/CONTRIBUTING.md @@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. 
@@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.4/contributions/DEVELOP.md b/site/content/en/v0.4/contributions/DEVELOP.md index 6f82c4a411f..67500b42915 100644 --- a/site/content/en/v0.4/contributions/DEVELOP.md +++ b/site/content/en/v0.4/contributions/DEVELOP.md @@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[request authentication]: ../user/authn [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.4/contributions/RELEASING.md b/site/content/en/v0.4/contributions/RELEASING.md index eb566306141..bad13a6830c 100644 --- a/site/content/en/v0.4/contributions/RELEASING.md +++ b/site/content/en/v0.4/contributions/RELEASING.md 
@@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.4/design/bootstrap.md b/site/content/en/v0.4/design/bootstrap.md index 9a8f0c789ef..08c71f978d1 100644 --- a/site/content/en/v0.4/design/bootstrap.md +++ b/site/content/en/v0.4/design/bootstrap.md @@ -376,6 +376,6 @@ spec: ``` [Issue 31]: https://github.com/envoyproxy/gateway/issues/31 -[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parametersRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference diff --git a/site/content/en/v0.4/design/config-api.md b/site/content/en/v0.4/design/config-api.md index ca5380151a8..3762bfb93e9 100644 --- a/site/content/en/v0.4/design/config-api.md +++ b/site/content/en/v0.4/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` 
@@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here [issue_51]: https://github.com/envoyproxy/gateway/issues/51 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md [gw_api]: https://gateway-api.sigs.k8s.io/ -[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/site/content/en/v0.4/design/extending-envoy-gateway.md b/site/content/en/v0.4/design/extending-envoy-gateway.md index df19dcc09d5..bc9d2960706 100644 --- a/site/content/en/v0.4/design/extending-envoy-gateway.md +++ b/site/content/en/v0.4/design/extending-envoy-gateway.md 
@@ -314,11 +314,11 @@ Extending Envoy Gateway by using an external extension server which makes use of [Envoy]: https://www.envoyproxy.io/ [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration [v1beta1]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1 -[rate limiting]: https://gateway.envoyproxy.io/v0.3.0/user/rate-limit.html -[authentication]: https://gateway.envoyproxy.io/v0.3.0/user/authn.html +[rate limiting]: ../user/rate-limit +[authentication]: ../user/authn [HTTPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute [GRPCRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute -[EnvoyGateway config]: https://gateway.envoyproxy.io/v0.3.0/api/config_types.html#envoygateway +[EnvoyGateway config]: ../api/config_types#envoygateway [controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime [Unstructured]: https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured [Listener]: https://www.envoyproxy.io/docs/envoy/v1.23.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener diff --git a/site/content/en/v0.4/design/system-design.md b/site/content/en/v0.4/design/system-design.md index 16123948ee7..c17c234c13f 100644 --- a/site/content/en/v0.4/design/system-design.md +++ b/site/content/en/v0.4/design/system-design.md 
@@ -159,16 +159,16 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ -[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference +[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference [svc]: https://kubernetes.io/docs/concepts/services-networking/service/ [ wcd ]: ./watching.md [Issue #37]: https://github.com/envoyproxy/gateway/issues/37 -[roadmap]: roadmap.md +[roadmap]: ../contributions/roadmap 
diff --git a/site/content/en/v0.4/user/authn.md b/site/content/en/v0.4/user/authn.md index 9f25623bdf7..907e16f752e 100644 --- a/site/content/en/v0.4/user/authn.md +++ b/site/content/en/v0.4/user/authn.md @@ -92,5 +92,5 @@ kubectl delete authenticationfilter/jwt-example Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [jwt]: https://tools.ietf.org/html/rfc7519 -[AuthenticationFilter]: https://gateway.envoyproxy.io/v0.4.0/api/extension_types.html#authenticationfilter +[AuthenticationFilter]: ../api/config_types#authenticationfilter [jwks]: https://tools.ietf.org/html/rfc7517 diff --git a/site/content/en/v0.4/user/customize-envoyproxy.md b/site/content/en/v0.4/user/customize-envoyproxy.md index 0f2b92f2dab..692750b8623 100644 --- a/site/content/en/v0.4/user/customize-envoyproxy.md +++ b/site/content/en/v0.4/user/customize-envoyproxy.md @@ -243,11 +243,11 @@ spec: EOF ``` -You can use [egctl translate](https://gateway.envoyproxy.io/v0.4.0/user/egctl.html#validating-gateway-api-configuration) +You can use [egctl translate](../user/egctl#validating-gateway-api-configuration) to get the default xDS Bootstrap configuration used by Envoy Gateway. After applying the config, the bootstrap config will be overridden by the new config you provided. Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. -You can also validate this configuration using [egctl translate](https://gateway.envoyproxy.io/v0.4/user/egctl.html#validating-gateway-api-configuration). +You can also validate this configuration using [egctl translate](../user/egctl#validating-gateway-api-configuration). [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ -[EnvoyProxy]: https://gateway.envoyproxy.io/v0.4.0/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy diff --git a/site/content/en/v0.4/user/egctl.md b/site/content/en/v0.4/user/egctl.md index 29f0200f896..3e4b6c79d99 100644 
--- a/site/content/en/v0.4/user/egctl.md +++ b/site/content/en/v0.4/user/egctl.md @@ -463,7 +463,7 @@ spec: EOF ``` -You can see the output contains a [EnvoyProxy](https://gateway.envoyproxy.io/v0.4/api/config_types.html#envoyproxy) resource that +You can see the output contains a [EnvoyProxy](../api/config_types#envoyproxy) resource that can be used as a starting point to modify the xDS bootstrap resource for the managed Envoy Proxy fleet. ```yaml diff --git a/site/content/en/v0.4/user/gatewayapi-support.md b/site/content/en/v0.4/user/gatewayapi-support.md index 79e07749842..f0938702966 100644 --- a/site/content/en/v0.4/user/gatewayapi-support.md +++ b/site/content/en/v0.4/user/gatewayapi-support.md @@ -96,7 +96,7 @@ these types of cross-namespace references. Envoy Gateway supports the following namespace. - Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. -[system design]: https://gateway.envoyproxy.io/latest/design/system-design.html +[system design]: ../design/system-design [Gateway API]: https://gateway-api.sigs.k8s.io/ [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parameters reference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference 
@@ -113,9 +113,9 @@ these types of cross-namespace references. Envoy Gateway supports the following [TLSRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [ReferenceGrant]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant [SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference -[rate limiting]: https://gateway.envoyproxy.io/latest/user/rate-limit.html -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html -[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy +[rate limiting]: ./rate-limit +[request authentication]: ../user/authn +[EnvoyProxy]: ../api/config_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter diff --git a/site/content/en/v0.4/user/quickstart.md b/site/content/en/v0.4/user/quickstart.md index ef4df466c1a..7020707a0c5 100644 --- a/site/content/en/v0.4/user/quickstart.md +++ b/site/content/en/v0.4/user/quickstart.md @@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. ## Installation diff --git a/site/content/en/v0.4/user/rate-limit.md b/site/content/en/v0.4/user/rate-limit.md index e932db92627..847115571d6 100644 --- a/site/content/en/v0.4/user/rate-limit.md +++ b/site/content/en/v0.4/user/rate-limit.md 
@@ -625,9 +625,9 @@ EOF kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system ``` -[Global rate limiting]: https://www.envoyproxy.io/docs/envoy/v0.4.0/intro/arch_overview/other_features/global_rate_limiting -[RateLimitFilter]: https://gateway.envoyproxy.io/v0.4.0/api/extension_types.html#ratelimitfilter +[Global rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[RateLimitFilter]: ../api/extension_types#ratelimitfilter [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit -[EnvoyGateway]: https://gateway.envoyproxy.io/v0.4.0/api/config_types.html#envoygateway +[EnvoyGateway]: ../api/config_types#envoygateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter diff --git a/site/content/en/v0.4/user/udp-routing.md b/site/content/en/v0.4/user/udp-routing.md index 5230be9f8f5..c57a8ab1a82 100644 --- a/site/content/en/v0.4/user/udp-routing.md +++ b/site/content/en/v0.4/user/udp-routing.md @@ -153,4 +153,4 @@ kubectl delete udproute/coredns Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute -[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.4.0/configuration/listeners/udp_filters/udp_proxy +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/content/en/v0.5/api/config_types.md b/site/content/en/v0.5/api/config_types.md index 93764201f34..23010b5d035 100644 --- a/site/content/en/v0.5/api/config_types.md +++ b/site/content/en/v0.5/api/config_types.md 
@@ -431,7 +431,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | ## GroupVersionKind diff --git a/site/content/en/v0.5/contributions/CONTRIBUTING.md b/site/content/en/v0.5/contributions/CONTRIBUTING.md index f94b2c940e9..b37898e948e 100644 --- a/site/content/en/v0.5/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.5/contributions/CONTRIBUTING.md @@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. 
@@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.5/contributions/DEVELOP.md b/site/content/en/v0.5/contributions/DEVELOP.md index 6f82c4a411f..67500b42915 100644 --- a/site/content/en/v0.5/contributions/DEVELOP.md +++ b/site/content/en/v0.5/contributions/DEVELOP.md @@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[request authentication]: ../user/authn [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.5/contributions/RELEASING.md b/site/content/en/v0.5/contributions/RELEASING.md index f84f711b068..206c9f0589d 100644 --- a/site/content/en/v0.5/contributions/RELEASING.md +++ b/site/content/en/v0.5/contributions/RELEASING.md 
@@ -73,7 +73,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.5/design/bootstrap.md b/site/content/en/v0.5/design/bootstrap.md index 9a8f0c789ef..08c71f978d1 100644 --- a/site/content/en/v0.5/design/bootstrap.md +++ b/site/content/en/v0.5/design/bootstrap.md @@ -376,6 +376,6 @@ spec: ``` [Issue 31]: https://github.com/envoyproxy/gateway/issues/31 -[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parametersRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference diff --git a/site/content/en/v0.5/design/config-api.md b/site/content/en/v0.5/design/config-api.md index ca5380151a8..3762bfb93e9 100644 --- a/site/content/en/v0.5/design/config-api.md +++ b/site/content/en/v0.5/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` 
@@ -347,6 +347,6 @@ __Note:__ The NetworkPublishing API is currently undefined and is provided here [issue_51]: https://github.com/envoyproxy/gateway/issues/51 [design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md [gw_api]: https://gateway-api.sigs.k8s.io/ -[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[gc]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ [union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/site/content/en/v0.5/design/envoy-patch-policy.md b/site/content/en/v0.5/design/envoy-patch-policy.md index d34937d05ef..04081ac0763 100644 --- a/site/content/en/v0.5/design/envoy-patch-policy.md +++ b/site/content/en/v0.5/design/envoy-patch-policy.md 
@@ -167,10 +167,10 @@ patches will work. [Gateway API]: https://gateway-api.sigs.k8s.io/ [Kubernetes]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ [Kustomize]: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md -[Extension APIs]: https://gateway.envoyproxy.io/latest/api/extension_types.html -[RateLimit]: https://gateway.envoyproxy.io/latest/user/rate-limit.html -[EnvoyGateway]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoygateway -[Extending the Control Plane]: https://gateway.envoyproxy.io/latest/design/extending-envoy-gateway.html +[Extension APIs]: ../api/extension_types +[RateLimit]: ../user/rate-limit +[EnvoyGateway]: ../api/config_types#envoygateway +[Extending the Control Plane]: ./extending-envoy-gateway [EnvoyFilter]: https://istio.io/latest/docs/reference/config/networking/envoy-filter -[egctl x translate]: https://gateway.envoyproxy.io/latest/user/egctl.html#egctl-experimental-translate -[Bootstrap configuration using EnvoyProxy API]: https://gateway.envoyproxy.io/latest/user/customize-envoyproxy.html#customize-envoyproxy-bootstrap-config +[egctl x translate]: ../user/egctl#egctl-experimental-translate +[Bootstrap configuration using EnvoyProxy API]: ../user/customize-envoyproxy#customize-envoyproxy-bootstrap-config diff --git a/site/content/en/v0.5/design/extending-envoy-gateway.md b/site/content/en/v0.5/design/extending-envoy-gateway.md index 0caa870ffb1..7624ceaa2af 100644 --- a/site/content/en/v0.5/design/extending-envoy-gateway.md +++ b/site/content/en/v0.5/design/extending-envoy-gateway.md 
@@ -315,11 +315,11 @@ Extending Envoy Gateway by using an external extension server which makes use of [Envoy]: https://www.envoyproxy.io/ [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration [v1beta1]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1 -[rate limiting]: https://gateway.envoyproxy.io/v0.3.0/user/rate-limit.html -[authentication]: https://gateway.envoyproxy.io/v0.3.0/user/authn.html +[rate limiting]: ../user/rate-limit +[authentication]: ../user/authn [HTTPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute [GRPCRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute -[EnvoyGateway config]: https://gateway.envoyproxy.io/v0.3.0/api/config_types.html#envoygateway +[EnvoyGateway config]: ../api/config_types#envoygateway [controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime [Unstructured]: https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured [Listener]: https://www.envoyproxy.io/docs/envoy/v1.23.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener diff --git a/site/content/en/v0.5/design/system-design.md b/site/content/en/v0.5/design/system-design.md index 16123948ee7..c40c3e51fc9 100644 --- a/site/content/en/v0.5/design/system-design.md +++ b/site/content/en/v0.5/design/system-design.md 
@@ -159,16 +159,17 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ -[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference +[be]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendObjectReference [svc]: https://kubernetes.io/docs/concepts/services-networking/service/ -[ wcd ]: ./watching.md +[ wcd ]: ./watching [Issue #37]: https://github.com/envoyproxy/gateway/issues/37 -[roadmap]: roadmap.md +[roadmap]: ../contributions/roadmap + 
diff --git a/site/content/en/v0.5/install/install-egctl.md b/site/content/en/v0.5/install/install-egctl.md index 8534acb7127..86649ac248c 100644 --- a/site/content/en/v0.5/install/install-egctl.md +++ b/site/content/en/v0.5/install/install-egctl.md @@ -52,6 +52,6 @@ curl https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash {{% alert title="Next Steps" color="warning" %}} -You can refer to [User Guides](../../user/egctl) to more details about egctl. +You can refer to [User Guides](../user/egctl) to more details about egctl. {{% /alert %}} diff --git a/site/content/en/v0.5/install/install-helm.md b/site/content/en/v0.5/install/install-helm.md index 44e84aaa9df..4e988b07b11 100644 --- a/site/content/en/v0.5/install/install-helm.md +++ b/site/content/en/v0.5/install/install-helm.md @@ -10,7 +10,7 @@ Envoy Gateway can be installed via a Helm chart with a few simple steps, dependi ## Before you begin {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} The Envoy Gateway Helm chart is hosted by DockerHub. @@ -138,5 +138,5 @@ These are the ports used by Envoy Gateway and the managed Envoy Proxy. | Heath Check | 0.0.0.0 | 19001 | {{% alert title="Next Steps" color="warning" %}} -Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../../user). +Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). {{% /alert %}} diff --git a/site/content/en/v0.5/install/install-yaml.md b/site/content/en/v0.5/install/install-yaml.md index 28f6bec4a76..fcf0c55b37d 100644 --- a/site/content/en/v0.5/install/install-yaml.md +++ b/site/content/en/v0.5/install/install-yaml.md 
@@ -17,7 +17,7 @@ Envoy Gateway is designed to run in Kubernetes for production. The most essentia * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} ## Install with YAML @@ -36,4 +36,4 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. 2. Next Steps - Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../../user). + Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). diff --git a/site/content/en/v0.5/user/authn.md b/site/content/en/v0.5/user/authn.md index 3762e6f814b..77954272288 100644 --- a/site/content/en/v0.5/user/authn.md +++ b/site/content/en/v0.5/user/authn.md @@ -92,5 +92,5 @@ kubectl delete authenticationfilter/jwt-example Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [jwt]: https://tools.ietf.org/html/rfc7519 -[AuthenticationFilter]: https://gateway.envoyproxy.io/v0.5.0/api/extension_types.html#authenticationfilter +[AuthenticationFilter]: ../api/extension_types#authenticationfilter [jwks]: https://tools.ietf.org/html/rfc7517 diff --git a/site/content/en/v0.5/user/customize-envoyproxy.md b/site/content/en/v0.5/user/customize-envoyproxy.md index 24bdbec7033..937f5b82435 100644 --- a/site/content/en/v0.5/user/customize-envoyproxy.md +++ b/site/content/en/v0.5/user/customize-envoyproxy.md 
@@ -304,12 +304,12 @@ spec: EOF ``` -You can use [egctl translate](https://gateway.envoyproxy.io/v0.5.0/user/egctl.html#validating-gateway-api-configuration) +You can use [egctl translate](./egctl#validating-gateway-api-configuration) to get the default xDS Bootstrap configuration used by Envoy Gateway. After applying the config, the bootstrap config will be overridden by the new config you provided. Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. -You can also validate this configuration using [egctl translate](https://gateway.envoyproxy.io/v0.5.0/user/egctl.html#validating-gateway-api-configuration). +You can also validate this configuration using [egctl translate](./egctl.html#validating-gateway-api-configuration). [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ -[EnvoyProxy]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoyproxy +[EnvoyProxy]: ../api/config_types#envoyproxy diff --git a/site/content/en/v0.5/user/egctl.md b/site/content/en/v0.5/user/egctl.md index a09b1b43481..4977d2f6c87 100644 --- a/site/content/en/v0.5/user/egctl.md +++ b/site/content/en/v0.5/user/egctl.md @@ -444,7 +444,7 @@ spec: EOF ``` -You can see the output contains a [EnvoyProxy](https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoyproxy) resource that +You can see the output contains a [EnvoyProxy](../api/config_types#envoyproxy) resource that can be used as a starting point to modify the xDS bootstrap resource for the managed Envoy Proxy fleet. ```yaml diff --git a/site/content/en/v0.5/user/envoy-patch-policy.md b/site/content/en/v0.5/user/envoy-patch-policy.md index ae237f2f6ae..cf1f1d78abe 100644 --- a/site/content/en/v0.5/user/envoy-patch-policy.md +++ b/site/content/en/v0.5/user/envoy-patch-policy.md 
@@ -194,9 +194,9 @@ across versions for these reasons * Envoy Gateway might alter the xDS translation creating a different xDS output such as changing the `name` field of resources. -[EnvoyPatchPolicy]: https://gateway.envoyproxy.io/v0.5.0/api/extension_types.html#envoypatchpolicy -[EnvoyGateway]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoygateway +[EnvoyPatchPolicy]: ../api/extension_types#envoypatchpolicy +[EnvoyGateway]: ../api/config_types#envoygateway [JSON Patch]: https://datatracker.ietf.org/doc/html/rfc6902 -[xDS]: https://www.envoyproxy.io/docs/envoy/v0.5.0/intro/arch_overview/operations/dynamic_configuration -[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/v0.5.0/configuration/http/http_conn_man/local_reply -[egctl x translate]: https://gateway.envoyproxy.io/v0.5.0/user/egctl.html#egctl-experimental-translate +[xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration +[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply +[egctl x translate]: ./egctl#egctl-experimental-translate diff --git a/site/content/en/v0.5/user/gatewayapi-support.md b/site/content/en/v0.5/user/gatewayapi-support.md index 368745d2f75..28505934c47 100644 --- a/site/content/en/v0.5/user/gatewayapi-support.md +++ b/site/content/en/v0.5/user/gatewayapi-support.md 
@@ -94,7 +94,7 @@ these types of cross-namespace references. Envoy Gateway supports the following namespace. - Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. -[system design]: https://gateway.envoyproxy.io/v0.5.0/design/system-design.html +[system design]: ../design/system-design [Gateway API]: https://gateway-api.sigs.k8s.io/ [GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass [parameters reference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference @@ -110,9 +110,9 @@ these types of cross-namespace references. Envoy Gateway supports the following [TLSRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [ReferenceGrant]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant [SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference -[rate limiting]: https://gateway.envoyproxy.io/v0.5.0/user/rate-limit.html -[request authentication]: https://gateway.envoyproxy.io/v0.5.0/user/authn.html -[EnvoyProxy]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoyproxy +[rate limiting]: ./rate-limit +[request authentication]: ./authn +[EnvoyProxy]: ../api/config_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter diff --git a/site/content/en/v0.5/user/quickstart.md b/site/content/en/v0.5/user/quickstart.md index 8443d6f323f..be0ae418896 100644 --- a/site/content/en/v0.5/user/quickstart.md +++ b/site/content/en/v0.5/user/quickstart.md 
@@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. ## Installation diff --git a/site/content/en/v0.5/user/rate-limit.md b/site/content/en/v0.5/user/rate-limit.md index bddca2d52bb..5f97900c494 100644 --- a/site/content/en/v0.5/user/rate-limit.md +++ b/site/content/en/v0.5/user/rate-limit.md @@ -802,9 +802,9 @@ EOF kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system ``` -[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/v0.5.0/intro/arch_overview/other_features/global_rate_limiting -[RateLimitFilter]: https://gateway.envoyproxy.io/v0.5.0/api/extension_types.html#ratelimitfilter +[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[RateLimitFilter]: ../api/extension_types#ratelimitfilter [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit -[EnvoyGateway]: https://gateway.envoyproxy.io/v0.5.0/api/config_types.html#envoygateway +[EnvoyGateway]: ../api/config_types#envoygateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter diff --git a/site/content/en/v0.5/user/udp-routing.md b/site/content/en/v0.5/user/udp-routing.md index f5eaf0c5541..330f2bdfc01 100644 --- a/site/content/en/v0.5/user/udp-routing.md +++ b/site/content/en/v0.5/user/udp-routing.md 
@@ -153,4 +153,4 @@ kubectl delete udproute/coredns Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute -[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.5.0/configuration/listeners/udp_filters/udp_proxy +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/content/en/v0.6/api/extension_types.md b/site/content/en/v0.6/api/extension_types.md index 08b53e29c85..351356d5fb4 100644 --- a/site/content/en/v0.6/api/extension_types.md +++ b/site/content/en/v0.6/api/extension_types.md @@ -780,7 +780,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1.GatewayClass | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | #### GlobalRateLimit diff --git a/site/content/en/v0.6/contributions/CONTRIBUTING.md b/site/content/en/v0.6/contributions/CONTRIBUTING.md index f94b2c940e9..b37898e948e 100644 --- a/site/content/en/v0.6/contributions/CONTRIBUTING.md +++ b/site/content/en/v0.6/contributions/CONTRIBUTING.md 
@@ -49,7 +49,7 @@ to the following guidelines for all code, APIs, and documentation: build. If your PR cannot have 100% coverage for some reason please clearly explain why when you open it. * Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/site) folder of the repo as - well as the [changelog](/blog/releases). + well as the [changelog](/news/releases). * All code comments and documentation are expected to have proper English grammar and punctuation. If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try to find some help but there are no guarantees. @@ -175,7 +175,7 @@ git config --add alias.c "commit -s" ## Fixing DCO If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best -practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) +practice is to [squash](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-commits) the commit history to a single commit, append the DCO sign-off as described above, and [force push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in your history: diff --git a/site/content/en/v0.6/contributions/DEVELOP.md b/site/content/en/v0.6/contributions/DEVELOP.md index 6f82c4a411f..366524eb9c7 100644 --- a/site/content/en/v0.6/contributions/DEVELOP.md +++ b/site/content/en/v0.6/contributions/DEVELOP.md 
@@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[request authentication]: ../user/jwt-authentication [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/v0.6/contributions/RELEASING.md b/site/content/en/v0.6/contributions/RELEASING.md index 50d2db76abd..5abb7ba4503 100644 --- a/site/content/en/v0.6/contributions/RELEASING.md +++ b/site/content/en/v0.6/contributions/RELEASING.md @@ -6,7 +6,10 @@ description: "This section tells the release process of Envoy Gateway." This document guides maintainers through the process of creating an Envoy Gateway release. - [Release Candidate](#release-candidate) + - [Prerequisites](#prerequisites) + - [Setup cherry picker action](#setup-cherry-picker-action) - [Minor Release](#minor-release) + - [Prerequisites](#prerequisites-1) - [Announce the Release](#announce-the-release) ## Release Candidate @@ -73,7 +76,7 @@ export GITHUB_REMOTE=origin ### Setup cherry picker action -After release branch cut, RM (Release Manager) should add job [cherrypick action](../../../.github/workflows/cherrypick.yaml) for target release. +After release branch cut, RM (Release Manager) should add job [cherrypick action](https://github.com/envoyproxy/gateway/blob/main/.github/workflows/cherrypick.yaml) for target release. Configuration looks like following: diff --git a/site/content/en/v0.6/design/bootstrap.md b/site/content/en/v0.6/design/bootstrap.md index c0581347a24..743a0d9bad8 100644 --- a/site/content/en/v0.6/design/bootstrap.md +++ b/site/content/en/v0.6/design/bootstrap.md 
@@ -376,6 +376,6 @@ spec: ``` [Issue 31]: https://github.com/envoyproxy/gateway/issues/31 -[EnvoyProxy]: ../../api/extension_types#envoyproxy +[EnvoyProxy]: ../api/extension_types#envoyproxy [GatewayClass]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass [parametersRef]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ParametersReference diff --git a/site/content/en/v0.6/design/config-api.md b/site/content/en/v0.6/design/config-api.md index 1c6f3057848..89b7b0d838a 100644 --- a/site/content/en/v0.6/design/config-api.md +++ b/site/content/en/v0.6/design/config-api.md @@ -88,7 +88,7 @@ type Gateway struct { // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following // for additional details: // - // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass // // +optional ControllerName string `json:"controllerName,omitempty"` diff --git a/site/content/en/v0.6/design/envoy-patch-policy.md b/site/content/en/v0.6/design/envoy-patch-policy.md index 83ccb035b4d..1aa441ef114 100644 --- a/site/content/en/v0.6/design/envoy-patch-policy.md +++ b/site/content/en/v0.6/design/envoy-patch-policy.md 
@@ -167,10 +167,10 @@ patches will work. [Gateway API]: https://gateway-api.sigs.k8s.io/ [Kubernetes]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ [Kustomize]: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md -[Extension APIs]: ../../api/extension_types/ -[RateLimit]: ../../user/rate-limit/ -[EnvoyGateway]: ../../api/extension_types#envoygateway +[Extension APIs]: ../api/extension_types +[RateLimit]: ../user/rate-limit +[EnvoyGateway]: ../api/extension_types#envoygateway [Extending the Control Plane]: ../extending-envoy-gateway/ [EnvoyFilter]: https://istio.io/latest/docs/reference/config/networking/envoy-filter -[egctl x translate]: ../../user/egctl#egctl-experimental-translate -[Bootstrap configuration using EnvoyProxy API]: ../../user/customize-envoyproxy#customize-envoyproxy-bootstrap-config +[egctl x translate]: ../user/egctl#egctl-experimental-translate +[Bootstrap configuration using EnvoyProxy API]: ../user/customize-envoyproxy#customize-envoyproxy-bootstrap-config diff --git a/site/content/en/v0.6/design/extending-envoy-gateway.md b/site/content/en/v0.6/design/extending-envoy-gateway.md index 104bd804542..4976b16754e 100644 --- a/site/content/en/v0.6/design/extending-envoy-gateway.md +++ b/site/content/en/v0.6/design/extending-envoy-gateway.md 
@@ -315,11 +315,11 @@ Extending Envoy Gateway by using an external extension server which makes use of [Envoy]: https://www.envoyproxy.io/ [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration [v1]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1 -[rate limiting]: ../../user/rate-limit/ -[authentication]: ../../user/jwt-authentication/ +[rate limiting]: ../user/rate-limit +[authentication]: ../user/jwt-authentication [HTTPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute [GRPCRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute -[EnvoyGateway config]: ../../api/extension_types#envoygateway +[EnvoyGateway config]: ../api/extension_types#envoygateway [controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime [Unstructured]: https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured [Listener]: https://www.envoyproxy.io/docs/envoy/v1.23.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener diff --git a/site/content/en/v0.6/design/system-design.md b/site/content/en/v0.6/design/system-design.md index 956482ffcc3..c64846873b1 100644 --- a/site/content/en/v0.6/design/system-design.md +++ b/site/content/en/v0.6/design/system-design.md 
@@ -159,11 +159,11 @@ The draft for this document is [here][draft_design]. [grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [rls]: https://github.com/envoyproxy/ratelimit [rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit -[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional +[crf]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#filters-optional [gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts [listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners [route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route -[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional +[be_ref]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute#backendrefs-optional [cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster [draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit [cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ diff --git a/site/content/en/v0.6/install/install-helm.md b/site/content/en/v0.6/install/install-helm.md index 7bb4b63952b..37c1c649152 100644 --- a/site/content/en/v0.6/install/install-helm.md +++ b/site/content/en/v0.6/install/install-helm.md 
@@ -10,7 +10,7 @@ Envoy Gateway can be installed via a Helm chart with a few simple steps, dependi ## Before you begin {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} The Envoy Gateway Helm chart is hosted by DockerHub. @@ -140,5 +140,5 @@ These are the ports used by Envoy Gateway and the managed Envoy Proxy. | Heath Check | 0.0.0.0 | 19001 | {{% alert title="Next Steps" color="warning" %}} -Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../../user). +Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). {{% /alert %}} diff --git a/site/content/en/v0.6/install/install-yaml.md b/site/content/en/v0.6/install/install-yaml.md index 0b617d34be6..e00cf0f2733 100644 --- a/site/content/en/v0.6/install/install-yaml.md +++ b/site/content/en/v0.6/install/install-yaml.md @@ -17,7 +17,7 @@ Envoy Gateway is designed to run in Kubernetes for production. The most essentia * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} -Refer to the [Version Compatibility Matrix](/blog/2022/10/01/versions/) to learn more. +Refer to the [Version Compatibility Matrix](/news/releases/matrix/) to learn more. {{% /alert %}} ## Install with YAML 
@@ -36,4 +36,4 @@ Refer to the [Developer Guide](/contributions/develop) to learn more. 2. Next Steps - Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](/latest/user). + Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). diff --git a/site/content/en/v0.6/user/cors.md b/site/content/en/v0.6/user/cors.md index d8867ccb8d2..4c7d694e0a7 100644 --- a/site/content/en/v0.6/user/cors.md +++ b/site/content/en/v0.6/user/cors.md @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration @@ -53,7 +53,7 @@ kubectl get securitypolicy/cors-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](./quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -102,7 +102,7 @@ its configuration. It won't deny any requests. The browsers are responsible for ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: diff --git a/site/content/en/v0.6/user/customize-envoyproxy.md b/site/content/en/v0.6/user/customize-envoyproxy.md index 7f9bfb7cdc0..5835bd73b6c 100644 
--- a/site/content/en/v0.6/user/customize-envoyproxy.md +++ b/site/content/en/v0.6/user/customize-envoyproxy.md @@ -8,7 +8,7 @@ Service. To learn more about GatewayClass and ParametersRef, please refer to [Ga ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Add GatewayClass ParametersRef @@ -318,5 +318,5 @@ Any errors in the configuration will be surfaced as status within the `GatewayCl You can also validate this configuration using [egctl translate][]. [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ -[EnvoyProxy]: ../../api/extension_types#envoyproxy -[egctl translate]: ../egctl#validating-gateway-api-configuration +[EnvoyProxy]: ../api/extension_types#envoyproxy +[egctl translate]: ./egctl#validating-gateway-api-configuration diff --git a/site/content/en/v0.6/user/egctl.md b/site/content/en/v0.6/user/egctl.md index 937c783cc02..999ccc82903 100644 --- a/site/content/en/v0.6/user/egctl.md +++ b/site/content/en/v0.6/user/egctl.md @@ -396,7 +396,7 @@ spec: EOF ``` -You can see the output contains a [EnvoyProxy](../../api/extension_types#envoyproxy) resource that +You can see the output contains a [EnvoyProxy](../api/extension_types#envoyproxy) resource that can be used as a starting point to modify the xDS bootstrap resource for the managed Envoy Proxy fleet. ```yaml diff --git a/site/content/en/v0.6/user/envoy-patch-policy.md b/site/content/en/v0.6/user/envoy-patch-policy.md index 9bf6459d2cd..da09f4a3263 100644 --- a/site/content/en/v0.6/user/envoy-patch-policy.md +++ b/site/content/en/v0.6/user/envoy-patch-policy.md 
@@ -22,7 +22,7 @@ not exposed by Envoy Gateway APIs today. ### Prerequisites -* Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +* Follow the steps from the [Quickstart](./quickstart) guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Enable EnvoyPatchPolicy @@ -194,9 +194,9 @@ across versions for these reasons * Envoy Gateway might alter the xDS translation creating a different xDS output such as changing the `name` field of resources. -[EnvoyPatchPolicy]: ../../api/extension_types#envoypatchpolicy -[EnvoyGateway]: ../../api/extension_types#envoygateway +[EnvoyPatchPolicy]: ../api/extension_types#envoypatchpolicy +[EnvoyGateway]: ../api/extension_types#envoygateway [JSON Patch]: https://datatracker.ietf.org/doc/html/rfc6902 -[xDS]: https://www.envoyproxy.io/docs/envoy/v0.6.0/intro/arch_overview/operations/dynamic_configuration -[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/v0.6.0/configuration/http/http_conn_man/local_reply -[egctl x translate]: ../egctl#egctl-experimental-translate +[xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration +[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply +[egctl x translate]: ./egctl#egctl-experimental-translate diff --git a/site/content/en/v0.6/user/gateway-api-metrics.md b/site/content/en/v0.6/user/gateway-api-metrics.md index fef51bde69f..3f787e33a50 100644 --- a/site/content/en/v0.6/user/gateway-api-metrics.md +++ b/site/content/en/v0.6/user/gateway-api-metrics.md 
@@ -7,7 +7,7 @@ The project also provides example dashboard for visualising the metrics using Gr ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster: @@ -29,7 +29,7 @@ kubectl -n monitoring rollout status --watch --timeout=5m statefulset/prometheus kubectl -n monitoring port-forward service/prometheus-k8s 9090:9090 > /dev/null & ``` -Navigate to [http://localhost:9090](http://localhost:9090). +Navigate to `http://localhost:9090`. Metrics can be queried from the 'Graph' tab e.g. `gatewayapi_gateway_created` See the [Gateway API State Metrics README](https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#metrics) for the full list of Gateway API metrics available. @@ -47,7 +47,7 @@ kubectl -n monitoring wait --timeout=5m deployment/grafana --for=condition=Avail kubectl -n monitoring port-forward service/grafana 3000:3000 > /dev/null & ``` -Navigate to [http://localhost:3000](http://localhost:3000) and sign in with admin/admin. +Navigate to `http://localhost:3000` and sign in with admin/admin. The Gateway API State dashboards will be available in the 'Default' folder and tagged with 'gateway-api'. See the [Gateway API State Metrics README](https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#dashboards) for further information on available dashboards. diff --git a/site/content/en/v0.6/user/gatewayapi-support.md b/site/content/en/v0.6/user/gatewayapi-support.md index 064bb5b2b1b..107edf886cc 100644 --- a/site/content/en/v0.6/user/gatewayapi-support.md +++ b/site/content/en/v0.6/user/gatewayapi-support.md 
@@ -110,9 +110,9 @@ these types of cross-namespace references. Envoy Gateway supports the following [TLSRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [ReferenceGrant]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.ReferenceGrant [SecretObjectReference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference -[rate limiting]: ../rate-limit/ -[request authentication]: ../jwt-authentication/ -[EnvoyProxy]: ../../api/extension_types#envoyproxy +[rate limiting]: ./rate-limit +[request authentication]: ./jwt-authentication +[EnvoyProxy]: ../api/extension_types#envoyproxy [resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts [ExtensionRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilterType [grpc-filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter diff --git a/site/content/en/v0.6/user/grafana-integration.md b/site/content/en/v0.6/user/grafana-integration.md index 7223a35e942..fc9512eed27 100644 --- a/site/content/en/v0.6/user/grafana-integration.md +++ b/site/content/en/v0.6/user/grafana-integration.md @@ -7,7 +7,7 @@ This guide shows you how to visualise the metrics exposed to prometheus using gr ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Follow the steps from the [Proxy Observability](../proxy-observability#Metrics) to enable prometheus metrics. 
@@ -62,4 +62,4 @@ Envoy Gateway has examples of dashboard for you to get started: ![Envoy Pod Resources](/img/envoy-pod-resources-dashboard.png) -You can load the above dashboards in your Grafana to get started. Please refer to Grafana docs for [importing dashboards](https://grafana.com/docs/grafana/v0.6.0/dashboards/manage-dashboards/#import-a-dashboard). +You can load the above dashboards in your Grafana to get started. Please refer to Grafana docs for [importing dashboards](https://grafana.com/docs/grafana/latest/dashboards/manage-dashboards/#import-a-dashboard). diff --git a/site/content/en/v0.6/user/http-redirect.md b/site/content/en/v0.6/user/http-redirect.md index 1ef88e53fa3..2fec0b521a9 100644 --- a/site/content/en/v0.6/user/http-redirect.md +++ b/site/content/en/v0.6/user/http-redirect.md @@ -9,7 +9,7 @@ learn more about HTTP routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTPS. ## Redirects diff --git a/site/content/en/v0.6/user/http-request-headers.md b/site/content/en/v0.6/user/http-request-headers.md index 25b675a16d7..6372aacbf02 100644 --- a/site/content/en/v0.6/user/http-request-headers.md +++ b/site/content/en/v0.6/user/http-request-headers.md @@ -14,7 +14,7 @@ client. ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Request Headers 
diff --git a/site/content/en/v0.6/user/http-request-mirroring.md b/site/content/en/v0.6/user/http-request-mirroring.md index db6bcca33f2..9f2aac4b6ce 100644 --- a/site/content/en/v0.6/user/http-request-mirroring.md +++ b/site/content/en/v0.6/user/http-request-mirroring.md @@ -244,7 +244,7 @@ EOF Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule ``` -[Quickstart Guide]: ../quickstart/ +[Quickstart Guide]: ./quickstart/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef [HTTPRequestMirrorFilter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRequestMirrorFilter diff --git a/site/content/en/v0.6/user/http-response-headers.md b/site/content/en/v0.6/user/http-response-headers.md index 76cf33362b4..1a3ab351ebf 100644 --- a/site/content/en/v0.6/user/http-response-headers.md +++ b/site/content/en/v0.6/user/http-response-headers.md @@ -12,7 +12,7 @@ upstream service. ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Response Headers diff --git a/site/content/en/v0.6/user/http-traffic-splitting.md b/site/content/en/v0.6/user/http-traffic-splitting.md index 49e6ca89c2f..6d3257af415 100644 --- a/site/content/en/v0.6/user/http-traffic-splitting.md +++ b/site/content/en/v0.6/user/http-traffic-splitting.md 
@@ -8,7 +8,7 @@ with status code `500` for all requests that would have been sent to that backen ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Single backendRef diff --git a/site/content/en/v0.6/user/http-urlrewrite.md b/site/content/en/v0.6/user/http-urlrewrite.md index 945a24a7a44..b806a355b2c 100644 --- a/site/content/en/v0.6/user/http-urlrewrite.md +++ b/site/content/en/v0.6/user/http-urlrewrite.md @@ -7,7 +7,7 @@ used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequ ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Rewrite URL Prefix Path diff --git a/site/content/en/v0.6/user/jwt-authentication.md b/site/content/en/v0.6/user/jwt-authentication.md index e11358c22fa..6c04873a10f 100644 --- a/site/content/en/v0.6/user/jwt-authentication.md +++ b/site/content/en/v0.6/user/jwt-authentication.md @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to install Envoy Gateway and the example manifest. For GRPC - follow the steps from the [GRPC Routing](../grpc-routing/) example. Before proceeding, you should be able to query the example backend using HTTP or GRPC. 
@@ -71,7 +71,7 @@ kubectl get securitypolicy/jwt-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](./quickstart) guide is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -150,7 +150,7 @@ You should see the below response ## Clean-Up -Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](./quickstart) guide to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: diff --git a/site/content/en/v0.6/user/proxy-observability.md b/site/content/en/v0.6/user/proxy-observability.md index 8601a0de7a8..77b391eadfb 100644 --- a/site/content/en/v0.6/user/proxy-observability.md +++ b/site/content/en/v0.6/user/proxy-observability.md @@ -7,7 +7,7 @@ This guide show you how to config proxy observability, includes metrics, logs, a ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. [FluentBit](https://fluentbit.io/) is used to collect logs from the EnvoyProxy instances and forward them to Loki. Install FluentBit: 
@@ -87,7 +87,7 @@ curl localhost:19001/metrics | grep "default/backend/rule/0/match/0-www" ## Logs -By default, Envoy Gateway send logs to stdout in [default text format](https://www.envoyproxy.io/docs/envoy/v0.6.0/configuration/observability/access_log/usage.html#default-format-string). +By default, Envoy Gateway send logs to stdout in [default text format](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage.html#default-format-string). Verify logs from loki: ```shell diff --git a/site/content/en/v0.6/user/quickstart.md b/site/content/en/v0.6/user/quickstart.md index 2e47dd6f26b..6a35933590e 100644 --- a/site/content/en/v0.6/user/quickstart.md +++ b/site/content/en/v0.6/user/quickstart.md @@ -9,7 +9,7 @@ This guide will help you get started with Envoy Gateway in a few simple steps. A Kubernetes cluster. -__Note:__ Refer to the [Compatibility Matrix](/blog/2022/10/01/versions/) for supported Kubernetes versions. +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix/) for supported Kubernetes versions. __Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). diff --git a/site/content/en/v0.6/user/rate-limit.md b/site/content/en/v0.6/user/rate-limit.md index 8f5867413ce..5a8cf305bbd 100644 --- a/site/content/en/v0.6/user/rate-limit.md +++ b/site/content/en/v0.6/user/rate-limit.md 
@@ -21,7 +21,7 @@ can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. ### Install Envoy Gateway -* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +* Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the HTTPRoute example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Install Redis @@ -817,10 +817,10 @@ EOF kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system ``` -[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/v0.6.0/intro/arch_overview/other_features/global_rate_limiting -[BackendTrafficPolicy]: ../../api/extension_types#backendtrafficpolicy +[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[BackendTrafficPolicy]: ../api/extension_types#backendtrafficpolicy [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit -[EnvoyGateway]: ../../api/extension_types#envoygateway +[EnvoyGateway]: ../api/extension_types#envoygateway [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ diff --git a/site/content/en/v0.6/user/secure-gateways.md b/site/content/en/v0.6/user/secure-gateways.md index 805aeb8b1a6..1c1551fb92a 100644 --- a/site/content/en/v0.6/user/secure-gateways.md +++ b/site/content/en/v0.6/user/secure-gateways.md @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates 
@@ -242,7 +242,7 @@ Lastly, test connectivity using the above [Testing section](#testing). ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secrets: @@ -257,14 +257,14 @@ This section gives a walkthrough to generate RSA and ECDSA derived certificates ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](./secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Pre-checks -While testing in [Cluster without External LoadBalancer Support](../secure-gateways#clusters-without-external-loadbalancer-support), we can query the example app through Envoy proxy while enforcing an RSA cipher, as shown below: +While testing in [Cluster without External LoadBalancer Support](./secure-gateways#clusters-without-external-loadbalancer-support), we can query the example app through Envoy proxy while enforcing an RSA cipher, as shown below: ```shell curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \ 
@@ -295,7 +295,7 @@ Moving forward in the doc, we will be configuring the existing Gateway listener ## TLS Certificates -Reuse the CA certificate and key pair generated in the [Secure Gateways](../secure-gateways#tls-certificates) guide and use this CA to sign both RSA and ECDSA Server certificates. +Reuse the CA certificate and key pair generated in the [Secure Gateways](./secure-gateways#tls-certificates) guide and use this CA to sign both RSA and ECDSA Server certificates. Note the CA certificate and key names are `example.com.crt` and `example.com.key` respectively. 
@@ -369,14 +369,14 @@ This sections gives a walkthrough to generate multiple certificates correspondin ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](./secure-gateways#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Additional Configurations -Using the [TLS Certificates](../secure-gateways#tls-certificates) section in the guide we first generate additional Secret for another Host `www.sample.com`. +Using the [TLS Certificates](./secure-gateways#tls-certificates) section in the guide we first generate additional Secret for another Host `www.sample.com`. ```shell openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=sample Inc./CN=sample.com' -keyout sample.com.key -out sample.com.crt @@ -446,7 +446,7 @@ Since the multiple certificates are configured on the same Gateway listener, Env ### Clusters with External LoadBalancer Support -Refer to the steps mentioned earlier in the guide under [Testing in clusters with External LoadBalancer Support](../secure-gateways#clusters-with-external-loadbalancer-support) +Refer to the steps mentioned earlier in the guide under [Testing in clusters with External LoadBalancer Support](./secure-gateways#clusters-with-external-loadbalancer-support) ## Next Steps 
diff --git a/site/content/en/v0.6/user/tls-cert-manager.md b/site/content/en/v0.6/user/tls-cert-manager.md index 7776fbb2413..aeb5e1a0759 100644 --- a/site/content/en/v0.6/user/tls-cert-manager.md +++ b/site/content/en/v0.6/user/tls-cert-manager.md @@ -18,7 +18,7 @@ Changing to the Let's Encrypt production environment is straight-forward after t ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Deploying cert-manager @@ -432,5 +432,5 @@ eg-https kubernetes.io/tls 3 42m ## See Also -* [Secure Gateways](../secure-gateways/) +* [Secure Gateways](./secure-gateways) * [Securing gateway.networking.k8s.io Gateway Resources](https://cert-manager.io/docs/usage/gateway/) diff --git a/site/content/en/v0.6/user/tls-passthrough.md b/site/content/en/v0.6/user/tls-passthrough.md index aab53254cc9..3390af7ea8a 100644 --- a/site/content/en/v0.6/user/tls-passthrough.md +++ b/site/content/en/v0.6/user/tls-passthrough.md @@ -12,7 +12,7 @@ to terminate the TLS connection, while the Gateway routes the requests to the ap ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -106,7 +106,7 @@ curl -v -HHost:passthrough.example.com --resolve "passthrough.example.com:6443:$ ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart Guide](./quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secret: 
diff --git a/site/content/en/v0.6/user/tls-termination.md b/site/content/en/v0.6/user/tls-termination.md index 4ac72aac7af..706f95b71ca 100644 --- a/site/content/en/v0.6/user/tls-termination.md +++ b/site/content/en/v0.6/user/tls-termination.md @@ -10,7 +10,7 @@ This guide will walk through the steps required to configure TLS Terminate mode ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway. +Follow the steps from the [Quickstart Guide](./quickstart) to install Envoy Gateway. ## TLS Certificates Generate the certificates and keys used by the Gateway to terminate client TLS connections. diff --git a/site/content/en/v0.6/user/udp-routing.md b/site/content/en/v0.6/user/udp-routing.md index 8d80fe789cf..20a77ca17cb 100644 --- a/site/content/en/v0.6/user/udp-routing.md +++ b/site/content/en/v0.6/user/udp-routing.md @@ -137,7 +137,7 @@ _udp.foo.bar.com. 0 IN SRV 0 0 42376 . ## Clean-Up -Follow the steps from the [Quickstart Guide](../quickstart) to uninstall Envoy Gateway. +Follow the steps from the [Quickstart Guide](./quickstart) to uninstall Envoy Gateway. Delete the CoreDNS example manifest and the UDPRoute: @@ -153,4 +153,4 @@ kubectl delete udproute/coredns Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project. [UDPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute -[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.6.0/configuration/listeners/udp_filters/udp_proxy +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/content/en/v1.0/tasks/security/threat-model.md b/site/content/en/v1.0/tasks/security/threat-model.md index c1bba3f9726..f5083875107 100644 --- a/site/content/en/v1.0/tasks/security/threat-model.md +++ b/site/content/en/v1.0/tasks/security/threat-model.md 
@@ -396,7 +396,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack. - **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing. + **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing. Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream 
timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action). @@ -603,7 +603,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | -|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. | |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. | |EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. | diff --git a/site/package.json b/site/package.json index 499d153e7b5..2ea4bc1f1ae 100644 --- a/site/package.json +++ b/site/package.json @@ -32,7 +32,7 @@ }, "devDependencies": { "autoprefixer": "^10.4.14", - "hugo-extended": "0.123.8", - "postcss-cli": "^10.1.0" + "hugo-extended": "0.128.0", + "postcss-cli": "^11.0.0" } } diff --git a/tools/make/docs.mk b/tools/make/docs.mk index 704e9e44c52..30fc447e0e1 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk @@ -1,6 +1,6 @@ DOCS_OUTPUT_DIR := site/public RELEASE_VERSIONS ?= $(foreach v,$(wildcard ${ROOT_DIR}/docs/*),$(notdir ${v})) -LINKINATOR_IGNORE := "github.com githubusercontent.com example.com github.io _print v0.6 v0.5 v0.4 v0.3 v0.2" +LINKINATOR_IGNORE := "github.com githubusercontent.com example.com github.io _print" CLEAN_NODE_MODULES ?= true ##@ Docs
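Review bot: The `../quickstart` to `./quickstart` and `../secure-gateways#...` to `./secure-gateways#...` rewrites in the @@ -369 and @@ -446 hunks at the top of this section only land on the same page if Hugo resolves these links relative to the content file rather than the rendered URL; on a page served at `/v0.6/user/<page>/` with a trailing slash, `./quickstart` resolves to `/v0.6/user/<page>/quickstart`. Since the `tools/make/docs.mk` change in this same patch stops ignoring `v0.6` in the link checker, please state in the PR description that the checker was run against the rendered site for these pages and passed.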
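Review bot: The @@ -153 hunk of `site/content/en/v0.6/user/udp-routing.md` repairs the UDP proxy link by switching `envoy/v0.6.0/...` (an Envoy Gateway release number used as an Envoy version) to `envoy/latest/...`, but `latest` inside a pinned v0.6 guide will drift as the Envoy docs move; if the Envoy release that Envoy Gateway v0.6 ships with is known, pin to that instead. The same hunk also leaves `[Developer Guide](../../contributions/develop/)` as a `../` link while every other `../` link in this patch became `./`; either confirm it resolves under the new convention or change it for consistency.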
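Review bot: The unversioned relative link `../traffic/global-rate-limit` in the @@ -396 hunk of `site/content/en/v1.0/tasks/security/threat-model.md` is preferable to the old absolute `https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/`, which pointed a v1.0 document at v0.6 docs, but it now depends on `tasks/traffic/global-rate-limit.md` existing next to this file in every version directory that carries the threat model; please confirm that before merging, as the link checker will no longer skip archived versions after the `docs.mk` change below.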
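Review bot: The `+` line for the EGTM-018 row in the @@ -603 hunk carries the typo `(DoS)nattacks` over from the `-` line it replaces; since the row is being rewritten anyway, change it to `(DoS) attacks`. In the unchanged EGTM-024 row just below it, item a. still contains stray `>` markers (`> to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/...`) that render as literal text inside the table cell and look like a blockquote copy-paste artefact; worth cleaning in the same pass.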
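Review bot: `postcss-cli` jumps a major version (`^10.1.0` to `^11.0.0`) next to the `hugo-extended` bump in the @@ -32 hunk of `site/package.json`, yet no lockfile change is visible alongside it; for a reproducible docs build, commit the updated lockfile and consider pinning `postcss-cli` exactly, as `hugo-extended` already is at `0.128.0`, so a caret range cannot silently resolve to a newer release on CI. The PR description should also say why the major bump is needed (for example Hugo 0.128.0 compatibility), since nothing in the diff explains it.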
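Review bot: Dropping `v0.6 v0.5 v0.4 v0.3 v0.2` from `LINKINATOR_IGNORE` in the @@ -1 hunk of `tools/make/docs.mk` turns on link checking for every archived version, but this patch only repairs links under `site/content/en/v0.6/`; either confirm the checker passes for `v0.5` and earlier as well, or keep those tokens until their links are fixed. Note also that these tokens are plain substring matches, so `v0.6` was masking the broken `envoy/v0.6.0/...` URL corrected in `udp-routing.md`; any other link containing one of the removed substrings will surface now.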