Allow_websockets

What happened?
WebSocket connections are blocked with 403 upgrade_failed when using Pomerium Gateway API mode. Terminals and kernels in JupyterLab are completely non-functional.

What did you expect to happen?
WebSocket connections should be allowed just like they were with the Ingress controller using ingress.pomerium.io/allow_websockets: "true" annotation.

How’d it happen?

  1. Migrated from Pomerium Ingress to Gateway API using PolicyFilter
  2. Accessed JupyterLab via https://gxxxx.staging.kenya.co/lab
  3. Terminal and kernel connections fail with 403 upgrade_failed in Pomerium logs

What’s your environment like?

    1. Pomerium version: v0.32.8 installed via kubectl apply -k "github.com/pomerium/ingress-controller/config/gateway-api?ref=v0.32.8"
    2. Server: Azure Kubernetes Service (AKS), Ubuntu, southafricanorth region
    3. Gateway API CRDs: v1.5.1
    4. Envoy Gateway: v1.8.0

What’s your config.yaml?

apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
  namespace: pomerium
spec:
  secrets: pomerium/bootstrap
  authenticate:
    url: "https://xxx.pomerium.staging.kenya.co"
  identityProvider:
    provider: azure
    secret: pomerium/idp-azure
  certificates:
    - pomerium/production-kenya-co

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: xxx-httproute
  namespace: staging
spec:
  parentRefs:
    - name: pomerium
      namespace: pomerium
  hostnames:
    - xxxxx.staging.kenya.co
  rules:
    - backendRefs:
        - name: applications-0-service
          port: 8888
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.pomerium.io
            kind: PolicyFilter
            name: xxx-policy

apiVersion: gateway.pomerium.io/v1alpha1
kind: PolicyFilter
metadata:
  name: xxx-policy
  namespace: staging
spec:
  ppl: |
    allow:
      or:
        - email:
            is: user@example.com

What did you see in the logs?

{"level":"info","service":"envoy","method":"GET",
"path":"/terminals/websocket/4",
"response-code":403,
"response-code-details":"upgrade_failed",
"time":"2026-06-05T08:53:22Z","message":"http-request"}

Additional context

What I tried:

  1. Adding allow_websockets: true to the PolicyFilter spec:
     Error: unknown field "spec.allowWebsockets"
  2. Adding allow_websockets: true as a PPL action:
     couldn't parse policy: invalid rules in policy: invalid action in rule: unsupported action: "allow_websockets"
  3. Adding spec.policy to the Pomerium global config:
     Error: unknown field "spec.policy"

With Ingress controller, WebSocket worked perfectly using:

annotations:
  ingress.pomerium.io/allow_websockets: "true"

There appears to be no equivalent for this in Gateway API mode. Is allow_websockets supported in Gateway API PolicyFilter? If not, is it on the roadmap?

This is a blocker for migrating WebSocket-heavy applications like JupyterLab from Ingress to Gateway API.
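A hand-rolled WebSocket opening handshake is a quick way to tell whether the proxy refuses the Upgrade before it reaches the backend (a non-101 status, as in the 403 above) or completes it with a valid Sec-WebSocket-Accept header. The script below is an added example for this thread, not code from Pomerium or the reporter; the hostname, the path from the log line, the `_pomerium` cookie name and the sample replies are assumptions or constructed data, not captures from the deployment described.

```python
"""Probe a WebSocket upgrade through a reverse proxy and classify the reply.

Added example for this thread (not Pomerium code).  The host, cookie name and
sample responses below are assumptions / constructed test data.
"""
import base64
import hashlib
import os
import socket
import ssl
import sys
from typing import Dict, Optional

# Fixed GUID from RFC 6455 section 1.3; the server must echo
# base64(sha1(Sec-WebSocket-Key + GUID)) as Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(key: str) -> str:
    """Compute the Sec-WebSocket-Accept value a correct server returns for key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str,
                          cookie: Optional[str] = None) -> bytes:
    """Serialise a minimal HTTP/1.1 upgrade request (RFC 6455 section 4.1)."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if cookie:  # the proxy session cookie, so the probe is authenticated
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_response(raw: bytes, key: str) -> Dict[str, object]:
    """Parse status line + headers and decide whether the upgrade completed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if status == 101:
        ok = headers.get("sec-websocket-accept") == expected_accept(key)
        reason = "upgrade completed, accept header valid" if ok \
            else "101 returned but Sec-WebSocket-Accept is wrong"
        return {"status": 101, "upgraded": ok, "reason": reason}
    # Anything else means the proxy (or backend) answered before upgrading.
    return {"status": status, "upgraded": False,
            "reason": f"refused before upgrade with HTTP {status}"}


def probe(host: str, path: str, cookie: Optional[str] = None,
          timeout: float = 10.0) -> Dict[str, object]:
    """Open a TLS connection, send the upgrade and classify the first reply."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, path, key, cookie))
            raw = b""
            while b"\r\n\r\n" not in raw:  # read until end of headers
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return classify_response(raw, key)


# Constructed sample replies and the RFC 6455 example key (not captured data).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_403 = b"HTTP/1.1 403 Forbidden\r\ncontent-length: 0\r\n\r\n"
SAMPLE_101 = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\n"
              b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

if __name__ == "__main__":
    # Usage: python ws_probe.py <host> [<_pomerium cookie value>]
    # Host and cookie are assumptions; the path is the one from the log above.
    host = sys.argv[1] if len(sys.argv) > 1 else "gxxxx.staging.kenya.co"
    cookie = f"_pomerium={sys.argv[2]}" if len(sys.argv) > 2 else None
    print(probe(host, "/terminals/websocket/4", cookie))
```

Run it with a valid session cookie copied from a logged-in browser; without one the proxy will answer with a redirect to the authenticate service rather than the 403 shown in the report, so an unauthenticated probe does not reproduce the problem.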

Hi @franklin,

This is currently not implemented with the Gateway controller. I will add an issue to our backlog to look into this. I believe it would entail a new CRD object that would be referenced as an ExtensionRef filter, rather than the existing PolicyFilter.

Thanks,
Caleb

Hi Caleb,

Thanks for your feedback. Once it's added, you can let me know. I'd appreciate it.