feat: add admission control to BackendTrafficPolicy#8872

Open
jukie wants to merge 28 commits into envoyproxy:main from jukie:admission-control

Conversation

jukie (Contributor) commented Apr 27, 2026:

What this PR does / why we need it:

This carries forward #7529 from @aburan28

This PR adds support for Envoy's Admission Control filter to Envoy Gateway by exposing it through BackendTrafficPolicy.

Admission control probabilistically rejects requests based on the historical success rate of upstream requests within a configurable sliding time window. This provides client-side load shedding for overloaded or degraded backends and complements circuit breaking and retry policies.

Changes include:

  • API types: adds AdmissionControl with configurable samplingWindow, successRateThreshold, aggression, rpsThreshold, maxRejectionProbability, and success criteria for HTTP and gRPC.
  • BackendTrafficPolicy API: adds the optional admissionControl field.
  • Gateway API translation: translates admission-control policy config into XDS IR traffic features.
  • XDS translation: configures Envoy's envoy.filters.http.admission_control as an upstream HTTP filter on generated clusters.
  • EnvoyFilter registration: registers envoy.filters.http.admission_control as a known Envoy filter.
  • Generated artifacts: updates CRDs, deepcopy methods, Helm golden output, and API docs.
  • Tests and examples: adds xDS translator coverage, Gateway API testdata, and a Kubernetes example manifest.

Release Notes: Yes

aburan28 and others added 26 commits March 30, 2026 14:50
Signed-off-by: Adam Buran <aburan28@gmail.com>
- Change SamplingWindow from *metav1.Duration to *gwapiv1.Duration
  to satisfy kube-api-linter (nodurations rule)
- Add parseSamplingWindow converter in gateway API translator to
  convert gwapiv1.Duration to metav1.Duration for the IR
- Fix unused-parameter lint errors in patchRoute and patchResources
  by renaming unused params to _
- Regenerate deepcopy, CRD manifests, helm test outputs, and API docs

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Adam Buran <aburan28@gmail.com>
Fix merge conflicts from rebase onto upstream/main, fix missing imports
in admission control tests, and ensure EvaluationCriteria is always set
in the admission control config.

Signed-off-by: Adam Buran <aburan28@gmail.com>
- Remove Enabled field (presence of admissionControl implies enabled)
- Switch SuccessRateThreshold, Aggression, MaxRejectionProbability from
  float64 to uint32 to avoid floats in the API layer
- Register envoy.filters.http.admission_control in the EnvoyFilter enum
- Fix example manifest (srThreshold -> successRateThreshold, integer values)
- Regenerate CRDs, deepcopy, docs, and xds translator testdata

Signed-off-by: Adam Buran <aburan28@gmail.com>
Remove stale lbPolicy field from cluster output after main merge.

Signed-off-by: Adam Buran <aburan28@gmail.com>
Regenerates test/helm/gateway-crds-helm/*.out.yaml and
site/content/en/latest/api/extension_types.md to match the current
admission control API (int32 percentages, enabled field removed) and
pick up envoy.filters.http.admission_control in the filter order enum.

Signed-off-by: Adam Buran <aburan28@gmail.com>
…-control

Signed-off-by: Adam Buran <aburan28@gmail.com>
…igo lint

Signed-off-by: Adam Buran <aburan28@gmail.com>
…map, add gatewayapi testdata

- Revert the HCM HTTP filter ordering shifts in newOrderedHTTPFilter; the
  admission_control filter is registered as an upstream cluster filter, so it
  does not need a slot in the downstream HCM ordering.
- Move the gRPC status-code lookup map to a package-level var so it is not
  rebuilt on every translation cycle.
- Add backendtrafficpolicy-admission-control gatewayapi testdata covering both
  gateway-targeted (gRPC success criteria, all knobs set) and route-targeted
  (HTTP success criteria, minimal config) policies.

Signed-off-by: Adam Buran <adam.buran@gmail.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>
netlify Bot commented Apr 27, 2026:

Deploy Preview for cerulean-figolla-1f9435 ready!

Latest commit: d9e91ff
Latest deploy log: https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69efe4562163490008b0cda3
Deploy Preview: https://deploy-preview-8872--cerulean-figolla-1f9435.netlify.app

@jukie jukie changed the title from "Admission control" to "feat: add admission control to BackendTrafficPolicy" Apr 27, 2026
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>
@jukie jukie marked this pull request as ready for review April 27, 2026 22:17
@jukie jukie requested a review from a team as a code owner April 27, 2026 22:17
@jukie jukie added this to the v1.8.0-rc.1 Release milestone Apr 27, 2026
chatgpt-codex-connector Bot left a comment:

Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d59ae24657

Comment thread api/v1alpha1/backendtrafficpolicy_types.go
codecov Bot commented Apr 27, 2026:

Codecov Report

❌ Patch coverage is 93.61702% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.39%. Comparing base (8570285) to head (d9e91ff).

Files with missing lines                        Patch %   Lines
internal/gatewayapi/backendtrafficpolicy.go     93.33%    1 Missing and 1 partial
internal/xds/translator/admission_control.go    96.42%    1 Missing and 1 partial
internal/xds/translator/cluster.go              71.42%    1 Missing and 1 partial
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8872      +/-   ##
==========================================
+ Coverage   74.36%   74.39%   +0.02%     
==========================================
  Files         246      247       +1     
  Lines       39292    39385      +93     
==========================================
+ Hits        29221    29300      +79     
- Misses       8041     8049       +8     
- Partials     2030     2036       +6     


Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>
jukie (Contributor, Author) commented Apr 27, 2026:

@codex

chatgpt-codex-connector Bot commented:

Codex Review: Didn't find any major issues. You're on a roll.


@arkodg arkodg requested review from a team April 27, 2026 23:42
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
)

// AdmissionControl defines the admission control policy to be applied.
Member commented:
Non-blocking nit: the comments could be made clearer to make them easier for users to understand.

Suggested change
// AdmissionControl defines the admission control policy to be applied.
// AdmissionControl configures health-based load shedding for upstream backends.
//
// Envoy tracks recent upstream responses over a sliding sampling window. When the
// observed success rate drops below the configured threshold, Envoy
// probabilistically rejects new requests before forwarding them upstream. This can
// reduce pressure on degraded backends and give them time to recover.
//
// All fields are optional. When omitted, Envoy's admission control defaults are used.

//
// +optional
// +kubebuilder:validation:Minimum=0
RPSThreshold *uint32 `json:"rpsThreshold,omitempty"`
zhaohuabing (Member) commented Apr 28, 2026:
Nit: A more explicit name like minTrafficThreshold is easier to understand for a user-facing API.

//
// +optional
SuccessCriteria *AdmissionControlSuccessCriteria `json:"successCriteria,omitempty"`
}
zhaohuabing (Member) commented Apr 28, 2026:
This API is flat, and some of the field names inherited from the Envoy config aren't very intuitive, which makes it a bit harder to read. How about (the names are not final, just for discussion):

admissionControl:
  samplingWindow: 30s
  minRequestRate: 10
  successRateThreshold: 90
  rejection:
    maxRejectionPercent: 80
    rampFactor: 2
  successCriteria:
    http:
      statusCodes:
      - 200
      - 201
      - 204
    grpc:
      statusCodes:
      - OK
      - UNAVAILABLE

jukie (Contributor, Author) commented:
Do we have any existing fields you feel would be closer to the aggression Envoy description? I didn't see any. How about rejectionSensitivity?

This would add a nested layer for just two fields, so I'd prefer just keeping it flat here, but I'm willing to change it.

// Defaults to 30s if not specified.
//
// +optional
SamplingWindow *gwapiv1.Duration `json:"samplingWindow,omitempty"`
Member commented:
Raised by codex: samplingWindow accepts values like 0s and 500ms, and the translator forwards them to Envoy. Envoy truncates the configured window to whole seconds and later divides request count by that second count in admission-control RPS calculation, so these accepted values can produce a zero-second denominator after traffic is recorded. Add validation requiring at least 1s, with CEL coverage for 0s and a sub-second value.

EnvoyFilterFault EnvoyFilter = "envoy.filters.http.fault"

// EnvoyFilterAdmissionControl defines the Envoy HTTP admission control filter.
EnvoyFilterAdmissionControl EnvoyFilter = "envoy.filters.http.admission_control"
zhaohuabing (Member) commented Apr 28, 2026:
The AdmissionControl filter should not be exposed here. It's used as an upstream filter, and it can't be reordered like other HCM filters.
