envoyproxy · jukie · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026
@@ -0,0 +1,90 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// DynamicModuleEntry defines a dynamic module that is registered and allowed
+// for use by EnvoyExtensionPolicy resources.
+type DynamicModuleEntry struct {
+	// Name is the logical name for this module. EnvoyExtensionPolicy resources
+	// reference modules by this name.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$`
+	Name string `json:"name"`
+
+	// LibraryName is the name of the shared library file that Envoy will load.
+	// Envoy searches for lib${libraryName}.so in the path specified by the
+	// ENVOY_DYNAMIC_MODULES_SEARCH_PATH environment variable.
+	// If not specified, defaults to the value of Name.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$`
+	LibraryName *string `json:"libraryName,omitempty"`
+
+	// DoNotClose prevents the module from being unloaded with dlclose when no
+	// more references exist. This is useful for modules that maintain global
+	// state that should not be destroyed on configuration updates.
+	// Defaults to false.
+	//
+	// +optional
+	// +kubebuilder:default=false
+	DoNotClose *bool `json:"doNotClose,omitempty"`
+
+	// LoadGlobally loads the dynamic module with the RTLD_GLOBAL flag.
+	// By default, modules are loaded with RTLD_LOCAL to avoid symbol conflicts.
+	// Set this to true when the module needs to share symbols with other
+	// dynamic libraries it loads.
+	// Defaults to false.
+	//
+	// +optional
+	// +kubebuilder:default=false
+	LoadGlobally *bool `json:"loadGlobally,omitempty"`
+}
+
+// DynamicModule defines a dynamic module HTTP filter to be loaded by Envoy.
+// The module must be registered in the EnvoyProxy resource's dynamicModules
+// allowlist by the infrastructure operator.
+type DynamicModule struct {
+	// Name references a dynamic module registered in the EnvoyProxy resource's
+	// dynamicModules list. The referenced module must exist in the registry;
+	// otherwise, the policy will be rejected.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$`
+	Name string `json:"name"`
+
+	// FilterName identifies a specific filter implementation within the dynamic
+	// module. A single shared library can contain multiple filter implementations.
+	// This value is passed to the module's HTTP filter config init function to
+	// select the appropriate implementation.
+	// If not specified, defaults to an empty string.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxLength=253
+	FilterName *string `json:"filterName,omitempty"`
+
+	// Config is the configuration for the dynamic module filter.
+	// This is serialized as JSON and passed to the module's initialization function.
+	//
+	// +optional
+	Config *apiextensionsv1.JSON `json:"config,omitempty"`
+
+	// TerminalFilter indicates that this dynamic module handles requests without
+	// requiring an upstream backend. The module is responsible for generating and
+	// sending the response to downstream directly.
+	// Defaults to false.
+	//
+	// +optional
+	// +kubebuilder:default=false
+	TerminalFilter *bool `json:"terminalFilter,omitempty"`
+}
@@ -65,6 +65,17 @@ type EnvoyExtensionPolicySpec struct {
 	// +kubebuilder:validation:MaxItems=16
 	// +optional
 	Lua []Lua `json:"lua,omitempty"`
+
+	// DynamicModules is an ordered list of dynamic module HTTP filters
+	// that should be added to the envoy filter chain.
+	// Each module must be registered in the EnvoyProxy resource's dynamicModules
+	// allowlist.
+	// Order matters, as the filters will be loaded in the order they are
+	// defined in this list.
+	//
+	// +kubebuilder:validation:MaxItems=16
+	// +optional
+	DynamicModules []DynamicModule `json:"dynamicModules,omitempty"`
 }
 
 //+kubebuilder:object:root=true

@@ -132,6 +132,8 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.wasm
 	//
+	// - envoy.filters.http.dynamic_modules
+	//
 	// - envoy.filters.http.rbac
 	//
 	// - envoy.filters.http.local_ratelimit
@@ -182,6 +184,20 @@ type EnvoyProxySpec struct {
 	// Default: Strict
 	// +optional
 	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
+
+	// DynamicModules defines the set of dynamic modules that are allowed to be
+	// used by EnvoyExtensionPolicy resources. Each entry registers a module by
+	// a logical name and specifies the shared library that Envoy will load.
+	//
+	// The EnvoyProxy owner is responsible for ensuring the module .so files are available
+	// on the proxy container's filesystem (e.g., via init containers, custom images,
+	// or shared volumes).
+	//
+	// +kubebuilder:validation:MaxItems=16
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	DynamicModules []DynamicModuleEntry `json:"dynamicModules,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=Strict;InsecureSyntax;Disabled
@@ -248,7 +264,7 @@ type FilterPosition struct {
 }
 
 // EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.custom_response;envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.header_mutation;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
+// +kubebuilder:validation:Enum=envoy.filters.http.custom_response;envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.header_mutation;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.dynamic_modules;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
 type EnvoyFilter string
 
 const (
@@ -298,6 +314,9 @@ const (
 	// EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
 	EnvoyFilterWasm EnvoyFilter = "envoy.filters.http.wasm"
 
+	// EnvoyFilterDynamicModules defines the Envoy HTTP dynamic modules filter.
+	EnvoyFilterDynamicModules EnvoyFilter = "envoy.filters.http.dynamic_modules"
+
 	// EnvoyFilterRBAC defines the Envoy RBAC filter.
 	EnvoyFilterRBAC EnvoyFilter = "envoy.filters.http.rbac"
 

@@ -47,6 +47,56 @@ spec:
           spec:
             description: Spec defines the desired state of EnvoyExtensionPolicy.
             properties:
+              dynamicModules:
+                description: |-
+                  DynamicModules is an ordered list of dynamic module HTTP filters
+                  that should be added to the envoy filter chain.
+                  Each module must be registered in the EnvoyProxy resource's dynamicModules
+                  allowlist.
+                  Order matters, as the filters will be loaded in the order they are
+                  defined in this list.
+                items:
+                  description: |-
+                    DynamicModule defines a dynamic module HTTP filter to be loaded by Envoy.
+                    The module must be registered in the EnvoyProxy resource's dynamicModules
+                    allowlist by the infrastructure operator.
+                  properties:
+                    config:
+                      description: |-
+                        Config is the configuration for the dynamic module filter.
+                        This is serialized as JSON and passed to the module's initialization function.
+                      x-kubernetes-preserve-unknown-fields: true
+                    filterName:
+                      description: |-
+                        FilterName identifies a specific filter implementation within the dynamic
+                        module. A single shared library can contain multiple filter implementations.
+                        This value is passed to the module's HTTP filter config init function to
+                        select the appropriate implementation.
+                        If not specified, defaults to an empty string.
+                      maxLength: 253
+                      type: string
+                    name:
+                      description: |-
+                        Name references a dynamic module registered in the EnvoyProxy resource's
+                        dynamicModules list. The referenced module must exist in the registry;
+                        otherwise, the policy will be rejected.
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$
+                      type: string
+                    terminalFilter:
+                      default: false
+                      description: |-
+                        TerminalFilter indicates that this dynamic module handles requests without
+                        requiring an upstream backend. The module is responsible for generating and
+                        sending the response to downstream directly.
+                        Defaults to false.
+                      type: boolean
+                  required:
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
               extProc:
                 description: |-
                   ExtProc is an ordered list of external processing filters