From 8eb1f4b1b522c9f5f18ed6de5850c0bb5bc2658d Mon Sep 17 00:00:00 2001
From: Istio Automation <istio-testing-bot@google.com>
Date: Thu, 16 May 2024 16:15:28 -0400
Subject: [PATCH] Adds Service Type to PolicyTargetReference API Docs (#3203)

Previously, only a Gateway resource was defined as a supported
attachment type. This PR updates the API docs to include a Service
as a supported type and also fixes an incorrect link to Gateway API
documentation.

Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>
Co-authored-by: Daneyon Hansen <daneyon.hansen@solo.io>
---
 extensions/v1alpha1/wasm.pb.go                  |  7 ++++---
 extensions/v1alpha1/wasm.pb.html                |  7 ++++---
 extensions/v1alpha1/wasm.proto                  |  7 ++++---
 networking/v1alpha3/envoy_filter.pb.go          |  7 ++++---
 networking/v1alpha3/envoy_filter.pb.html        |  7 ++++---
 networking/v1alpha3/envoy_filter.proto          |  7 ++++---
 security/v1/authorization_policy.pb.go          |  7 ++++---
 security/v1/authorization_policy.proto          |  7 ++++---
 security/v1/request_authentication.pb.go        |  7 ++++---
 security/v1/request_authentication.proto        |  7 ++++---
 security/v1beta1/authorization_policy.pb.go     |  7 ++++---
 security/v1beta1/authorization_policy.pb.html   |  7 ++++---
 security/v1beta1/authorization_policy.proto     |  7 ++++---
 security/v1beta1/request_authentication.pb.go   |  7 ++++---
 security/v1beta1/request_authentication.pb.html |  7 ++++---
 security/v1beta1/request_authentication.proto   |  7 ++++---
 telemetry/v1/telemetry.pb.go                    |  7 ++++---
 telemetry/v1/telemetry.proto                    |  7 ++++---
 telemetry/v1alpha1/telemetry.pb.go              |  7 ++++---
 telemetry/v1alpha1/telemetry.pb.html            |  7 ++++---
 telemetry/v1alpha1/telemetry.proto              |  7 ++++---
 type/v1beta1/selector.pb.go                     | 10 +++++-----
 type/v1beta1/selector.pb.html                   | 10 +++++-----
 type/v1beta1/selector.proto                     | 10 +++++-----
 24 files changed, 99 insertions(+), 78 deletions(-)

diff --git a/extensions/v1alpha1/wasm.pb.go b/extensions/v1alpha1/wasm.pb.go
index aec85e86481..72458ea6746 100644
--- a/extensions/v1alpha1/wasm.pb.go
+++ b/extensions/v1alpha1/wasm.pb.go
@@ -554,12 +554,13 @@ type WasmPlugin struct {
 	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
 	// $hide_from_docs
 	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,15,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/extensions/v1alpha1/wasm.pb.html b/extensions/v1alpha1/wasm.pb.html
index ea691da7841..42eb5fda6fd 100644
--- a/extensions/v1alpha1/wasm.pb.html
+++ b/extensions/v1alpha1/wasm.pb.html
@@ -203,12 +203,13 @@ <h2 id="WasmPlugin">WasmPlugin</h2>
 <td><code>targetRefs</code></td>
 <td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
 <td>
-<p>Optional. The targetRef specifies the gateway the policy should be
-applied to. The targeted resource specified will determine which
-workloads the policy applies to.</p>
+<p>Optional. The targetRefs specifies a list of resources the policy should be
+applied to. The targeted resources specified will determine which workloads
+the policy applies to.</p>
 <p>Currently, the following resource attachment types are supported:</p>
 <ul>
 <li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
+<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
 </ul>
 <p>If not set, the policy is applied as defined by the selector.
 At most one of the selector and targetRefs can be set.</p>
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto
index 83e7d2c36d4..7e0cb51092b 100644
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@@ -249,12 +249,13 @@ message WasmPlugin {
   // $hide_from_docs
   istio.type.v1beta1.PolicyTargetReference targetRef = 15;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/networking/v1alpha3/envoy_filter.pb.go b/networking/v1alpha3/envoy_filter.pb.go
index 84083a42f0f..978e49f6c88 100644
--- a/networking/v1alpha3/envoy_filter.pb.go
+++ b/networking/v1alpha3/envoy_filter.pb.go
@@ -833,12 +833,13 @@ type EnvoyFilter struct {
 	// in the config root namespace, it will be applied to all applicable
 	// workloads in any namespace.
 	WorkloadSelector *WorkloadSelector `protobuf:"bytes,3,opt,name=workload_selector,json=workloadSelector,proto3" json:"workload_selector,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/networking/v1alpha3/envoy_filter.pb.html b/networking/v1alpha3/envoy_filter.pb.html
index 62afad254c4..2abc80bef9e 100644
--- a/networking/v1alpha3/envoy_filter.pb.html
+++ b/networking/v1alpha3/envoy_filter.pb.html
@@ -387,12 +387,13 @@ <h2 id="EnvoyFilter">EnvoyFilter</h2>
 <td><code>targetRefs</code></td>
 <td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
 <td>
-<p>Optional. The targetRef specifies the gateway the policy should be
-applied to. The targeted resource specified will determine which
-workloads the policy applies to.</p>
+<p>Optional. The targetRefs specifies a list of resources the policy should be
+applied to. The targeted resources specified will determine which workloads
+the policy applies to.</p>
 <p>Currently, the following resource attachment types are supported:</p>
 <ul>
 <li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
+<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
 </ul>
 <p>If not set, the policy is applied as defined by the selector.
 At most one of the selector and targetRefs can be set.</p>
diff --git a/networking/v1alpha3/envoy_filter.proto b/networking/v1alpha3/envoy_filter.proto
index d717ba219dd..8fbc0bbb7a7 100644
--- a/networking/v1alpha3/envoy_filter.proto
+++ b/networking/v1alpha3/envoy_filter.proto
@@ -848,12 +848,13 @@ message EnvoyFilter {
   // workloads in any namespace.
   WorkloadSelector workload_selector = 3;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/security/v1/authorization_policy.pb.go b/security/v1/authorization_policy.pb.go
index b35ef28bd51..5dacd61d088 100644
--- a/security/v1/authorization_policy.pb.go
+++ b/security/v1/authorization_policy.pb.go
@@ -397,12 +397,13 @@ type AuthorizationPolicy struct {
 	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
 	// $hide_from_docs
 	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/security/v1/authorization_policy.proto b/security/v1/authorization_policy.proto
index 3acc326e35d..79834034cf5 100644
--- a/security/v1/authorization_policy.proto
+++ b/security/v1/authorization_policy.proto
@@ -288,12 +288,13 @@ message AuthorizationPolicy {
   // $hide_from_docs
   istio.type.v1beta1.PolicyTargetReference targetRef = 5;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/security/v1/request_authentication.pb.go b/security/v1/request_authentication.pb.go
index d74fd5dc73b..17983596781 100644
--- a/security/v1/request_authentication.pb.go
+++ b/security/v1/request_authentication.pb.go
@@ -316,12 +316,13 @@ type RequestAuthentication struct {
 	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
 	// $hide_from_docs
 	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,3,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/security/v1/request_authentication.proto b/security/v1/request_authentication.proto
index c422d3657e9..3e662c278d9 100644
--- a/security/v1/request_authentication.proto
+++ b/security/v1/request_authentication.proto
@@ -259,12 +259,13 @@ message RequestAuthentication {
   // $hide_from_docs
   istio.type.v1beta1.PolicyTargetReference targetRef = 3;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go
index c676eeaba1e..68e633ae8bd 100644
--- a/security/v1beta1/authorization_policy.pb.go
+++ b/security/v1beta1/authorization_policy.pb.go
@@ -396,12 +396,13 @@ type AuthorizationPolicy struct {
 	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
 	// $hide_from_docs
 	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html
index edac3f5a1f9..cfe35835f70 100644
--- a/security/v1beta1/authorization_policy.pb.html
+++ b/security/v1beta1/authorization_policy.pb.html
@@ -228,12 +228,13 @@ <h2 id="AuthorizationPolicy">AuthorizationPolicy</h2>
 <td><code>targetRefs</code></td>
 <td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
 <td>
-<p>Optional. The targetRef specifies the gateway the policy should be
-applied to. The targeted resource specified will determine which
-workloads the policy applies to.</p>
+<p>Optional. The targetRefs specifies a list of resources the policy should be
+applied to. The targeted resources specified will determine which workloads
+the policy applies to.</p>
 <p>Currently, the following resource attachment types are supported:</p>
 <ul>
 <li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
+<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
 </ul>
 <p>If not set, the policy is applied as defined by the selector.
 At most one of the selector and targetRefs can be set.</p>
diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto
index 20fd3619cae..fb144f56c3f 100644
--- a/security/v1beta1/authorization_policy.proto
+++ b/security/v1beta1/authorization_policy.proto
@@ -287,12 +287,13 @@ message AuthorizationPolicy {
   // $hide_from_docs
   istio.type.v1beta1.PolicyTargetReference targetRef = 5;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/request_authentication.pb.go b/security/v1beta1/request_authentication.pb.go
index 83f4a20df10..a53d5f6b90f 100644
--- a/security/v1beta1/request_authentication.pb.go
+++ b/security/v1beta1/request_authentication.pb.go
@@ -316,12 +316,13 @@ type RequestAuthentication struct {
 	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
 	// $hide_from_docs
 	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,3,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/request_authentication.pb.html b/security/v1beta1/request_authentication.pb.html
index 1776c546891..267b81b08aa 100644
--- a/security/v1beta1/request_authentication.pb.html
+++ b/security/v1beta1/request_authentication.pb.html
@@ -232,12 +232,13 @@ <h2 id="RequestAuthentication">RequestAuthentication</h2>
 <td><code>targetRefs</code></td>
 <td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
 <td>
-<p>Optional. The targetRef specifies the gateway the policy should be
-applied to. The targeted resource specified will determine which
-workloads the policy applies to.</p>
+<p>Optional. The targetRefs specifies a list of resources the policy should be
+applied to. The targeted resources specified will determine which workloads
+the policy applies to.</p>
 <p>Currently, the following resource attachment types are supported:</p>
 <ul>
 <li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
+<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
 </ul>
 <p>If not set, the policy is applied as defined by the selector.
 At most one of the selector and targetRefs can be set.</p>
diff --git a/security/v1beta1/request_authentication.proto b/security/v1beta1/request_authentication.proto
index 5b2e3a1a9c7..e0096c55c28 100644
--- a/security/v1beta1/request_authentication.proto
+++ b/security/v1beta1/request_authentication.proto
@@ -259,12 +259,13 @@ message RequestAuthentication {
   // $hide_from_docs
   istio.type.v1beta1.PolicyTargetReference targetRef = 3;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1/telemetry.pb.go b/telemetry/v1/telemetry.pb.go
index 242aad5479c..0e2bb048b1c 100644
--- a/telemetry/v1/telemetry.pb.go
+++ b/telemetry/v1/telemetry.pb.go
@@ -562,12 +562,13 @@ type Telemetry struct {
 	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
 	// $hide_from_docs
 	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1/telemetry.proto b/telemetry/v1/telemetry.proto
index b3a57e1a77e..2972c54502d 100644
--- a/telemetry/v1/telemetry.proto
+++ b/telemetry/v1/telemetry.proto
@@ -274,12 +274,13 @@ message Telemetry {
   // $hide_from_docs
   istio.type.v1beta1.PolicyTargetReference targetRef = 5;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1alpha1/telemetry.pb.go b/telemetry/v1alpha1/telemetry.pb.go
index 3b9b1a8e617..9a591a5e6d4 100644
--- a/telemetry/v1alpha1/telemetry.pb.go
+++ b/telemetry/v1alpha1/telemetry.pb.go
@@ -560,12 +560,13 @@ type Telemetry struct {
 	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
 	// $hide_from_docs
 	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
-	// Optional. The targetRef specifies the gateway the policy should be
-	// applied to. The targeted resource specified will determine which
-	// workloads the policy applies to.
+	// Optional. The targetRefs specifies a list of resources the policy should be
+	// applied to. The targeted resources specified will determine which workloads
+	// the policy applies to.
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1alpha1/telemetry.pb.html b/telemetry/v1alpha1/telemetry.pb.html
index 57ae0546536..64a1b54f6fa 100644
--- a/telemetry/v1alpha1/telemetry.pb.html
+++ b/telemetry/v1alpha1/telemetry.pb.html
@@ -221,12 +221,13 @@ <h2 id="Telemetry">Telemetry</h2>
 <td><code>targetRefs</code></td>
 <td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
 <td>
-<p>Optional. The targetRef specifies the gateway the policy should be
-applied to. The targeted resource specified will determine which
-workloads the policy applies to.</p>
+<p>Optional. The targetRefs specifies a list of resources the policy should be
+applied to. The targeted resources specified will determine which workloads
+the policy applies to.</p>
 <p>Currently, the following resource attachment types are supported:</p>
 <ul>
 <li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
+<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
 </ul>
 <p>If not set, the policy is applied as defined by the selector.
 At most one of the selector and targetRefs can be set.</p>
diff --git a/telemetry/v1alpha1/telemetry.proto b/telemetry/v1alpha1/telemetry.proto
index 707418ec536..c162398e2b6 100644
--- a/telemetry/v1alpha1/telemetry.proto
+++ b/telemetry/v1alpha1/telemetry.proto
@@ -272,12 +272,13 @@ message Telemetry {
   // $hide_from_docs
   istio.type.v1beta1.PolicyTargetReference targetRef = 5;
 
-  // Optional. The targetRef specifies the gateway the policy should be
-  // applied to. The targeted resource specified will determine which
-  // workloads the policy applies to.
+  // Optional. The targetRefs specifies a list of resources the policy should be
+  // applied to. The targeted resources specified will determine which workloads
+  // the policy applies to.
   //
   // Currently, the following resource attachment types are supported:
   // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRefs can be set.
diff --git a/type/v1beta1/selector.pb.go b/type/v1beta1/selector.pb.go
index 18566ca1f8a..6ef08d55cbd 100644
--- a/type/v1beta1/selector.pb.go
+++ b/type/v1beta1/selector.pb.go
@@ -213,10 +213,10 @@ func (x *PortSelector) GetNumber() uint32 {
 	return 0
 }
 
-// PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api).
+// PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules).
 //
-// PolicyTargetReferences specifies the targeted resource which the policy
-// can be applied to. It must only target a single resource at a time, but it
+// PolicyTargetReference specifies the targeted resource which the policy
+// should be applied to. It must only target a single resource at a time, but it
 // can be used to target larger resources such as Gateways that may apply to
 // multiple child resources. The PolicyTargetReference will be used instead of
 // a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
@@ -237,8 +237,8 @@ func (x *PortSelector) GetNumber() uint32 {
 //
 // spec:
 //
-//	targetRef:
-//	  name: waypoint
+//	targetRefs:
+//	- name: waypoint
 //	  kind: Gateway
 //	  group: gateway.networking.k8s.io
 //	action: DENY
diff --git a/type/v1beta1/selector.pb.html b/type/v1beta1/selector.pb.html
index 387eb86d690..62da10a22ce 100644
--- a/type/v1beta1/selector.pb.html
+++ b/type/v1beta1/selector.pb.html
@@ -72,9 +72,9 @@ <h2 id="PortSelector">PortSelector</h2>
 </section>
 <h2 id="PolicyTargetReference">PolicyTargetReference</h2>
 <section>
-<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api">GEP-713</a>.</p>
-<p>PolicyTargetReferences specifies the targeted resource which the policy
-can be applied to. It must only target a single resource at a time, but it
+<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules">GEP-2648</a>.</p>
+<p>PolicyTargetReference specifies the targeted resource which the policy
+should be applied to. It must only target a single resource at a time, but it
 can be used to target larger resources such as Gateways that may apply to
 multiple child resources. The PolicyTargetReference will be used instead of
 a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
@@ -89,8 +89,8 @@ <h2 id="PolicyTargetReference">PolicyTargetReference</h2>
   name: httpbin
   namespace: foo
 spec:
-  targetRef:
-    name: waypoint
+  targetRefs:
+  - name: waypoint
     kind: Gateway
     group: gateway.networking.k8s.io
   action: DENY
diff --git a/type/v1beta1/selector.proto b/type/v1beta1/selector.proto
index a605312c6a3..36dcfc90554 100644
--- a/type/v1beta1/selector.proto
+++ b/type/v1beta1/selector.proto
@@ -69,10 +69,10 @@ enum WorkloadMode {
   CLIENT_AND_SERVER = 3;
 }
 
-// PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api).
+// PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules).
 //
-// PolicyTargetReferences specifies the targeted resource which the policy
-// can be applied to. It must only target a single resource at a time, but it
+// PolicyTargetReference specifies the targeted resource which the policy
+// should be applied to. It must only target a single resource at a time, but it
 // can be used to target larger resources such as Gateways that may apply to
 // multiple child resources. The PolicyTargetReference will be used instead of
 // a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
@@ -90,8 +90,8 @@ enum WorkloadMode {
 //   name: httpbin
 //   namespace: foo
 // spec:
-//   targetRef:
-//     name: waypoint
+//   targetRefs:
+//   - name: waypoint
 //     kind: Gateway
 //     group: gateway.networking.k8s.io
 //   action: DENY