kgateway-dev · yuval-k · Nov 26, 2025 · Nov 25, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -49,7 +49,7 @@ jobs:
         # August 29, 2025: ~9 minutes
         - cluster-name: 'cluster-four'
           go-test-args: '-timeout=25m'
-          go-test-run-regex: '^TestKgateway$$/^ExtProc$$|^TestKgateway$$/^ExtAuth$$|^TestKgateway$$/^PolicySelector$$|^TestKgateway$$/^Backends$$|^TestKgateway$$/^BackendTLSPolicies$$|^TestKgateway$$/^CSRF$$|^TestKgateway$$/^AutoHostRewrite$$|^TestKgateway$$/^LeaderElection$$'
+          go-test-run-regex: '^TestKgateway$$/^ExtProc$$|^TestKgateway$$/^ExtAuth$$|^TestKgateway$$/^PolicySelector$$|^TestKgateway$$/^Backends$$|^TestKgateway$$/^BackendTLSPolicies$$|^TestKgateway$$/^CSRF$$|^TestKgateway$$/^AutoHostRewrite$$|^TestKgateway$$/^LeaderElection$$|^TestKgateway$$/^ListenerPolicyProxyProtocol$$'
           localstack: 'false'
         # August 29, 2025: ~10 minutes
         - cluster-name: 'cluster-five'

diff --git a/api/v1alpha1/listener_policy_types.go b/api/v1alpha1/listener_policy_types.go
@@ -0,0 +1,66 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// +kubebuilder:rbac:groups=gateway.kgateway.dev,resources=listenerpolicies,verbs=get;list;watch
+// +kubebuilder:rbac:groups=gateway.kgateway.dev,resources=listenerpolicies/status,verbs=get;update;patch
+
+// +kubebuilder:printcolumn:name="Accepted",type=string,JSONPath=".status.ancestors[*].conditions[?(@.type=='Accepted')].status",description="Listener policy acceptance status"
+// +kubebuilder:printcolumn:name="Attached",type=string,JSONPath=".status.ancestors[*].conditions[?(@.type=='Attached')].status",description="Listener policy attachment status"
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:metadata:labels={app=kgateway,app.kubernetes.io/name=kgateway}
+// +kubebuilder:resource:categories=kgateway
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="gateway.networking.k8s.io/policy=Direct"
+// ListenerPolicy is used for configuring Envoy listener-level settings that apply to all protocol types (HTTP, HTTPS, TCP, TLS).
+// These policies can only target `Gateway` objects.
+type ListenerPolicy struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// +required
+	Spec ListenerPolicySpec `json:"spec"`
+	// +optional
+	Status gwv1.PolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+type ListenerPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ListenerPolicy `json:"items"`
+}
+
+// ListenerPolicySpec defines the desired state of a listener policy.
+type ListenerPolicySpec struct {
+	// TargetRefs specifies the target resources by reference to attach the policy to.
+	// Only supports `Gateway` resources
+	// +optional
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:rule="self.all(r, r.kind == 'Gateway' && (!has(r.group) || r.group == 'gateway.networking.k8s.io'))",message="targetRefs may only reference Gateway resource"
+	TargetRefs []LocalPolicyTargetReference `json:"targetRefs,omitempty"`
+
+	// TargetSelectors specifies the target selectors to select `Gateway` resources to attach the policy to.
+	// +optional
+	// +kubebuilder:validation:XValidation:rule="self.all(r, r.kind == 'Gateway' && (!has(r.group) || r.group == 'gateway.networking.k8s.io'))",message="targetSelectors may only reference Gateway resource"
+	TargetSelectors []LocalPolicyTargetSelector `json:"targetSelectors,omitempty"`
+
+	// ProxyProtocol configures the PROXY protocol listener filter.
+	// When set, Envoy will expect connections to include the PROXY protocol header.
+	// This is commonly used when kgateway is behind a load balancer that preserves client IP information.
+	// See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
+	// +optional
+	ProxyProtocol *ProxyProtocolConfig `json:"proxyProtocol,omitempty"`
+}
+
+// ProxyProtocolConfig configures the PROXY protocol listener filter.
+// The presence of this configuration enables PROXY protocol support.
+type ProxyProtocolConfig struct {
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/v1alpha1/zz_generated.register.go b/api/v1alpha1/zz_generated.register.go
diff --git a/go.mod b/go.mod
@@ -33,7 +33,7 @@ require (
 	go.opencensus.io v0.24.0
 	go.uber.org/zap v1.27.0
 	golang.org/x/exp v0.0.0-20251017212417-90e834f514db
-	golang.org/x/net v0.46.0
+	golang.org/x/net v0.46.0 // indirect
 	google.golang.org/grpc v1.76.0
 	google.golang.org/protobuf v1.36.10
 	helm.sh/helm/v3 v3.19.2

diff --git a/hack/utils/oss_compliance/osa_provided.md b/hack/utils/oss_compliance/osa_provided.md
@@ -39,7 +39,6 @@ Name|Version|License
 [go.uber.org/atomic](https://go.uber.org/atomic)|v1.11.0|MIT License
 [go.uber.org/zap](https://go.uber.org/zap)|v1.27.0|MIT License
 [x/exp](https://golang.org/x/exp)|v0.0.0-20251017212417-90e834f514db|BSD 3-clause "New" or "Revised" License
-[x/net](https://golang.org/x/net)|v0.46.0|BSD 3-clause "New" or "Revised" License
 [x/time](https://golang.org/x/time)|v0.14.0|BSD 3-clause "New" or "Revised" License
 [google.golang.org/grpc](https://google.golang.org/grpc)|v1.76.0|Apache License 2.0
 [google.golang.org/protobuf](https://google.golang.org/protobuf)|v1.36.10|BSD 3-clause "New" or "Revised" License