From 50c998e74d82b4d62804534b3176269a7e81028d Mon Sep 17 00:00:00 2001 From: Jesse Haka Date: Tue, 20 Feb 2024 21:22:44 +0200 Subject: [PATCH 01/17] add authorisation api spec Signed-off-by: Jesse Haka --- api/v1alpha1/authorization_types.go | 54 ++++++++ api/v1alpha1/securitypolicy_types.go | 5 + .../validation/securitypolicy_validate.go | 34 ++++- .../securitypolicy_validate_test.go | 122 +++++++++++++++++- api/v1alpha1/zz_generated.deepcopy.go | 74 +++++++++++ ...ateway.envoyproxy.io_securitypolicies.yaml | 43 ++++++ site/content/en/latest/api/extension_types.md | 61 +++++++++ 7 files changed, 388 insertions(+), 5 deletions(-) create mode 100644 api/v1alpha1/authorization_types.go diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go new file mode 100644 index 0000000000..20b9104bf6 --- /dev/null +++ b/api/v1alpha1/authorization_types.go 
@@ -0,0 +1,54 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// Authorization defines the authorization configuration.
+type Authorization struct {
+	// Rules contains all the authorization rules.
+	//
+	// +kubebuilder:validation:MinItems=1
+	Rules []Rule `json:"rules,omitempty"`
+}
+
+// Rule defines the single authorization rule.
+type Rule struct {
+	// Subjects contains the subject configuration.
+	// If empty, all subjects are included.
+	//
+	// +optional
+	Subjects []Subject `json:"subjects,omitempty"`
+
+	// Permissions contains allowed HTTP methods.
+	// If empty, all methods are matching.
+	//
+	// +optional
+	Permissions []string `json:"permissions,omitempty"`
+
+	// Action defines the action to be taken if the rule matches.
+	Action RuleActionType `json:"action"`
+}
+
+// Subject contains the subject configuration.
+type Subject struct {
+	// ClientCIDR contains client cidr configuration.
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	//
+	// +optional
+	ClientCIDR *string `json:"clientCIDR,omitempty"`
+}
+
+// RuleActionType specifies the types of authorization rule action.
+// +kubebuilder:validation:Enum=Allow;Deny;Log
+type RuleActionType string
+
+const (
+	// Allow is the action to allow the request.
+	Allow RuleActionType = "Allow"
+	// Deny is the action to deny the request.
+	Deny RuleActionType = "Deny"
+	// Log is the action to log the request.
+	Log RuleActionType = "Log"
+)
diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
index 85c0b21892..74e3b2ca5a 100644
--- a/api/v1alpha1/securitypolicy_types.go
+++ b/api/v1alpha1/securitypolicy_types.go
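Review bot: The type never states what happens to a request that matches no rule, and that default (allow vs. deny) is the single most important property of this API; add it to the Rules doc comment, e.g. `// Requests that match no rule are denied.` (or allowed, whichever the implementation does — no translator code is in this patch to confirm). `Rules []Rule \`json:"rules,omitempty"\`` carries omitempty while the marker above demands MinItems=1; either drop omitempty or make the field a pointer so the CRD schema and the Go encoding agree. `Permissions []string` is documented as HTTP methods but nothing constrains the values — a `+kubebuilder:validation:Enum` of the method names, or at least an item pattern, would reject a typo like `GETT` at admission time instead of letting it silently never match. The `Log` action is also undefined with respect to allow/deny; say whether a matching Log rule terminates evaluation.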
@@ -69,6 +69,11 @@ type SecurityPolicySpec struct {
 	//
 	// +optional
 	ExtAuth *ExtAuth `json:"extAuth,omitempty"`
+
+	// Authorization defines the authorization configuration.
+	//
+	// +optional
+	Authorization *Authorization `json:"authorization,omitempty"`
 }
 
 //+kubebuilder:object:root=true
diff --git a/api/v1alpha1/validation/securitypolicy_validate.go b/api/v1alpha1/validation/securitypolicy_validate.go
index 628d3f8017..5f40b252e5 100644
--- a/api/v1alpha1/validation/securitypolicy_validate.go
+++ b/api/v1alpha1/validation/securitypolicy_validate.go
@@ -8,6 +8,7 @@ package validation
 import (
 	"errors"
 	"fmt"
+	"net"
 	"net/mail"
 	"net/url"
 
@@ -24,7 +25,7 @@ func ValidateSecurityPolicy(policy *egv1a1.SecurityPolicy) error {
 		return errors.New("policy is nil")
 	}
 	if err := validateSecurityPolicySpec(&policy.Spec); err != nil {
-		errs = append(errs, errors.New("policy is nil"))
+		errs = append(errs, err)
 	}
 
 	return utilerrors.NewAggregate(errs)
@@ -42,6 +43,8 @@ func validateSecurityPolicySpec(spec *egv1a1.SecurityPolicySpec) error {
 		sum++
 	case spec.JWT != nil:
 		sum++
+	case spec.Authorization != nil:
+		sum++
 	}
 	if sum == 0 {
 		errs = append(errs, errors.New("no security policy is specified"))
@@ -52,13 +55,40 @@ func validateSecurityPolicySpec(spec *egv1a1.SecurityPolicySpec) error {
 		return utilerrors.NewAggregate(errs)
 	}
 
-	if err := ValidateJWTProvider(spec.JWT.Providers); err != nil {
+	if spec.JWT != nil {
+		if err := ValidateJWTProvider(spec.JWT.Providers); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	if err := ValidateAuthorization(spec.Authorization); err != nil {
 		errs = append(errs, err)
 	}
 
 	return utilerrors.NewAggregate(errs)
 }
 
+// ValidateAuthorization validates the provided Authorisation configuration.
+func ValidateAuthorization(as *egv1a1.Authorization) error {
+	var errs []error
+	if as == nil {
+		return nil
+	}
+
+	for _, rule := range as.Rules {
+		for _, subject := range rule.Subjects {
+			if subject.ClientCIDR != nil {
+				_, _, err := net.ParseCIDR(*subject.ClientCIDR)
+				if err != nil {
+					errs = append(errs, fmt.Errorf("invalid CIDR: %s", *subject.ClientCIDR))
+				}
+			}
+		}
+	}
+
+	return utilerrors.NewAggregate(errs)
+}
+
 // ValidateJWTProvider validates the provided JWT authentication configuration.
 func ValidateJWTProvider(providers []egv1a1.JWTProvider) error {
 	var errs []error
diff --git a/api/v1alpha1/validation/securitypolicy_validate_test.go b/api/v1alpha1/validation/securitypolicy_validate_test.go
index 489c7644f8..8bf286ac8b 100644
--- a/api/v1alpha1/validation/securitypolicy_validate_test.go
+++ b/api/v1alpha1/validation/securitypolicy_validate_test.go
@@ -8,12 +8,16 @@ package validation
 import (
 	"testing"
 
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 )
 
+func asPtr(s string) *string {
+	return &s
+}
+
 func TestValidateSecurityPolicy(t *testing.T) {
 	testCases := []struct {
 		name string
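Review bot: `net.ParseCIDR` accepts prefixes with host bits set, so `10.0.0.5/24` passes `ValidateAuthorization` and is then interpreted as the whole 10.0.0.0/24 — an author who meant a single host silently grants a subnet; compare the parsed IP with the network address and reject the mismatch. The `fmt.Errorf` also discards the parse error and prints the input with `%s`; `%q` and `%w` make an empty or whitespace-laden value visible in the status message. Nothing here checks `rule.Permissions` (documented as HTTP methods) or that a rule sets at least one of Subjects/Permissions, so a rule with both empty matches every request; either validate that or state it as intended. `validateSecurityPolicySpec` starts before this hunk.
```go
// … unchanged: nil check and range over as.Rules / rule.Subjects …
			if subject.ClientCIDR == nil {
				continue
			}
			ip, ipNet, err := net.ParseCIDR(*subject.ClientCIDR)
			if err != nil {
				errs = append(errs, fmt.Errorf("invalid CIDR %q: %w", *subject.ClientCIDR, err))
				continue
			}
			// Reject host bits set (e.g. 10.0.0.5/24): the proxy would match the
			// whole network, which is rarely what the policy author intended.
			if !ip.Equal(ipNet.IP) {
				errs = append(errs, fmt.Errorf("invalid CIDR %q: host bits set, did you mean %s", *subject.ClientCIDR, ipNet))
			}
// … unchanged: return utilerrors.NewAggregate(errs) …
```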
@@ -463,6 +467,118 @@ func TestValidateSecurityPolicy(t *testing.T) { }, expected: true, }, + { + name: "authorisation with valid ipv4 cidr", + policy: &egv1a1.SecurityPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindSecurityPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.SecurityPolicySpec{ + Authorization: &egv1a1.Authorization{ + Rules: []egv1a1.Rule{ + { + Subjects: []egv1a1.Subject{ + { + ClientCIDR: asPtr("192.168.1.0/24"), + }, + }, + Action: egv1a1.Allow, + }, + }, + }, + }, + }, + expected: true, + }, + { + name: "authorisation with valid ipv6 cidr", + policy: &egv1a1.SecurityPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindSecurityPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.SecurityPolicySpec{ + Authorization: &egv1a1.Authorization{ + Rules: []egv1a1.Rule{ + { + Subjects: []egv1a1.Subject{ + { + ClientCIDR: asPtr("2001:db8::/64"), + }, + }, + Action: egv1a1.Allow, + }, + }, + }, + }, + }, + expected: true, + }, + { + name: "authorisation with invalid ipv4 cidr", + policy: &egv1a1.SecurityPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindSecurityPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.SecurityPolicySpec{ + Authorization: &egv1a1.Authorization{ + Rules: []egv1a1.Rule{ + { + Subjects: []egv1a1.Subject{ + { + ClientCIDR: asPtr("192.168.1.001/24"), + }, + }, + Action: egv1a1.Allow, + }, + }, + }, + }, + }, + expected: false, + }, + { + name: "authorisation with invalid ipv6 cidr", + policy: &egv1a1.SecurityPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindSecurityPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.SecurityPolicySpec{ + 
Authorization: &egv1a1.Authorization{ + Rules: []egv1a1.Rule{ + { + Subjects: []egv1a1.Subject{ + { + ClientCIDR: asPtr("2001:dffoob8::/64"), + }, + }, + Action: egv1a1.Allow, + }, + }, + }, + }, + }, + expected: false, + }, } for i := range testCases { @@ -470,9 +586,9 @@ func TestValidateSecurityPolicy(t *testing.T) { t.Run(tc.name, func(t *testing.T) { err := ValidateSecurityPolicy(tc.policy) if tc.expected { - require.NoError(t, err) + assert.NoError(t, err) } else { - require.Error(t, err) + assert.Error(t, err) } }) } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index c3d53f443b..05c2d611ac 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -151,6 +151,28 @@ func (in *ActiveHealthCheckPayload) DeepCopy() *ActiveHealthCheckPayload { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Authorization) DeepCopyInto(out *Authorization) { + *out = *in + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]Rule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authorization. +func (in *Authorization) DeepCopy() *Authorization { + if in == nil { + return nil + } + out := new(Authorization) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackOffPolicy) DeepCopyInto(out *BackOffPolicy) { *out = *in 
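Review bot: The new cases only exercise CIDR syntax; there is no case for a prefix with host bits set (`10.0.0.5/24`, which `net.ParseCIDR` accepts), for an empty `Rules` list (`MinItems=1` is a CRD marker and is not enforced by `ValidateAuthorization`), or for a `Deny` rule, so the validator's security-relevant edges remain untested. Switching the loop from `require` to `assert` lets a failing case continue into later assertions of the same subtest — harmless here, but a departure from the file's existing convention; keep `require` unless there is a reason for the change. `TestValidateSecurityPolicy` starts before this hunk.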
@@ -3806,6 +3828,33 @@ func (in *RetryOn) DeepCopy() *RetryOn { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Rule) DeepCopyInto(out *Rule) { + *out = *in + if in.Subjects != nil { + in, out := &in.Subjects, &out.Subjects + *out = make([]Subject, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Permissions != nil { + in, out := &in.Permissions, &out.Permissions + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. +func (in *Rule) DeepCopy() *Rule { + if in == nil { + return nil + } + out := new(Rule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecurityPolicy) DeepCopyInto(out *SecurityPolicy) { *out = *in @@ -3894,6 +3943,11 @@ func (in *SecurityPolicySpec) DeepCopyInto(out *SecurityPolicySpec) { *out = new(ExtAuth) (*in).DeepCopyInto(*out) } + if in.Authorization != nil { + in, out := &in.Authorization, &out.Authorization + *out = new(Authorization) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityPolicySpec. 
@@ -3991,6 +4045,26 @@ func (in *StringMatch) DeepCopy() *StringMatch { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Subject) DeepCopyInto(out *Subject) { + *out = *in + if in.ClientCIDR != nil { + in, out := &in.ClientCIDR, &out.ClientCIDR + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject. +func (in *Subject) DeepCopy() *Subject { + if in == nil { + return nil + } + out := new(Subject) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TCPActiveHealthChecker) DeepCopyInto(out *TCPActiveHealthChecker) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 2758a9c252..067ada339e 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -49,6 +49,49 @@ spec: spec: description: Spec defines the desired state of SecurityPolicy. properties: + authorization: + description: Authorization defines the authorization configuration. + properties: + rules: + description: Rules contains all the authorization rules. + items: + description: Rule defines the single authorization rule. + properties: + action: + description: Action defines the action to be taken if the + rule matches. + enum: + - Allow + - Deny + - Log + type: string + permissions: + description: |- + Permissions contains allowed HTTP methods. + If empty, all methods are matching. + items: + type: string + type: array + subjects: + description: |- + Subjects contains the subject configuration. + If empty, all subjects are included. + items: + description: Subject contains the subject configuration. + properties: + clientCIDR: + description: |- + ClientCIDR contains client cidr configuration. + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + type: object + type: array + required: + - action + type: object + minItems: 1 + type: array + type: object basicAuth: description: BasicAuth defines the configuration for the HTTP Basic Authentication. diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index d485100eab..45dd4fa071 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -171,6 +171,20 @@ _Appears in:_ | `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.
| +#### Authorization + + + +Authorization defines the authorization configuration. + +_Appears in:_ +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules. | + + #### BackOffPolicy @@ -2865,6 +2879,38 @@ _Appears in:_ | `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. | +#### Rule + + + +Rule defines the single authorization rule. + +_Appears in:_ +- [Authorization](#authorization) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `subjects` | _[Subject](#subject) array_ | false | Subjects contains the subject configuration.
If empty, all subjects are included. | +| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. | +| `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. | + + +#### RuleActionType + +_Underlying type:_ _string_ + +RuleActionType specifies the types of authorization rule action. + +_Appears in:_ +- [Rule](#rule) + +| Value | Description | +| ----- | ----------- | +| `Allow` | Allow is the action to allow the request.
| +| `Deny` | Deny is the action to deny the request.
| +| `Log` | Log is the action to log the request.
| + + #### SecurityPolicy @@ -2916,6 +2962,7 @@ _Appears in:_ | `jwt` | _[JWT](#jwt)_ | false | JWT defines the configuration for JSON Web Token (JWT) authentication. | | `oidc` | _[OIDC](#oidc)_ | false | OIDC defines the configuration for the OpenID Connect (OIDC) authentication. | | `extAuth` | _[ExtAuth](#extauth)_ | false | ExtAuth defines the configuration for External Authorization. | +| `authorization` | _[Authorization](#authorization)_ | false | Authorization defines the authorization configuration. | #### ServiceExternalTrafficPolicy @@ -3032,6 +3079,20 @@ _Appears in:_ | `RegularExpression` | StringMatchRegularExpression :The input string must match the regular expression
specified in the match value.
The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| +#### Subject + + + +Subject contains the subject configuration. + +_Appears in:_ +- [Rule](#rule) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `clientCIDR` | _string_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | + + #### TCPActiveHealthChecker From 9c55f248d690865244623ee06b3fb958d548fb39 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Wed, 8 May 2024 14:39:56 -0700 Subject: [PATCH 02/17] add comments Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 20 ++- .../validation/securitypolicy_validate.go | 34 +---- .../securitypolicy_validate_test.go | 122 +----------------- api/v1alpha1/zz_generated.deepcopy.go | 36 ++++-- ...ateway.envoyproxy.io_securitypolicies.yaml | 45 ++++--- site/content/en/latest/api/extension_types.md | 24 +++- 6 files changed, 92 insertions(+), 189 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 20b9104bf6..7e2fc7f498 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -8,6 +8,8 @@ package v1alpha1 // Authorization defines the authorization configuration. type Authorization struct { // Rules contains all the authorization rules. + // Rules are evaluated in order, the first matching rule will be applied, + // and the rest will be skipped. // // +kubebuilder:validation:MinItems=1 Rules []Rule `json:"rules,omitempty"` 
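Review bot: With first-match semantics now documented, the comment still leaves unstated what a policy author most needs: what happens when no rule matches, and what `Log` does to evaluation — if a `Log` rule matches first, "the rest will be skipped" implies later `Deny` rules are never reached, which turns a logging rule into an implicit allow. Spell both out, e.g. `// If no rule matches, the request is denied.` and, on `Log`, whether it terminates evaluation or only annotates the request. The `omitempty` on `Rules` still conflicts with the `MinItems=1` marker directly above it.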
@@ -15,20 +17,26 @@ type Authorization struct {
 
 // Rule defines the single authorization rule.
 type Rule struct {
-	// Subjects contains the subject configuration.
+	// Action defines the action to be taken if the rule matches.
+	Action RuleActionType `json:"action"`
+
+	// Policies contains the list of authorization policies.
+	Policies []Policy `json:"policies"`
+}
+
+// Policy defines the authorization policy.
+type Policy struct {
+	// Subject contains the subject configuration.
 	// If empty, all subjects are included.
 	//
 	// +optional
-	Subjects []Subject `json:"subjects,omitempty"`
+	Subject Subject `json:"subjects,omitempty"`
 
 	// Permissions contains allowed HTTP methods.
 	// If empty, all methods are matching.
 	//
 	// +optional
 	Permissions []string `json:"permissions,omitempty"`
-
-	// Action defines the action to be taken if the rule matches.
-	Action RuleActionType `json:"action"`
 }
 
 // Subject contains the subject configuration.
@@ -37,7 +45,7 @@ type Subject struct {
 	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
 	//
 	// +optional
-	ClientCIDR *string `json:"clientCIDR,omitempty"`
+	ClientCIDR []string `json:"clientCIDR,omitempty"`
 }
 
 // RuleActionType specifies the types of authorization rule action.
diff --git a/api/v1alpha1/validation/securitypolicy_validate.go b/api/v1alpha1/validation/securitypolicy_validate.go
index 5f40b252e5..628d3f8017 100644
--- a/api/v1alpha1/validation/securitypolicy_validate.go
+++ b/api/v1alpha1/validation/securitypolicy_validate.go
@@ -8,7 +8,6 @@ package validation
 import (
 	"errors"
 	"fmt"
-	"net"
 	"net/mail"
 	"net/url"
 
@@ -25,7 +24,7 @@ func ValidateSecurityPolicy(policy *egv1a1.SecurityPolicy) error {
 		return errors.New("policy is nil")
 	}
 	if err := validateSecurityPolicySpec(&policy.Spec); err != nil {
-		errs = append(errs, err)
+		errs = append(errs, errors.New("policy is nil"))
 	}
 
 	return utilerrors.NewAggregate(errs)
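Review bot: `Subject Subject \`json:"subjects,omitempty"\`` is a value struct, so `omitempty` has no effect in encoding/json (a struct is never considered empty) and every serialized Policy will carry a `subjects` object; make it `*Subject` or drop the marker, and rename the tag to `subject` since it is no longer a list. `ClientCIDR []string` keeps a singular tag for what is now a list; `clientCIDRs`, matching the plural style of `policies`/`permissions`, avoids confusion in YAML. Neither field has any CRD-level validation (no pattern, no MinItems), which matters more now that this same commit deletes the webhook-side CIDR check.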
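Review bot: The `-25,7 +24,7` hunk reverts the previous commit's fix and again appends `errors.New("policy is nil")` in place of the error returned by `validateSecurityPolicySpec`, so every spec-level validation failure is reported to the user as "policy is nil" and the real reason is lost; keep `errs = append(errs, err)`. If this came from a rebase, the conflict resolution picked the wrong side. `ValidateSecurityPolicy` starts before this hunk.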
@@ -43,8 +42,6 @@ func validateSecurityPolicySpec(spec *egv1a1.SecurityPolicySpec) error {
 		sum++
 	case spec.JWT != nil:
 		sum++
-	case spec.Authorization != nil:
-		sum++
 	}
 	if sum == 0 {
 		errs = append(errs, errors.New("no security policy is specified"))
@@ -55,40 +52,13 @@ func validateSecurityPolicySpec(spec *egv1a1.SecurityPolicySpec) error {
 		return utilerrors.NewAggregate(errs)
 	}
 
-	if spec.JWT != nil {
-		if err := ValidateJWTProvider(spec.JWT.Providers); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	if err := ValidateAuthorization(spec.Authorization); err != nil {
+	if err := ValidateJWTProvider(spec.JWT.Providers); err != nil {
 		errs = append(errs, err)
 	}
 
 	return utilerrors.NewAggregate(errs)
 }
 
-// ValidateAuthorization validates the provided Authorisation configuration.
-func ValidateAuthorization(as *egv1a1.Authorization) error {
-	var errs []error
-	if as == nil {
-		return nil
-	}
-
-	for _, rule := range as.Rules {
-		for _, subject := range rule.Subjects {
-			if subject.ClientCIDR != nil {
-				_, _, err := net.ParseCIDR(*subject.ClientCIDR)
-				if err != nil {
-					errs = append(errs, fmt.Errorf("invalid CIDR: %s", *subject.ClientCIDR))
-				}
-			}
-		}
-	}
-
-	return utilerrors.NewAggregate(errs)
-}
-
 // ValidateJWTProvider validates the provided JWT authentication configuration.
 func ValidateJWTProvider(providers []egv1a1.JWTProvider) error {
 	var errs []error
diff --git a/api/v1alpha1/validation/securitypolicy_validate_test.go b/api/v1alpha1/validation/securitypolicy_validate_test.go
index 8bf286ac8b..489c7644f8 100644
--- a/api/v1alpha1/validation/securitypolicy_validate_test.go
+++ b/api/v1alpha1/validation/securitypolicy_validate_test.go
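Review bot: Removing `ValidateAuthorization` leaves `ClientCIDR` entries entirely unchecked — the CRD has no pattern for them and this function was the only parser — so a malformed prefix now surfaces, if at all, only when the policy is translated; keep a validator adapted to the new shape, e.g. `for _, cidr := range policy.Subject.ClientCIDR { if _, _, err := net.ParseCIDR(cidr); err != nil { errs = append(errs, fmt.Errorf("invalid CIDR %q: %w", cidr, err)) } }`. The second hunk also drops the `spec.JWT != nil` guard, so `spec.JWT.Providers` is dereferenced for a policy that set a different field; unless the lines between the two hunks (not shown) return early, that is a nil-pointer panic in the admission path. Dropping `spec.Authorization` from the `sum` switch means an Authorization-only policy is now rejected as "no security policy is specified", which may be intended while the feature is unimplemented but deserves a sentence in the commit message. `validateSecurityPolicySpec` starts before the first hunk.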
@@ -8,16 +8,12 @@ package validation import ( "testing" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) -func asPtr(s string) *string { - return &s -} - func TestValidateSecurityPolicy(t *testing.T) { testCases := []struct { name string 
@@ -467,118 +463,6 @@ func TestValidateSecurityPolicy(t *testing.T) { }, expected: true, }, - { - name: "authorisation with valid ipv4 cidr", - policy: &egv1a1.SecurityPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.SecurityPolicySpec{ - Authorization: &egv1a1.Authorization{ - Rules: []egv1a1.Rule{ - { - Subjects: []egv1a1.Subject{ - { - ClientCIDR: asPtr("192.168.1.0/24"), - }, - }, - Action: egv1a1.Allow, - }, - }, - }, - }, - }, - expected: true, - }, - { - name: "authorisation with valid ipv6 cidr", - policy: &egv1a1.SecurityPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.SecurityPolicySpec{ - Authorization: &egv1a1.Authorization{ - Rules: []egv1a1.Rule{ - { - Subjects: []egv1a1.Subject{ - { - ClientCIDR: asPtr("2001:db8::/64"), - }, - }, - Action: egv1a1.Allow, - }, - }, - }, - }, - }, - expected: true, - }, - { - name: "authorisation with invalid ipv4 cidr", - policy: &egv1a1.SecurityPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.SecurityPolicySpec{ - Authorization: &egv1a1.Authorization{ - Rules: []egv1a1.Rule{ - { - Subjects: []egv1a1.Subject{ - { - ClientCIDR: asPtr("192.168.1.001/24"), - }, - }, - Action: egv1a1.Allow, - }, - }, - }, - }, - }, - expected: false, - }, - { - name: "authorisation with invalid ipv6 cidr", - policy: &egv1a1.SecurityPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.SecurityPolicySpec{ - 
Authorization: &egv1a1.Authorization{ - Rules: []egv1a1.Rule{ - { - Subjects: []egv1a1.Subject{ - { - ClientCIDR: asPtr("2001:dffoob8::/64"), - }, - }, - Action: egv1a1.Allow, - }, - }, - }, - }, - }, - expected: false, - }, } for i := range testCases { @@ -586,9 +470,9 @@ func TestValidateSecurityPolicy(t *testing.T) { t.Run(tc.name, func(t *testing.T) { err := ValidateSecurityPolicy(tc.policy) if tc.expected { - assert.NoError(t, err) + require.NoError(t, err) } else { - assert.Error(t, err) + require.Error(t, err) } }) } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 05c2d611ac..efcb7410cd 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3119,6 +3119,27 @@ func (in *PerRetryPolicy) DeepCopy() *PerRetryPolicy { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + in.Subject.DeepCopyInto(&out.Subject) + if in.Permissions != nil { + in, out := &in.Permissions, &out.Permissions + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProcessingModeOptions) DeepCopyInto(out *ProcessingModeOptions) { *out = *in 
@@ -3831,18 +3852,13 @@ func (in *RetryOn) DeepCopy() *RetryOn { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Rule) DeepCopyInto(out *Rule) { *out = *in - if in.Subjects != nil { - in, out := &in.Subjects, &out.Subjects - *out = make([]Subject, len(*in)) + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]Policy, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.Permissions != nil { - in, out := &in.Permissions, &out.Permissions - *out = make([]string, len(*in)) - copy(*out, *in) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. @@ -4050,8 +4066,8 @@ func (in *Subject) DeepCopyInto(out *Subject) { *out = *in if in.ClientCIDR != nil { in, out := &in.ClientCIDR, &out.ClientCIDR - *out = new(string) - **out = **in + *out = make([]string, len(*in)) + copy(*out, *in) } } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 067ada339e..14fdb8a7b9 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -53,7 +53,10 @@ spec: description: Authorization defines the authorization configuration. properties: rules: - description: Rules contains all the authorization rules. + description: |- + Rules contains all the authorization rules. + Rules are evaluated in order, the first matching rule will be applied, + and the rest will be skipped. items: description: Rule defines the single authorization rule. properties: 
@@ -65,29 +68,37 @@ spec: - Deny - Log type: string - permissions: - description: |- - Permissions contains allowed HTTP methods. - If empty, all methods are matching. - items: - type: string - type: array - subjects: - description: |- - Subjects contains the subject configuration. - If empty, all subjects are included. + policies: + description: Policies contains the list of authorization + policies. items: - description: Subject contains the subject configuration. + description: Policy defines the authorization policy. properties: - clientCIDR: + permissions: description: |- - ClientCIDR contains client cidr configuration. - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - type: string + Permissions contains allowed HTTP methods. + If empty, all methods are matching. + items: + type: string + type: array + subjects: + description: |- + Subject contains the subject configuration. + If empty, all subjects are included. + properties: + clientCIDR: + description: |- + ClientCIDR contains client cidr configuration. + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + items: + type: string + type: array + type: object type: object type: array required: - action + - policies type: object minItems: 1 type: array diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 45dd4fa071..3016678248 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -182,7 +182,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules. | +| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped. | #### BackOffPolicy @@ -2248,6 +2248,21 @@ _Appears in:_ | `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | +#### Policy + + + +Policy defines the authorization policy. + +_Appears in:_ +- [Rule](#rule) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject configuration.
If empty, all subjects are included. | +| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. | + + #### ProcessingModeOptions @@ -2890,9 +2905,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `subjects` | _[Subject](#subject) array_ | false | Subjects contains the subject configuration.
If empty, all subjects are included. | -| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. | | `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. | +| `policies` | _[Policy](#policy) array_ | true | Policies contains the list of authorization policies. | #### RuleActionType @@ -3086,11 +3100,11 @@ _Appears in:_ Subject contains the subject configuration. _Appears in:_ -- [Rule](#rule) +- [Policy](#policy) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `clientCIDR` | _string_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | +| `clientCIDR` | _string array_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | #### TCPActiveHealthChecker From 9e13737c8d137ddb9f6afeaba0ed57609d1720ed Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 9 May 2024 11:24:54 -0700 Subject: [PATCH 03/17] Remove permission in the first run Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 2 +- api/v1alpha1/securitypolicy_types.go | 1 + api/v1alpha1/zz_generated.deepcopy.go | 5 ----- .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 7 ------- site/content/en/latest/api/extension_types.md | 2 -- 5 files changed, 2 insertions(+), 15 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 7e2fc7f498..fa3720cfec 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -36,7 +36,7 @@ type Policy struct { // If empty, all methods are matching. // // +optional - Permissions []string `json:"permissions,omitempty"` + // Permissions []string `json:"permissions,omitempty"` } // Subject contains the subject configuration. diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go index 74e3b2ca5a..a20e31e16f 100644 --- a/api/v1alpha1/securitypolicy_types.go +++ b/api/v1alpha1/securitypolicy_types.go @@ -73,6 +73,7 @@ type SecurityPolicySpec struct { // Authorization defines the authorization configuration. // // +optional + // +notImplementedHide Authorization *Authorization `json:"authorization,omitempty"` } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index efcb7410cd..b4bd818a6d 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
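Review bot: `+notImplementedHide` removes `authorization` from the generated docs, but the CRD schema touched in this same commit still accepts the field, so a user can apply a SecurityPolicy with `authorization` rules and get neither an error nor any enforcement — a silently ignored authorization policy is worse than a rejected one. Until the translator lands, either keep the field out of the CRD or reject it explicitly in `validateSecurityPolicySpec`, e.g. `if spec.Authorization != nil { return errors.New("authorization is not implemented yet") }`. In `authorization_types.go`, commenting out `Permissions` leaves an orphaned doc comment and `+optional` marker above no field; delete the whole stanza rather than leaving it as a comment. `Policy` continues past the end of the hunk.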
@@ -3123,11 +3123,6 @@ func (in *PerRetryPolicy) DeepCopy() *PerRetryPolicy { func (in *Policy) DeepCopyInto(out *Policy) { *out = *in in.Subject.DeepCopyInto(&out.Subject) - if in.Permissions != nil { - in, out := &in.Permissions, &out.Permissions - *out = make([]string, len(*in)) - copy(*out, *in) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 14fdb8a7b9..f3be6180b2 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -74,13 +74,6 @@ spec: items: description: Policy defines the authorization policy. properties: - permissions: - description: |- - Permissions contains allowed HTTP methods. - If empty, all methods are matching. - items: - type: string - type: array subjects: description: |- Subject contains the subject configuration. diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 3016678248..f0e2203add 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2260,7 +2260,6 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `subjects` | _[Subject](#subject)_ | false | Subject contains the subject configuration.
If empty, all subjects are included. | -| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. | #### ProcessingModeOptions @@ -2976,7 +2975,6 @@ _Appears in:_ | `jwt` | _[JWT](#jwt)_ | false | JWT defines the configuration for JSON Web Token (JWT) authentication. | | `oidc` | _[OIDC](#oidc)_ | false | OIDC defines the configuration for the OpenID Connect (OIDC) authentication. | | `extAuth` | _[ExtAuth](#extauth)_ | false | ExtAuth defines the configuration for External Authorization. | -| `authorization` | _[Authorization](#authorization)_ | false | Authorization defines the authorization configuration. | #### ServiceExternalTrafficPolicy From bbd2999a47dc6cfc8382898e8afcfc4468322d92 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 9 May 2024 12:14:42 -0700 Subject: [PATCH 04/17] Move subject and permission to Rule Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 6 ---- api/v1alpha1/zz_generated.deepcopy.go | 24 +------------ ...ateway.envoyproxy.io_securitypolicies.yaml | 35 +++++++------------ site/content/en/latest/api/extension_types.md | 18 ++-------- 4 files changed, 16 insertions(+), 67 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index fa3720cfec..f064985a9d 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -20,12 +20,6 @@ type Rule struct { // Action defines the action to be taken if the rule matches. Action RuleActionType `json:"action"` - // Policies contains the list of authorization policies. - Policies []Policy `json:"policies"` -} - -// Policy defines the authorization policy. -type Policy struct { // Subject contains the subject configuration. // If empty, all subjects are included. // diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index b4bd818a6d..ea4a3a5b3b 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
@@ -3119,22 +3119,6 @@ func (in *PerRetryPolicy) DeepCopy() *PerRetryPolicy { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Policy) DeepCopyInto(out *Policy) { - *out = *in - in.Subject.DeepCopyInto(&out.Subject) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. -func (in *Policy) DeepCopy() *Policy { - if in == nil { - return nil - } - out := new(Policy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProcessingModeOptions) DeepCopyInto(out *ProcessingModeOptions) { *out = *in @@ -3847,13 +3831,7 @@ func (in *RetryOn) DeepCopy() *RetryOn { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Rule) DeepCopyInto(out *Rule) { *out = *in - if in.Policies != nil { - in, out := &in.Policies, &out.Policies - *out = make([]Policy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } + in.Subject.DeepCopyInto(&out.Subject) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index f3be6180b2..70eb6381b0 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -68,30 +68,21 @@ spec: - Deny - Log type: string - policies: - description: Policies contains the list of authorization - policies. - items: - description: Policy defines the authorization policy. - properties: - subjects: - description: |- - Subject contains the subject configuration. - If empty, all subjects are included. - properties: - clientCIDR: - description: |- - ClientCIDR contains client cidr configuration. - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - items: - type: string - type: array - type: object - type: object - type: array + subjects: + description: |- + Subject contains the subject configuration. + If empty, all subjects are included. + properties: + clientCIDR: + description: |- + ClientCIDR contains client cidr configuration. + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + items: + type: string + type: array + type: object required: - action - - policies type: object minItems: 1 type: array diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index f0e2203add..bb79768490 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2248,20 +2248,6 @@ _Appears in:_ | `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | -#### Policy - - - -Policy defines the authorization policy. - -_Appears in:_ -- [Rule](#rule) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject configuration.
If empty, all subjects are included. | - - #### ProcessingModeOptions @@ -2905,7 +2891,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. | -| `policies` | _[Policy](#policy) array_ | true | Policies contains the list of authorization policies. | +| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject configuration.
If empty, all subjects are included. | #### RuleActionType @@ -3098,7 +3084,7 @@ _Appears in:_ Subject contains the subject configuration. _Appears in:_ -- [Policy](#policy) +- [Rule](#rule) | Field | Type | Required | Description | | --- | --- | --- | --- | From a7c0006801b0ef70d727af4fefbfa261d3b50104 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 9 May 2024 15:16:47 -0700 Subject: [PATCH 05/17] remove log action Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 17 +++++++++++------ .../gateway.envoyproxy.io_securitypolicies.yaml | 16 +++++++++++++--- site/content/en/latest/api/extension_types.md | 5 ++--- 3 files changed, 26 insertions(+), 12 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index f064985a9d..31e4eb348f 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -11,8 +11,15 @@ type Authorization struct { // Rules are evaluated in order, the first matching rule will be applied, // and the rest will be skipped. // + // For example, if there are two rules, the first rule allows the request, + // and the second rule denies the request, the request will be allowed. + // If the first rule denies the request, and the second rule allows it, + // the request will be denied. + // + // If no rules match, the request will be denied. + // // +kubebuilder:validation:MinItems=1 - Rules []Rule `json:"rules,omitempty"` + Rules []Rule `json:"rules"` } // Rule defines the single authorization rule. @@ -20,8 +27,8 @@ type Rule struct { // Action defines the action to be taken if the rule matches. Action RuleActionType `json:"action"` - // Subject contains the subject configuration. - // If empty, all subjects are included. + // Subject contains the subject of the rule. + // If empty, all subjects are matching. // // +optional Subject Subject `json:"subjects,omitempty"` 
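Review bot: `omitempty` on the struct-valued `Subject Subject` field is a no-op in encoding/json (it elides only zero scalars, nil pointers and empty slices or maps), so the tag does not express the optionality the `+optional` marker claims. Together with the new wording "If empty, all subjects are matching" and the first-match-wins evaluation documented in the previous hunk, an Allow rule whose subject is omitted by mistake silently becomes an allow-all that shadows every later Deny rule. Either make absence representable with `Subject *Subject \`json:"subjects,omitempty"\``, or drop `+optional` and require a non-empty subject on every rule. The Rule struct starts outside the hunk.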
@@ -43,7 +50,7 @@ type Subject struct { } // RuleActionType specifies the types of authorization rule action. -// +kubebuilder:validation:Enum=Allow;Deny;Log +// +kubebuilder:validation:Enum=Allow;Deny type RuleActionType string const ( @@ -51,6 +58,4 @@ const ( Allow RuleActionType = "Allow" // Deny is the action to deny the request. Deny RuleActionType = "Deny" - // Log is the action to log the request. - Log RuleActionType = "Log" ) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 70eb6381b0..ee1435abe1 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -57,6 +57,15 @@ spec: Rules contains all the authorization rules. Rules are evaluated in order, the first matching rule will be applied, and the rest will be skipped. + + + For example, if there are two rules, the first rule allows the request, + and the second rule denies the request, the request will be allowed. + If the first rule denies the request, and the second rule allows it, + the request will be denied. + + + If no rules match, the request will be denied. items: description: Rule defines the single authorization rule. properties: @@ -66,12 +75,11 @@ spec: enum: - Allow - Deny - - Log type: string subjects: description: |- - Subject contains the subject configuration. - If empty, all subjects are included. + Subject contains the subject of the rule. + If empty, all subjects are matching. properties: clientCIDR: description: |- @@ -86,6 +94,8 @@ spec: type: object minItems: 1 type: array + required: + - rules type: object basicAuth: description: BasicAuth defines the configuration for the HTTP Basic diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index bb79768490..16fac65a9d 100644 
--- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -182,7 +182,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped. | +| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules, the first rule allows the request,
and the second rule denies the request, the request will be allowed.
If the first rule denies the request, and the second rule allows it,
the request will be denied.

If no rules match, the request will be denied. | #### BackOffPolicy @@ -2891,7 +2891,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. | -| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject configuration.
If empty, all subjects are included. | +| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject of the rule.
If empty, all subjects are matching. | #### RuleActionType @@ -2907,7 +2907,6 @@ _Appears in:_ | ----- | ----------- | | `Allow` | Allow is the action to allow the request.
| | `Deny` | Deny is the action to deny the request.
| -| `Log` | Log is the action to log the request.
| #### SecurityPolicy From 6ab725c5ab759553990029aee7215e02b39f5bcd Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 9 May 2024 15:55:49 -0700 Subject: [PATCH 06/17] add default action Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 16 +++++++------- api/v1alpha1/zz_generated.deepcopy.go | 5 +++++ ...ateway.envoyproxy.io_securitypolicies.yaml | 21 +++++++++++-------- site/content/en/latest/api/extension_types.md | 8 ++++--- 4 files changed, 30 insertions(+), 20 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 31e4eb348f..bc2537a257 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -16,10 +16,13 @@ type Authorization struct { // If the first rule denies the request, and the second rule allows it, // the request will be denied. // - // If no rules match, the request will be denied. - // - // +kubebuilder:validation:MinItems=1 + // +optional Rules []Rule `json:"rules"` + + // DefaultAction defines the default action to be taken if no rules match. + // If not specified, the default action is Deny. + // +optional + DefaultAction *RuleActionType `json:"defaultAction"` } // Rule defines the single authorization rule. @@ -28,9 +31,6 @@ type Rule struct { Action RuleActionType `json:"action"` // Subject contains the subject of the rule. - // If empty, all subjects are matching. - // - // +optional Subject Subject `json:"subjects,omitempty"` // Permissions contains allowed HTTP methods. @@ -45,8 +45,8 @@ type Subject struct { // ClientCIDR contains client cidr configuration. // Valid examples are "192.168.1.0/24" or "2001:db8::/64" // - // +optional - ClientCIDR []string `json:"clientCIDR,omitempty"` + // +kubebuilder:validation:MinItems=1 + ClientCIDR []string `json:"clientCIDR"` } // RuleActionType specifies the types of authorization rule action. 
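Review bot: `DefaultAction *RuleActionType \`json:"defaultAction"\`` is marked `+optional` but its tag lacks `omitempty`, so a nil pointer marshals as `"defaultAction": null` instead of being omitted, and the same now applies to `Rules []Rule \`json:"rules"\``. The rest of the API uses `omitempty` on optional fields (for example `Authorization *Authorization \`json:"authorization,omitempty"\`` in securitypolicy_types.go), so `json:"defaultAction,omitempty"` and `json:"rules,omitempty"` keep serialization consistent. Since the comment promises Deny when unset, a `// +kubebuilder:default=Deny` marker would make that fail-closed default visible in the CRD schema rather than only in translator code; the later hunks in this patch that make Subject and ClientCIDR required move in the same direction.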
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index ea4a3a5b3b..74131be480 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -161,6 +161,11 @@ func (in *Authorization) DeepCopyInto(out *Authorization) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.DefaultAction != nil { + in, out := &in.DefaultAction, &out.DefaultAction + *out = new(RuleActionType) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authorization. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index ee1435abe1..9a1c4451f4 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -52,6 +52,14 @@ spec: authorization: description: Authorization defines the authorization configuration. properties: + defaultAction: + description: |- + DefaultAction defines the default action to be taken if no rules match. + If not specified, the default action is Deny. + enum: + - Allow + - Deny + type: string rules: description: |- Rules contains all the authorization rules. @@ -63,9 +71,6 @@ spec: and the second rule denies the request, the request will be allowed. If the first rule denies the request, and the second rule allows it, the request will be denied. - - - If no rules match, the request will be denied. items: description: Rule defines the single authorization rule. properties: @@ -77,9 +82,7 @@ spec: - Deny type: string subjects: - description: |- - Subject contains the subject of the rule. - If empty, all subjects are matching. + description: Subject contains the subject of the rule. properties: clientCIDR: description: |- 
@@ -87,15 +90,15 @@ spec: Valid examples are "192.168.1.0/24" or "2001:db8::/64" items: type: string + minItems: 1 type: array + required: + - clientCIDR type: object required: - action type: object - minItems: 1 type: array - required: - - rules type: object basicAuth: description: BasicAuth defines the configuration for the HTTP Basic diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 16fac65a9d..a8ae61f676 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -182,7 +182,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules, the first rule allows the request,
and the second rule denies the request, the request will be allowed.
If the first rule denies the request, and the second rule allows it,
the request will be denied.

If no rules match, the request will be denied. | +| `rules` | _[Rule](#rule) array_ | false | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules, the first rule allows the request,
and the second rule denies the request, the request will be allowed.
If the first rule denies the request, and the second rule allows it,
the request will be denied. | +| `defaultAction` | _[RuleActionType](#ruleactiontype)_ | false | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. | #### BackOffPolicy @@ -2891,7 +2892,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. | -| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject of the rule.
If empty, all subjects are matching. | +| `subjects` | _[Subject](#subject)_ | true | Subject contains the subject of the rule. | #### RuleActionType @@ -2901,6 +2902,7 @@ _Underlying type:_ _string_ RuleActionType specifies the types of authorization rule action. _Appears in:_ +- [Authorization](#authorization) - [Rule](#rule) | Value | Description | @@ -3087,7 +3089,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `clientCIDR` | _string array_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | +| `clientCIDR` | _string array_ | true | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | #### TCPActiveHealthChecker From 6345f7b6d091f7532f530fe8bd25bac0405f9bf4 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 9 May 2024 16:54:32 -0700 Subject: [PATCH 07/17] add excluded client CIDR Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 13 ++++++++----- api/v1alpha1/zz_generated.deepcopy.go | 5 +++++ .../gateway.envoyproxy.io_securitypolicies.yaml | 15 +++++++++++---- site/content/en/latest/api/extension_types.md | 5 +++-- 4 files changed, 27 insertions(+), 11 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index bc2537a257..e73f9ec602 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -40,13 +40,16 @@ type Rule struct { // Permissions []string `json:"permissions,omitempty"` } -// Subject contains the subject configuration. +// Subject is the subject of the rule. +// +kubebuilder:validation:XValidation:rule="has(self.clientCIDR) || has(self.notClientCIDR)",message="subject must not be empty" type Subject struct { - // ClientCIDR contains client cidr configuration. + // ClientCIDR is the IP CIDR range of the client. // Valid examples are "192.168.1.0/24" or "2001:db8::/64" - // - // +kubebuilder:validation:MinItems=1 - ClientCIDR []string `json:"clientCIDR"` + ClientCIDR []string `json:"clientCIDR,omitempty"` + + // NotClientCIDR is the IP CIDR range of the client that should not match. + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + NotClientCIDR []string `json:"notClientCIDR,omitempty"` } // RuleActionType specifies the types of authorization rule action. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 74131be480..c95d911627 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
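Review bot: The new CEL rule `has(self.clientCIDR) || has(self.notClientCIDR)` checks only presence, and this hunk also drops `+kubebuilder:validation:MinItems=1` from ClientCIDR, so a subject written as `clientCIDR: []` is presumably accepted while matching no client; restoring `// +kubebuilder:validation:MinItems=1` on both list fields keeps the constraint the previous patch introduced. The comments also do not say how `ClientCIDR` and `NotClientCIDR` combine when both are set, which decides what an Allow rule admits, so the Subject comment should state it, e.g. `// When both are set, a client matches only if it is within ClientCIDR and not within NotClientCIDR.` (or whatever the translator implements). Neither field validates CIDR syntax; if an item-level `cidr` format constraint is available with the controller-gen version in use, malformed entries would be rejected at admission rather than at translation time.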
@@ -4047,6 +4047,11 @@ func (in *Subject) DeepCopyInto(out *Subject) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.NotClientCIDR != nil { + in, out := &in.NotClientCIDR, &out.NotClientCIDR + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 9a1c4451f4..ce5f64c18d 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -86,15 +86,22 @@ spec: properties: clientCIDR: description: |- - ClientCIDR contains client cidr configuration. + ClientCIDR is the IP CIDR range of the client. + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + items: + type: string + type: array + notClientCIDR: + description: |- + NotClientCIDR is the IP CIDR range of the client that should not match. Valid examples are "192.168.1.0/24" or "2001:db8::/64" items: type: string - minItems: 1 type: array - required: - - clientCIDR type: object + x-kubernetes-validations: + - message: subject must not be empty + rule: has(self.clientCIDR) || has(self.notClientCIDR) required: - action type: object diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index a8ae61f676..ba4fc0cec1 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -3082,14 +3082,15 @@ _Appears in:_ -Subject contains the subject configuration. +Subject is the subject of the rule. _Appears in:_ - [Rule](#rule) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `clientCIDR` | _string array_ | true | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | +| `clientCIDR` | _string array_ | true | ClientCIDR is the IP CIDR range of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | +| `notClientCIDR` | _string array_ | true | NotClientCIDR is the IP CIDR range of the client that should not match.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | #### TCPActiveHealthChecker From 7cf916d7d2d761dc5157af5dc709661c4276bb56 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 9 May 2024 17:08:06 -0700 Subject: [PATCH 08/17] hide api Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index e73f9ec602..2155bea0f5 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -6,6 +6,7 @@ package v1alpha1 // Authorization defines the authorization configuration. +// +notImplementedHide type Authorization struct { // Rules contains all the authorization rules. // Rules are evaluated in order, the first matching rule will be applied, @@ -26,6 +27,7 @@ type Authorization struct { } // Rule defines the single authorization rule. +// +notImplementedHide type Rule struct { // Action defines the action to be taken if the rule matches. Action RuleActionType `json:"action"` @@ -42,6 +44,7 @@ type Rule struct { // Subject is the subject of the rule. // +kubebuilder:validation:XValidation:rule="has(self.clientCIDR) || has(self.notClientCIDR)",message="subject must not be empty" +// +notImplementedHide type Subject struct { // ClientCIDR is the IP CIDR range of the client. // Valid examples are "192.168.1.0/24" or "2001:db8::/64" @@ -54,6 +57,7 @@ type Subject struct { // RuleActionType specifies the types of authorization rule action. // +kubebuilder:validation:Enum=Allow;Deny +// +notImplementedHide type RuleActionType string const ( From 03707b3461da2308980e6597202486633f7527ce Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 08:31:55 -0700 Subject: [PATCH 09/17] minor wording Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 2155bea0f5..7ac3edf63a 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -42,7 +42,7 @@ type Rule struct { // Permissions []string `json:"permissions,omitempty"` } -// Subject is the subject of the rule. +// Subject specifies the client identity of a request. // +kubebuilder:validation:XValidation:rule="has(self.clientCIDR) || has(self.notClientCIDR)",message="subject must not be empty" // +notImplementedHide type Subject struct { From 06433977e9e892968386fd9b29a12321d8e19085 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 08:53:29 -0700 Subject: [PATCH 10/17] remove exclude ip range in the first run Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 7 +------ site/content/en/latest/api/extension_types.md | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 7ac3edf63a..24cd6024a7 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -32,7 +32,7 @@ type Rule struct { // Action defines the action to be taken if the rule matches. Action RuleActionType `json:"action"` - // Subject contains the subject of the rule. + // Subject specifies the client identity of a request. Subject Subject `json:"subjects,omitempty"` // Permissions contains allowed HTTP methods. 
@@ -43,16 +43,11 @@ type Rule struct { } // Subject specifies the client identity of a request. -// +kubebuilder:validation:XValidation:rule="has(self.clientCIDR) || has(self.notClientCIDR)",message="subject must not be empty" // +notImplementedHide type Subject struct { // ClientCIDR is the IP CIDR range of the client. // Valid examples are "192.168.1.0/24" or "2001:db8::/64" ClientCIDR []string `json:"clientCIDR,omitempty"` - - // NotClientCIDR is the IP CIDR range of the client that should not match. - // Valid examples are "192.168.1.0/24" or "2001:db8::/64" - NotClientCIDR []string `json:"notClientCIDR,omitempty"` } // RuleActionType specifies the types of authorization rule action. diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index ba4fc0cec1..b52aa5f568 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -3082,7 +3082,7 @@ _Appears in:_ -Subject is the subject of the rule. +Subject specifies the client identity of a request. _Appears in:_ - [Rule](#rule) From 2335a92d90d12fb83f2e1bcfb7fc9ea4f09eb067 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 10:13:18 -0700 Subject: [PATCH 11/17] change subject to principal: align with Envoy and the AWS RBAC term Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 18 +++---- api/v1alpha1/clienttrafficpolicy_types.go | 2 +- api/v1alpha1/zz_generated.deepcopy.go | 47 +++++++++---------- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 2 +- ...ateway.envoyproxy.io_securitypolicies.yaml | 27 +++++------ site/content/en/latest/api/extension_types.md | 35 +++++++------- 6 files changed, 61 insertions(+), 70 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 24cd6024a7..b81b5d4fa5 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go 
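Review bot: Removing NotClientCIDR also removes the `XValidation` that was the only guard against an empty Subject, and ClientCIDR still has no `MinItems`, so `subjects: {}` is presumably accepted by the CRD while the comments no longer say what it matches. With first-match-wins evaluation, an Allow rule with an empty subject that the translator treats as match-all would shadow every later Deny rule; either restore `// +kubebuilder:validation:MinItems=1` on ClientCIDR, as an earlier patch in this series had, or document the empty-subject semantics on the field. The Subject struct is fully visible here, but the Rule that embeds it is outside the hunk.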
@@ -12,10 +12,8 @@ type Authorization struct { // Rules are evaluated in order, the first matching rule will be applied, // and the rest will be skipped. // - // For example, if there are two rules, the first rule allows the request, - // and the second rule denies the request, the request will be allowed. - // If the first rule denies the request, and the second rule allows it, - // the request will be denied. + // For example, if there are two rules: the first rule allows the request + // and the second rule denies it, when a request matches both rules, it will be allowed. // // +optional Rules []Rule `json:"rules"` @@ -32,8 +30,8 @@ type Rule struct { // Action defines the action to be taken if the rule matches. Action RuleActionType `json:"action"` - // Subject specifies the client identity of a request. - Subject Subject `json:"subjects,omitempty"` + // Principal specifies the client identity of a request. + Principal Principal `json:"principal"` // Permissions contains allowed HTTP methods. // If empty, all methods are matching. @@ -42,11 +40,15 @@ type Rule struct { // Permissions []string `json:"permissions,omitempty"` } -// Subject specifies the client identity of a request. +// Principal specifies the client identity of a request. // +notImplementedHide -type Subject struct { +type Principal struct { // ClientCIDR is the IP CIDR range of the client. // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + // + // By default, the client IP is inferred from the x-forwarder-for header and proxy protocol. + // You can use the `EnableProxyProtocol` and `ClientIPDetection` options in + // the `ClientTrafficPolicy` to configure how the client IP is detected. ClientCIDR []string `json:"clientCIDR,omitempty"` } diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go index 8f85d0617c..08692965af 100644 --- a/api/v1alpha1/clienttrafficpolicy_types.go +++ b/api/v1alpha1/clienttrafficpolicy_types.go 
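Review bot: The new ClientCIDR comment in the third hunk reads `x-forwarder-for`; the header is `X-Forwarded-For`, and a reference comment is exactly where readers will copy the name from. Because a CIDR-based Allow rule is only as trustworthy as the source of the client IP, the comment should also say that the detected address must come from a trusted hop, e.g. `// The client IP is only trustworthy when ClientIPDetection in ClientTrafficPolicy is configured for the deployment (XForwardedFor or a trusted CustomHeader); otherwise a client may supply its own address.` The rename hunk above it drops `omitempty` and `+optional` on `Principal Principal \`json:"principal"\``, which is the right fail-closed direction, but Principal itself still accepts an empty `clientCIDR` list, so the empty-principal semantics remain undocumented.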
@@ -136,7 +136,7 @@ type ClientIPDetectionSettings struct { // +optional XForwardedFor *XForwardedForSettings `json:"xForwardedFor,omitempty"` // CustomHeader provides configuration for determining the client IP address for a request based on - // a trusted custom HTTP header. This uses the the custom_header original IP detection extension. + // a trusted custom HTTP header. This uses the custom_header original IP detection extension. // Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto // for more details. // diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index c95d911627..d43122bbed 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3124,6 +3124,26 @@ func (in *PerRetryPolicy) DeepCopy() *PerRetryPolicy { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Principal) DeepCopyInto(out *Principal) { + *out = *in + if in.ClientCIDR != nil { + in, out := &in.ClientCIDR, &out.ClientCIDR + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Principal. +func (in *Principal) DeepCopy() *Principal { + if in == nil { + return nil + } + out := new(Principal) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProcessingModeOptions) DeepCopyInto(out *ProcessingModeOptions) { *out = *in 
@@ -3836,7 +3856,7 @@ func (in *RetryOn) DeepCopy() *RetryOn { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Rule) DeepCopyInto(out *Rule) { *out = *in - in.Subject.DeepCopyInto(&out.Subject) + in.Principal.DeepCopyInto(&out.Principal) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
@@ -4039,31 +4059,6 @@ func (in *StringMatch) DeepCopy() *StringMatch { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Subject) DeepCopyInto(out *Subject) { - *out = *in - if in.ClientCIDR != nil { - in, out := &in.ClientCIDR, &out.ClientCIDR - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.NotClientCIDR != nil { - in, out := &in.NotClientCIDR, &out.NotClientCIDR - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject. -func (in *Subject) DeepCopy() *Subject { - if in == nil { - return nil - } - out := new(Subject) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TCPActiveHealthChecker) DeepCopyInto(out *TCPActiveHealthChecker) { *out = *in
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index e82d67b932..5eb7710421 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -56,7 +56,7 @@ spec: customHeader: description: |- CustomHeader provides configuration for determining the client IP address for a request based on - a trusted custom HTTP header. This uses the the custom_header original IP detection extension. + a trusted custom HTTP header. This uses the custom_header original IP detection extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto for more details. properties:
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index ce5f64c18d..36d239cae4 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -67,10 +67,8 @@ spec: and the rest will be skipped. - For example, if there are two rules, the first rule allows the request, and the second rule denies the request, the request will be allowed. If the first rule denies the request, and the second rule allows it, the request will be denied. + For example, if there are two rules: the first rule allows the request + and the second rule denies it, when a request matches both rules, it will be allowed. items: description: Rule defines the single authorization rule. properties:
@@ -81,29 +79,26 @@ spec: - Allow - Deny type: string - subjects: - description: Subject contains the subject of the rule. + principal: + description: Principal specifies the client identity of + a request. properties: clientCIDR: description: |- ClientCIDR is the IP CIDR range of the client. Valid examples are "192.168.1.0/24" or "2001:db8::/64" - items: - type: string - type: array - notClientCIDR: - description: |- - NotClientCIDR is the IP CIDR range of the client that should not match. - Valid examples are "192.168.1.0/24" or "2001:db8::/64" + + + By default, the client IP is inferred from the x-forwarder-for header and proxy protocol. + You can use the `EnableProxyProtocol` and `ClientIPDetection` options in + the `ClientTrafficPolicy` to configure how the client IP is detected. items: type: string type: array type: object - x-kubernetes-validations: - - message: subject must not be empty - rule: has(self.clientCIDR) || has(self.notClientCIDR) required: - action + - principal type: object type: array type: object
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index b52aa5f568..dac1b13834 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -182,7 +182,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- |
-| `rules` | _[Rule](#rule) array_ | false | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules, the first rule allows the request,
and the second rule denies the request, the request will be allowed.
If the first rule denies the request, and the second rule allows it,
the request will be denied. | +| `rules` | _[Rule](#rule) array_ | false | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | | `defaultAction` | _[RuleActionType](#ruleactiontype)_ | false | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. | @@ -394,7 +394,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. | -| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | +| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | #### ClientTLSSettings @@ -2249,6 +2249,20 @@ _Appears in:_ | `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | +#### Principal + + + +Principal specifies the client identity of a request. + +_Appears in:_ +- [Rule](#rule) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `clientCIDR` | _string array_ | true | ClientCIDR is the IP CIDR range of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

By default, the client IP is inferred from the x-forwarder-for header and proxy protocol.
You can use the `EnableProxyProtocol` and `ClientIPDetection` options in
the `ClientTrafficPolicy` to configure how the client IP is detected. | + + #### ProcessingModeOptions @@ -2892,7 +2906,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. | -| `subjects` | _[Subject](#subject)_ | true | Subject contains the subject of the rule. | +| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request. | #### RuleActionType @@ -3078,21 +3092,6 @@ _Appears in:_ | `RegularExpression` | StringMatchRegularExpression :The input string must match the regular expression
specified in the match value.
The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| -#### Subject - - - -Subject specifies the client identity of a request. - -_Appears in:_ -- [Rule](#rule) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientCIDR` | _string array_ | true | ClientCIDR is the IP CIDR range of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | -| `notClientCIDR` | _string array_ | true | NotClientCIDR is the IP CIDR range of the client that should not match.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | - - #### TCPActiveHealthChecker
From 3293ec26054a69d9c0c762b44458a43c04bfbf37 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 10:24:24 -0700 Subject: [PATCH 12/17] add Name field to a Rule Signed-off-by: huabing zhao
---
 api/v1alpha1/authorization_types.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index b81b5d4fa5..774b4260f7 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -27,6 +27,9 @@ type Authorization struct {
 // Rule defines the single authorization rule.
 // +notImplementedHide
 type Rule struct {
+ // Name is an uer-friendly name for the rule.
+ Name string `json:"name"`
+
 // Action defines the action to be taken if the rule matches.
 Action RuleActionType `json:"action"`
From f84a49c5df8be5f00e8fa8093f6bb5afdeafef18 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 10:41:50 -0700 Subject: [PATCH 13/17] remove name field for now Signed-off-by: huabing zhao
---
 api/v1alpha1/authorization_types.go | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index 774b4260f7..b81b5d4fa5 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -27,9 +27,6 @@ type Authorization struct {
 // Rule defines the single authorization rule.
 // +notImplementedHide
 type Rule struct {
- // Name is an uer-friendly name for the rule.
- Name string `json:"name"`
-
 // Action defines the action to be taken if the rule matches.
 Action RuleActionType `json:"action"`
From 1f8bd80a80473d94aad63e6cdae3962e46a5e3ae Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 10 May 2024 11:06:42 -0700 Subject: [PATCH 14/17] Update api/v1alpha1/authorization_types.go Co-authored-by: Arko Dasgupta
Signed-off-by: Huabing Zhao
---
 api/v1alpha1/authorization_types.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index b81b5d4fa5..12aad80dc6 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -16,7 +16,7 @@ type Authorization struct {
 // and the second rule denies it, when a request matches both rules, it will be allowed.
 //
 // +optional
- Rules []Rule `json:"rules"`
+ Rules []Rule `json:"rules, omitempty"`
 // DefaultAction defines the default action to be taken if no rules match.
 // If not specified, the default action is Deny.
From d7fbe4ea2f856dfd53396fca51e13edbd2a0ebcf Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 11:09:23 -0700 Subject: [PATCH 15/17] fix docs Signed-off-by: huabing zhao
---
 api/v1alpha1/authorization_types.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index 12aad80dc6..29a713f73c 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -16,7 +16,7 @@ type Authorization struct {
 // and the second rule denies it, when a request matches both rules, it will be allowed.
 //
 // +optional
- Rules []Rule `json:"rules, omitempty"`
+ Rules []Rule `json:"rules,omitempty"`
 // DefaultAction defines the default action to be taken if no rules match.
 // If not specified, the default action is Deny.
From 882a52cbfbbb1d191835862ba9aa02d8fb258af0 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 11:13:20 -0700 Subject: [PATCH 16/17] minor wording Signed-off-by: huabing zhao
---
 api/v1alpha1/authorization_types.go | 7 ++++---
 .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 7 ++++---
 site/content/en/latest/api/extension_types.md | 2 +-
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index 29a713f73c..5550498c2d 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -8,12 +8,13 @@ package v1alpha1
 // Authorization defines the authorization configuration.
 // +notImplementedHide
 type Authorization struct {
- // Rules contains all the authorization rules.
- // Rules are evaluated in order, the first matching rule will be applied,
+ // Rules defines a list of authorization rules.
+ // These rules are evaluated in order, the first matching rule will be applied,
 // and the rest will be skipped.
 //
 // For example, if there are two rules: the first rule allows the request
- // and the second rule denies it, when a request matches both rules, it will be allowed.
+ // and the second rule denies it,
+ //when a request matches both rules, it will be allowed.
 //
 // +optional
 Rules []Rule `json:"rules,omitempty"`
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 36d239cae4..48ba4c0bdb 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -62,13 +62,14 @@ spec: type: string rules: description: |- - Rules contains all the authorization rules. - Rules are evaluated in order, the first matching rule will be applied, + Rules defines a list of authorization rules. + These rules are evaluated in order, the first matching rule will be applied, and the rest will be skipped. For example, if there are two rules: the first rule allows the request - and the second rule denies it, when a request matches both rules, it will be allowed. + and the second rule denies it, + when a request matches both rules, it will be allowed. items: description: Rule defines the single authorization rule. properties:
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index dac1b13834..4571932d05 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -182,7 +182,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- |
-| `rules` | _[Rule](#rule) array_ | false | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | +| `rules` | _[Rule](#rule) array_ | false | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it,
when a request matches both rules, it will be allowed. | | `defaultAction` | _[RuleActionType](#ruleactiontype)_ | false | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. |
From 387951bf90bcec67277ca495ad63fac1235eb5af Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 10 May 2024 11:28:51 -0700 Subject: [PATCH 17/17] fix lint Signed-off-by: huabing zhao
---
 api/v1alpha1/authorization_types.go | 3 +--
 .../crds/generated/gateway.envoyproxy.io_securitypolicies.yaml | 3 +--
 site/content/en/latest/api/extension_types.md | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index 5550498c2d..c52a2063b3 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -13,8 +13,7 @@ type Authorization struct {
 // and the rest will be skipped.
 //
 // For example, if there are two rules: the first rule allows the request
- // and the second rule denies it,
- //when a request matches both rules, it will be allowed.
+ // and the second rule denies it, when a request matches both rules, it will be allowed.
 //
 // +optional
 Rules []Rule `json:"rules,omitempty"`
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 48ba4c0bdb..9d3a7db511 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -68,8 +68,7 @@ spec: For example, if there are two rules: the first rule allows the request - and the second rule denies it, - when a request matches both rules, it will be allowed. + and the second rule denies it, when a request matches both rules, it will be allowed. items: description: Rule defines the single authorization rule. properties:
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 4571932d05..b98e2d2d7e 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -182,7 +182,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- |
-| `rules` | _[Rule](#rule) array_ | false | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it,
when a request matches both rules, it will be allowed. | +| `rules` | _[Rule](#rule) array_ | false | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | | `defaultAction` | _[RuleActionType](#ruleactiontype)_ | false | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. |