API Specification¶
This page contains the API field specification for Gateway API.
Packages:
- gateway.networking.k8s.io/v1
- gateway.networking.k8s.io/v1beta1
- gateway.networking.k8s.io/v1alpha3
- gateway.networking.k8s.io/v1alpha2
gateway.networking.k8s.io/v1
Package v1 contains API Schema definitions for the gateway.networking.k8s.io API group.
Resource Types:GRPCRoute ¶
GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed.
GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word “MUST” indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated.
Implementations supporting GRPCRoute
with the HTTPS
ProtocolType
MUST
accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
ALPN. If the implementation does not support this, then it MUST set the
“Accepted” condition to “False” for the affected listener with a reason of
“UnsupportedProtocol”. Implementations MAY also accept HTTP/2 connections
with an upgrade from HTTP/1.
Implementations supporting GRPCRoute
with the HTTP
ProtocolType
MUST
support HTTP/2 over cleartext TCP (h2c,
https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
upgrade from HTTP/1.1, i.e. with prior knowledge
(https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
does not support this, then it MUST set the “Accepted” condition to “False”
for the affected listener with a reason of “UnsupportedProtocol”.
Implementations MAY also accept HTTP/2 connections with an upgrade from
HTTP/1, i.e. without prior knowledge.
Field | Description | ||||||
---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1
|
||||||
kind
string
|
GRPCRoute |
||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
GRPCRouteSpec
|
Spec defines the desired state of GRPCRoute.
|
||||||
status
GRPCRouteStatus
|
Status defines the current state of GRPCRoute. |
Gateway ¶
Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.
Field | Description | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1
|
||||||||||
kind
string
|
Gateway |
||||||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||||||
spec
GatewaySpec
|
Spec defines the desired state of Gateway.
|
||||||||||
status
GatewayStatus
|
Status defines the current state of Gateway. |
GatewayClass ¶
GatewayClass describes a class of Gateways available to the user for creating Gateway resources.
It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation.
Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
add the gateway-exists-finalizer.gateway.networking.k8s.io
finalizer on the
associated GatewayClass. This ensures that a GatewayClass associated with a
Gateway is not deleted while in use.
GatewayClass is a Cluster level resource.
Field | Description | ||||||
---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1
|
||||||
kind
string
|
GatewayClass |
||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
GatewayClassSpec
|
Spec defines the desired state of GatewayClass.
|
||||||
status
GatewayClassStatus
|
Status defines the current state of GatewayClass. Implementations MUST populate status on all GatewayClass resources which specify their controller name. |
HTTPRoute ¶
HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.
Field | Description | ||||||
---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1
|
||||||
kind
string
|
HTTPRoute |
||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
HTTPRouteSpec
|
Spec defines the desired state of HTTPRoute.
|
||||||
status
HTTPRouteStatus
|
Status defines the current state of HTTPRoute. |
AbsoluteURI
(string
alias)¶
(Appears on: SubjectAltName)
The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The AbsoluteURI MUST include both a scheme (e.g., “http” or “spiffe”) and a scheme-specific-part. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. gateway:util:excludeFromCRD The below regex is taken from the regex section in RFC 3986 with a slight modification to enforce a full URI and not relative. /gateway:util:excludeFromCRD
AddressType
(string
alias)¶
(Appears on: GatewayAddress, GatewayStatusAddress)
AddressType defines how a network address is represented as a text string. This may take two possible forms:
- A predefined CamelCase string identifier (currently limited to
IPAddress
orHostname
) - A domain-prefixed string identifier (like
acme.io/CustomAddressType
)
Values IPAddress
and Hostname
have Extended support.
The NamedAddress
value has been deprecated in favor of implementation
specific domain-prefixed strings.
All other values, including domain-prefixed values have Implementation-specific support, which are used in implementation-specific behaviors. Support for additional predefined CamelCase identifiers may be added in future releases.
Value | Description |
---|---|
"Hostname" |
A Hostname represents a DNS based ingress point. This is similar to the corresponding hostname field in Kubernetes load balancer status. For example, this concept may be used for cloud load balancers where a DNS name is used to expose a load balancer. Support: Extended |
"IPAddress" |
A textual representation of a numeric IP address. IPv4 addresses must be in dotted-decimal form. IPv6 addresses must be in a standard IPv6 text representation (see RFC 5952). This type is intended for specific addresses. Address ranges are not supported (e.g. you can not use a CIDR range like 127.0.0.0/24 as an IPAddress). Support: Extended |
"NamedAddress" |
A NamedAddress provides a way to reference a specific IP address by name. For example, this may be a name or other unique identifier that refers to a resource on a cloud provider such as a static IP. The Support: Implementation-specific |
AllowedRoutes ¶
(Appears on: Listener)
AllowedRoutes defines which Routes may be attached to this Listener.
Field | Description |
---|---|
namespaces
RouteNamespaces
|
(Optional)
Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. Support: Core |
kinds
[]RouteGroupKind
|
(Optional)
Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener’s Protocol field. If an implementation does not support or recognize this resource type, it MUST set the “ResolvedRefs” condition to False for this Listener with the “InvalidRouteKinds” reason. Support: Core |
AnnotationKey
(string
alias)¶
AnnotationKey is the key of an annotation in Gateway API. This is used for validation of maps such as TLS options. This matches the Kubernetes “qualified name” validation that is used for annotations and other common values.
Valid values include:
- example
- example.com
- example.com/path
- example.com/path.html
Invalid values include:
- example~ - “~” is an invalid character
- example.com. - can not start or end with “.”
AnnotationValue
(string
alias)¶
(Appears on: GatewayInfrastructure, GatewayTLSConfig, BackendTLSPolicySpec)
AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct.
BackendObjectReference ¶
(Appears on: BackendRef, HTTPRequestMirrorFilter)
BackendObjectReference defines how an ObjectReference that is specific to BackendRef. It includes a few additional fields and features than a regular ObjectReference.
Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.
References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.
Field | Description |
---|---|
group
Group
|
(Optional)
Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred. |
kind
Kind
|
(Optional)
Kind is the Kubernetes resource kind of the referent. For example “Service”. Defaults to “Service” when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName) |
name
ObjectName
|
Name is the name of the referent. |
namespace
Namespace
|
(Optional)
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core |
port
PortNumber
|
(Optional)
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. |
BackendRef ¶
(Appears on: GRPCBackendRef, HTTPBackendRef, TCPRouteRule, TLSRouteRule, UDPRouteRule)
BackendRef defines how a Route should forward a request to a Kubernetes resource.
Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
Field | Description |
---|---|
BackendObjectReference
BackendObjectReference
|
(Members of BackendObjectReference references a Kubernetes object. |
weight
int32
|
(Optional)
Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. Support for this field varies based on the context where used. |
CommonRouteSpec ¶
(Appears on: GRPCRouteSpec, HTTPRouteSpec, TCPRouteSpec, TLSRouteSpec, UDPRouteSpec)
CommonRouteSpec defines the common attributes that all Routes MUST include within their spec.
Field | Description |
---|---|
parentRefs
[]ParentReference
|
(Optional)
ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. For Services, that means the Service must either be in the same namespace for a “producer” route, or the mesh implementation must support and allow “consumer” routes for the referenced Service. ReferenceGrant is not applicable for governing ParentRefs to Services - it is not possible to create a “producer” route for a Service in a different namespace from the Route. There are two kinds of parent resources with “Core” support:
This API may be extended in the future to support additional kinds of parent resources. ParentRefs must be distinct. This means either that:
Some examples:
It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable other kinds of cross-namespace reference. gateway:experimental:description ParentRefs from a Route to a Service in the same namespace are “producer” routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are “consumer” routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. /gateway:experimental:description |
CookieConfig ¶
(Appears on: SessionPersistence)
CookieConfig defines the configuration for cookie-based session persistence.
Field | Description |
---|---|
lifetimeType
CookieLifetimeType
|
(Optional)
LifetimeType specifies whether the cookie has a permanent or session-based lifetime. A permanent cookie persists until its specified expiry time, defined by the Expires or Max-Age cookie attributes, while a session cookie is deleted when the current session ends. When set to “Permanent”, AbsoluteTimeout indicates the cookie’s lifetime via the Expires or Max-Age cookie attributes and is required. When set to “Session”, AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. Support: Core for “Session” type Support: Extended for “Permanent” type |
CookieLifetimeType
(string
alias)¶
(Appears on: CookieConfig)
Value | Description |
---|---|
"Permanent" |
PermanentCookieLifetimeType specifies the type for a permanent cookie. Support: Extended |
"Session" |
SessionCookieLifetimeType specifies the type for a session cookie. Support: Core |
Duration
(string
alias)¶
(Appears on: HTTPRouteRetry, HTTPRouteTimeouts, SessionPersistence)
Duration is a string value representing a duration in time. The format is as specified in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
FeatureName
(string
alias)¶
(Appears on: SupportedFeature)
FeatureName is used to describe distinct features that are covered by conformance tests.
Fraction ¶
(Appears on: HTTPRequestMirrorFilter)
Field | Description |
---|---|
numerator
int32
|
|
denominator
int32
|
(Optional) |
FromNamespaces
(string
alias)¶
(Appears on: RouteNamespaces)
FromNamespaces specifies namespace from which Routes may be attached to a Gateway.
Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Ready Condition for the Listener to status: False
, with a
Reason of Invalid
.
Value | Description |
---|---|
"All" |
Routes in all namespaces may be attached to this Gateway. |
"Same" |
Only Routes in the same namespace as the Gateway may be attached to this Gateway. |
"Selector" |
Only Routes in namespaces selected by the selector may be attached to this Gateway. |
FrontendTLSValidation ¶
(Appears on: GatewayTLSConfig)
FrontendTLSValidation holds configuration information that can be used to validate the frontend initiating the TLS connection
Field | Description |
---|---|
caCertificateRefs
[]ObjectReference
|
CACertificateRefs contains one or more references to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client. A single CA certificate reference to a Kubernetes ConfigMap has “Core” support. Implementations MAY choose to support attaching multiple CA certificates to a Listener, but this behavior is implementation-specific. Support: Core - A single reference to a Kubernetes ConfigMap
with the CA certificate in a key named Support: Implementation-specific (More than one reference, or other kinds of resources). References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason. |
GRPCBackendRef ¶
(Appears on: GRPCRouteRule)
GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
gateway:experimental:description
When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port.
Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726.
If a Service appProtocol isn’t specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service.
If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the “ResolvedRefs” condition to “False” with the “UnsupportedProtocol” reason.
/gateway:experimental:description
Field | Description |
---|---|
BackendRef
BackendRef
|
(Members of BackendRef is a reference to a backend to forward matched requests to. A BackendRef can be invalid for the following reasons. In all cases, the
implementation MUST ensure the A BackendRef is invalid if:
Support: Core for Kubernetes Service Support: Extended for Kubernetes ServiceImport Support: Implementation-specific for any other resource Support for weight: Core |
filters
[]GRPCRouteFilter
|
(Optional)
Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.) |
GRPCHeaderMatch ¶
(Appears on: GRPCRouteMatch)
GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers.
Field | Description |
---|---|
type
GRPCHeaderMatchType
|
(Optional)
Type specifies how to match against the value of the header. |
name
GRPCHeaderName
|
Name is the name of the gRPC Header to be matched. If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent. |
value
string
|
Value is the value of the gRPC Header to be matched. |
GRPCHeaderMatchType
(string
alias)¶
(Appears on: GRPCHeaderMatch)
GRPCHeaderMatchType specifies the semantics of how GRPC header values should be compared. Valid GRPCHeaderMatchType values, along with their conformance levels, are:
- “Exact” - Core
- “RegularExpression” - Implementation Specific
Note that new values may be added to this enum in future releases of the API, implementations MUST ensure that unknown values will not cause a crash.
Unknown values here MUST result in the implementation setting the Accepted
Condition for the Route to status: False
, with a Reason of
UnsupportedValue
.
Value | Description |
---|---|
"Exact" |
|
"RegularExpression" |
GRPCHeaderName
(string
alias)¶
(Appears on: GRPCHeaderMatch)
GRPCMethodMatch ¶
(Appears on: GRPCRouteMatch)
GRPCMethodMatch describes how to select a gRPC route by matching the gRPC request service and/or method.
At least one of Service and Method MUST be a non-empty string.
Field | Description |
---|---|
type
GRPCMethodMatchType
|
(Optional)
Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) Support: Implementation-specific (Exact with method specified but no service specified) Support: Implementation-specific (RegularExpression) |
service
string
|
(Optional)
Value of the service to match against. If left empty or omitted, will match any service. At least one of Service and Method MUST be a non-empty string. |
method
string
|
(Optional)
Value of the method to match against. If left empty or omitted, will match all services. At least one of Service and Method MUST be a non-empty string. |
GRPCMethodMatchType
(string
alias)¶
(Appears on: GRPCMethodMatch)
MethodMatchType specifies the semantics of how gRPC methods and services are compared. Valid MethodMatchType values, along with their conformance levels, are:
- “Exact” - Core
- “RegularExpression” - Implementation Specific
Exact methods MUST be syntactically valid:
- Must not contain
/
character
Value | Description |
---|---|
"Exact" |
Matches the method or service exactly and with case sensitivity. |
"RegularExpression" |
Matches if the method or service matches the given regular expression with case sensitivity. Since |
GRPCRouteFilter ¶
(Appears on: GRPCBackendRef, GRPCRouteRule)
GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.
Field | Description |
---|---|
type
GRPCRouteFilterType
|
Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels:
Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. |
requestHeaderModifier
HTTPHeaderFilter
|
(Optional)
RequestHeaderModifier defines a schema for a filter that modifies request headers. Support: Core |
responseHeaderModifier
HTTPHeaderFilter
|
(Optional)
ResponseHeaderModifier defines a schema for a filter that modifies response headers. Support: Extended |
requestMirror
HTTPRequestMirrorFilter
|
(Optional)
RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. Support: Extended |
extensionRef
LocalObjectReference
|
(Optional)
ExtensionRef is an optional, implementation-specific extension to the “filter” behavior. For example, resource “myroutefilter” in group “networking.example.net”). ExtensionRef MUST NOT be used for core and extended filters. Support: Implementation-specific This filter can be used multiple times within the same rule. |
GRPCRouteFilterType
(string
alias)¶
(Appears on: GRPCRouteFilter)
GRPCRouteFilterType identifies a type of GRPCRoute filter.
Value | Description |
---|---|
"ExtensionRef" |
GRPCRouteFilterExtensionRef should be used for configuring custom gRPC filters. Support in GRPCRouteRule: Implementation-specific Support in GRPCBackendRef: Implementation-specific |
"RequestHeaderModifier" |
GRPCRouteFilterRequestHeaderModifier can be used to add or remove a gRPC header from a gRPC request before it is sent to the upstream target. Support in GRPCRouteRule: Core Support in GRPCBackendRef: Extended |
"RequestMirror" |
GRPCRouteFilterRequestMirror can be used to mirror gRPC requests to a different backend. The responses from this backend MUST be ignored by the Gateway. Support in GRPCRouteRule: Extended Support in GRPCBackendRef: Extended |
"ResponseHeaderModifier" |
GRPCRouteFilterRequestHeaderModifier can be used to add or remove a gRPC header from a gRPC response before it is sent to the client. Support in GRPCRouteRule: Core Support in GRPCBackendRef: Extended |
GRPCRouteMatch ¶
(Appears on: GRPCRouteRule)
GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied.
For example, the match below will match a gRPC request only if its service
is foo
AND it contains the version: v1
header:
matches:
- method:
type: Exact
service: "foo"
headers:
- name: "version"
value "v1"
Field | Description |
---|---|
method
GRPCMethodMatch
|
(Optional)
Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. |
headers
[]GRPCHeaderMatch
|
(Optional)
Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. |
GRPCRouteRule ¶
(Appears on: GRPCRouteSpec)
GRPCRouteRule defines the semantics for matching a gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).
Field | Description |
---|---|
name
SectionName
|
(Optional)
Name is the name of the route rule. This name MUST be unique within a Route if it is set. Support: Extended gateway:experimental |
matches
[]GRPCRouteMatch
|
(Optional)
Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. For example, take the following matches configuration:
For a request to match against this rule, it MUST satisfy EITHER of the two conditions:
See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. If no matches are specified, the implementation MUST match every gRPC request. Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of:
If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties:
If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria. |
filters
[]GRPCRouteFilter
|
(Optional)
Filters define the filters that are applied to requests that match this rule. The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. Conformance-levels at this level are defined based on the type of filter:
Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. If an implementation can not support a combination of filters, it must clearly
document that limitation. In cases where incompatible or unsupported
filters are specified and cause the Support: Core |
backendRefs
[]GRPCBackendRef
|
(Optional)
BackendRefs defines the backend(s) where matching requests should be sent. Failure behavior here depends on how many BackendRefs are specified and how many are invalid. If all entries in BackendRefs are invalid, and there are also no filters
specified in this route rule, all traffic which matches this rule MUST
receive an See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. When a GRPCBackendRef is invalid, For example, if two backends are specified with equal weights, and one is
invalid, 50 percent of traffic MUST receive an Support: Core for Kubernetes Service Support: Implementation-specific for any other resource Support for weight: Core |
sessionPersistence
SessionPersistence
|
(Optional)
SessionPersistence defines and configures session persistence for the route rule. Support: Extended |
GRPCRouteSpec ¶
(Appears on: GRPCRoute, GRPCRoute)
GRPCRouteSpec defines the desired state of GRPCRoute
Field | Description |
---|---|
CommonRouteSpec
CommonRouteSpec
|
(Members of |
hostnames
[]Hostname
|
(Optional)
Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:
If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example:
Hostnames that are prefixed with a wildcard label ( If both the Listener and GRPCRoute have specified hostnames, any
GRPCRoute hostnames that do not match the Listener hostname MUST be
ignored. For example, if a Listener specified If both the Listener and GRPCRoute have specified hostnames, and none
match with the criteria above, then the GRPCRoute MUST NOT be accepted by
the implementation. The implementation MUST raise an ‘Accepted’ Condition
with a status of If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order:
The rejected Route MUST raise an ‘Accepted’ condition with a status of ‘False’ in the corresponding RouteParentStatus. Support: Core |
rules
[]GRPCRouteRule
|
(Optional)
Rules are a list of GRPC matchers, filters and actions. |
GRPCRouteStatus ¶
(Appears on: GRPCRoute, GRPCRoute)
GRPCRouteStatus defines the observed state of GRPCRoute.
Field | Description |
---|---|
RouteStatus
RouteStatus
|
(Members of |
GatewayAddress ¶
(Appears on: GatewaySpec)
GatewayAddress describes an address that can be bound to a Gateway.
Field | Description |
---|---|
type
AddressType
|
(Optional)
Type of the address. |
value
string
|
Value of the address. The validity of the values will depend on the type and support by the controller. Examples: |
GatewayBackendTLS ¶
(Appears on: GatewaySpec)
GatewayBackendTLS describes backend TLS configuration for gateway.
Field | Description |
---|---|
clientCertificateRef
SecretObjectReference
|
(Optional)
ClientCertificateRef is a reference to an object that contains a Client Certificate and the associated private key. References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason. ClientCertificateRef can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. This setting can be overridden on the service level by use of BackendTLSPolicy. Support: Core |
GatewayClassConditionReason
(string
alias)¶
GatewayClassConditionReason defines the set of reasons that explain why a particular GatewayClass condition type has been raised.
Value | Description |
---|---|
"Accepted" |
This reason is used with the “Accepted” condition when the condition is true. |
"InvalidParameters" |
This reason is used with the “Accepted” condition when the GatewayClass was not accepted because the parametersRef field refers to a nonexistent or unsupported resource or kind, or when the data within that resource is malformed. |
"Pending" |
This reason is used with the “Accepted” condition when the requested controller has not yet made a decision about whether to admit the GatewayClass. It is the default Reason on a new GatewayClass. |
"SupportedVersion" |
This reason is used with the “SupportedVersion” condition when the condition is true. |
"Unsupported" |
This reason is used with the “Accepted” condition when the GatewayClass was not accepted because the implementation does not support a user-defined GatewayClass. |
"UnsupportedVersion" |
This reason is used with the “SupportedVersion” or “Accepted” condition when the condition is false. A message SHOULD be included in this condition that includes the detected CRD version(s) present in the cluster and the CRD version(s) that are supported by the GatewayClass. |
"Waiting" |
Deprecated: Use “Pending” instead. |
GatewayClassConditionType
(string
alias)¶
GatewayClassConditionType is the type for status conditions on Gateway resources. This type should be used with the GatewayClassStatus.Conditions field.
Value | Description |
---|---|
"Accepted" |
This condition indicates whether the GatewayClass has been accepted by
the controller requested in the This condition defaults to Unknown, and MUST be set by a controller when it sees a GatewayClass using its controller string. The status of this condition MUST be set to True if the controller will support provisioning Gateways using this class. Otherwise, this status MUST be set to False. If the status is set to False, the controller SHOULD set a Message and Reason as an explanation. Possible reasons for this condition to be true are:
Possible reasons for this condition to be False are:
Possible reasons for this condition to be Unknown are:
Controllers should prefer to use the values of GatewayClassConditionReason for the corresponding Reason, where appropriate. |
"SupportedVersion" |
This condition indicates whether the GatewayClass supports the version(s) of Gateway API CRDs present in the cluster. This condition MUST be set by a controller when it marks a GatewayClass “Accepted”. The version of a Gateway API CRD is defined by the gateway.networking.k8s.io/bundle-version annotation on the CRD. If implementations detect any Gateway API CRDs that either do not have this annotation set, or have it set to a version that is not recognized or supported by the implementation, this condition MUST be set to false. Implementations MAY choose to either provide “best effort” support when an unrecognized CRD version is present. This would be communicated by setting the “Accepted” condition to true and the “SupportedVersion” condition to false. Alternatively, implementations MAY choose not to support CRDs with unrecognized versions. This would be communicated by setting the “Accepted” condition to false with the reason “UnsupportedVersions”. Possible reasons for this condition to be true are:
Possible reasons for this condition to be False are:
Controllers should prefer to use the values of GatewayClassConditionReason for the corresponding Reason, where appropriate. |
GatewayClassSpec ¶
(Appears on: GatewayClass, GatewayClass)
GatewayClassSpec reflects the configuration of a class of Gateways.
Field | Description |
---|---|
controllerName
GatewayController
|
ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. Example: “example.net/gateway-controller”. This field is not mutable and cannot be empty. Support: Core |
parametersRef
ParametersReference
|
(Optional)
ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. If the referent cannot be found, refers to an unsupported kind, or when the data within that resource is malformed, the GatewayClass SHOULD be rejected with the “Accepted” status condition set to “False” and an “InvalidParameters” reason. A Gateway for this GatewayClass may provide its own Support: Implementation-specific |
description
string
|
(Optional)
Description helps describe a GatewayClass with more details. |
GatewayClassStatus ¶
(Appears on: GatewayClass, GatewayClass)
GatewayClassStatus is the current status for the GatewayClass.
Field | Description |
---|---|
conditions
[]Kubernetes meta/v1.Condition
|
(Optional)
Conditions is the current status from the controller for this GatewayClass. Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition. |
supportedFeatures
[]SupportedFeature
|
(Optional)
SupportedFeatures is the set of features the GatewayClass support. It MUST be sorted in ascending alphabetical order by the Name key. gateway:experimental |
GatewayConditionReason
(string
alias)¶
GatewayConditionReason defines the set of reasons that explain why a particular Gateway condition type has been raised.
Value | Description |
---|---|
"Accepted" |
This reason is used with the “Accepted” condition when the condition is True. |
"AddressNotAssigned" |
This reason is used with the “Programmed” condition when the underlying implementation and network have yet to dynamically assign addresses for a Gateway. Some example situations where this reason can be used:
When this reason is used the implementation SHOULD provide a clear message explaining the underlying problem, ideally with some hints as to what actions can be taken that might resolve the problem. |
"AddressNotUsable" |
This reason is used with the “Programmed” condition when the underlying implementation (and possibly, network) are unable to use an address that was provided in the Gateway specification. Some example situations where this reason can be used:
When this reason is used the implementation SHOULD provide prescriptive information on which address is causing the problem and how to resolve it in the condition message. |
"Invalid" |
This reason is used with the “Programmed” and “Accepted” conditions when the Gateway is syntactically or semantically invalid. For example, this could include unspecified TLS configuration, or some unrecognized or invalid values in the TLS configuration. |
"InvalidParameters" |
This reason is used with the “Accepted” condition when the Gateway was not accepted because the parametersRef field was invalid, with more detail in the message. |
"ListenersNotReady" |
Deprecated: Ready is reserved for future use |
"ListenersNotValid" |
This reason is used with the “Accepted” condition when one or more Listeners have an invalid or unsupported configuration and cannot be configured on the Gateway. This can be the reason when “Accepted” is “True” or “False”, depending on whether the listener being invalid causes the entire Gateway to not be accepted. |
"NoResources" |
This reason is used with the “Programmed” condition when the Gateway is not scheduled because insufficient infrastructure resources are available. |
"NotReconciled" |
Deprecated: Use “Pending” instead. |
"Pending" |
This reason is used with the “Accepted” and “Programmed” conditions when the status is “Unknown” and no controller has reconciled the Gateway. |
"Programmed" |
This reason is used with the “Programmed” condition when the condition is true. |
"Ready" |
Deprecated: Ready is reserved for future use |
"Scheduled" |
This reason is used with the “Scheduled” condition when the condition is True. Deprecated: use the “Accepted” condition with reason “Accepted” instead. |
"UnsupportedAddress" |
This reason is used with the “Accepted” condition to indicate that the Gateway could not be accepted because an address that was provided is a type which is not supported by the implementation. |
GatewayConditionType
(string
alias)¶
GatewayConditionType is a type of condition associated with a Gateway. This type should be used with the GatewayStatus.Conditions field.
Value | Description |
---|---|
"Accepted" |
This condition is true when the controller managing the Gateway is syntactically and semantically valid enough to produce some configuration in the underlying data plane. This does not indicate whether or not the configuration has been propagated to the data plane. Possible reasons for this condition to be True are:
Possible reasons for this condition to be False are:
Possible reasons for this condition to be Unknown are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
"Programmed" |
This condition indicates whether a Gateway has generated some configuration that is assumed to be ready soon in the underlying data plane. It is a positive-polarity summary condition, and so should always be present on the resource with ObservedGeneration set. It should be set to Unknown if the controller performs updates to the status before it has all the information it needs to be able to determine if the condition is true. Possible reasons for this condition to be True are:
Possible reasons for this condition to be False are:
Possible reasons for this condition to be Unknown are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
"Ready" |
“Ready” is a condition type reserved for future use. It should not be used by implementations. If used in the future, “Ready” will represent the final state where all configuration is confirmed good
and has completely propagated to the data plane. That is, it is a guarantee that, as soon as something
sees the Condition as This is a very strong guarantee, and to date no implementation has satisfied it enough to implement it. This reservation can be discussed in the future if necessary. Note: This condition is not really “deprecated”, but rather “reserved”; however, deprecated triggers Go linters to alert about usage. Deprecated: Ready is reserved for future use |
"Scheduled" |
Deprecated: use “Accepted” instead. |
GatewayController
(string
alias)¶
(Appears on: GatewayClassSpec, RouteParentStatus, PolicyAncestorStatus)
GatewayController is the name of a Gateway API controller. It must be a domain prefixed path.
Valid values include:
- “example.com/bar”
Invalid values include:
- “example.com” - must include path
- “foo.example.com” - must include path
GatewayInfrastructure ¶
(Appears on: GatewaySpec)
GatewayInfrastructure defines infrastructure level attributes about a Gateway instance.
Field | Description |
---|---|
labels
map[sigs.k8s.io/gateway-api/apis/v1.LabelKey]sigs.k8s.io/gateway-api/apis/v1.LabelValue
|
(Optional)
Labels that SHOULD be applied to any resources created in response to this Gateway. For implementations creating other Kubernetes objects, this should be the An implementation may chose to add additional implementation-specific labels as they see fit. If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels change, it SHOULD clearly warn about this behavior in documentation. Support: Extended |
annotations
map[sigs.k8s.io/gateway-api/apis/v1.AnnotationKey]sigs.k8s.io/gateway-api/apis/v1.AnnotationValue
|
(Optional)
Annotations that SHOULD be applied to any resources created in response to this Gateway. For implementations creating other Kubernetes objects, this should be the An implementation may chose to add additional implementation-specific annotations as they see fit. Support: Extended |
parametersRef
LocalParametersReference
|
(Optional)
ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the Gateway. This is optional if the controller does not require any additional configuration. This follows the same semantics as GatewayClass’s The Gateway’s GatewayClass may provide its own Support: Implementation-specific |
GatewaySpec ¶
(Appears on: Gateway, Gateway)
GatewaySpec defines the desired state of Gateway.
Not all possible combinations of options specified in the Spec are valid. Some invalid configurations can be caught synchronously via CRD validation, but there are many cases that will require asynchronous signaling via the GatewayStatus block.
Field | Description |
---|---|
gatewayClassName
ObjectName
|
GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. |
listeners
[]Listener
|
Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway’s addresses. At least one Listener MUST be specified. Each Listener in a set of Listeners (for example, in a single Gateway) MUST be distinct, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses “set of Listeners” rather than “Listeners in a single Gateway” because implementations MAY merge configuration from multiple Gateways onto a single data plane, and these rules also apply in that case). Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname. Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on their targeted conformance profile: HTTP Profile
TLS Profile
“Distinct” Listeners have the following property: The implementation can match inbound requests to a single distinct Listener. When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields. For example, the following Listener scenarios are distinct:
Some fields in the Listener struct have possible values that affect whether the Listener is distinct. Hostname is particularly relevant for HTTP or HTTPS protocols. When using the Hostname value to select between same-Port, same-Protocol Listeners, the Hostname value must be different on each Listener for the Listener to be distinct. When the Listeners are distinct based on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes. Exact matches must be processed before wildcard matches, and wildcard
matches must be processed before fallback (empty Hostname value)
matches. For example, Additionally, if there are multiple wildcard entries, more specific
wildcard entries must be processed before less specific wildcard entries.
For example, The wildcard character will match any number of characters and dots to
the left, however, so If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the “Conflicted” condition in the Listener Status to “True”. Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners. To put this another way, implementations may accept a partial Listener set only if they throw out all the conflicting Listeners. No picking one of the conflicting listeners as the winner. This also means that the Gateway must have at least one non-conflicting Listener in this case, otherwise it violates the requirement that at least one Listener must be present. The implementation MUST set a “ListenersNotValid” condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly indicate in the Message which Listeners are conflicted, and which are Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted. A Gateway’s Listeners are considered “compatible” if:
Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another. For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct. Note that requests SHOULD match at most one Listener. For example, if Listeners are defined for “foo.example.com” and “.example.com”, a request to “foo.example.com” SHOULD only be routed using routes attached to the “foo.example.com” Listener (and not the “.example.com” Listener). This concept is known as “Listener Isolation”. Implementations that do not support Listener Isolation MUST clearly document this. Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible. Support: Core |
addresses
[]GatewayAddress
|
(Optional)
Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. The Addresses field represents a request for the address(es) on the “outside of the Gateway”, that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. Support: Extended |
infrastructure
GatewayInfrastructure
|
(Optional)
Infrastructure defines infrastructure level attributes about this Gateway instance. Support: Extended |
backendTLS
GatewayBackendTLS
|
(Optional)
BackendTLS configures TLS settings for when this Gateway is connecting to backends with TLS. Support: Core |
GatewayStatus ¶
(Appears on: Gateway, Gateway)
GatewayStatus defines the observed state of Gateway.
Field | Description |
---|---|
addresses
[]GatewayStatusAddress
|
(Optional)
Addresses lists the network addresses that have been bound to the Gateway. This list may differ from the addresses provided in the spec under some conditions:
|
conditions
[]Kubernetes meta/v1.Condition
|
(Optional)
Conditions describe the current conditions of the Gateway. Implementations should prefer to express Gateway conditions
using the Known condition types are:
|
listeners
[]ListenerStatus
|
(Optional)
Listeners provide status for each unique listener port defined in the Spec. |
GatewayStatusAddress ¶
(Appears on: GatewayStatus)
GatewayStatusAddress describes a network address that is bound to a Gateway.
Field | Description |
---|---|
type
AddressType
|
(Optional)
Type of the address. |
value
string
|
Value of the address. The validity of the values will depend on the type and support by the controller. Examples: |
GatewayTLSConfig ¶
(Appears on: Listener)
GatewayTLSConfig describes a TLS configuration.
Field | Description |
---|---|
mode
TLSModeType
|
(Optional)
Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes:
Support: Core |
certificateRefs
[]SecretObjectReference
|
(Optional)
CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. A single CertificateRef to a Kubernetes Secret has “Core” support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason. This field is required to have at least one element when the mode is set to “Terminate” (default) and is optional otherwise. CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls Support: Implementation-specific (More than one reference or other resource types) |
frontendValidation
FrontendTLSValidation
|
(Optional)
FrontendValidation holds configuration information for validating the frontend (client). Setting this field will require clients to send a client certificate required for validation during the TLS handshake. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific. Support: Extended |
options
map[sigs.k8s.io/gateway-api/apis/v1.AnnotationKey]sigs.k8s.io/gateway-api/apis/v1.AnnotationValue
|
(Optional)
Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. A set of common keys MAY be defined by the API in the future. To avoid
any ambiguity, implementation-specific definitions MUST use
domain-prefixed names, such as Support: Implementation-specific |
Group
(string
alias)¶
(Appears on: BackendObjectReference, LocalObjectReference, LocalParametersReference, ObjectReference, ParametersReference, ParentReference, RouteGroupKind, SecretObjectReference, LocalPolicyTargetReference, NamespacedPolicyTargetReference, ReferenceGrantFrom, ReferenceGrantTo)
Group refers to a Kubernetes Group. It must either be an empty string or a RFC 1123 subdomain.
This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208
Valid values include:
- ”” - empty string implies core Kubernetes API group
- “networking.k8s.io”
- “foo.example.com”
Invalid values include:
- “example.com/bar” - “/” is an invalid character
HTTPBackendRef ¶
(Appears on: HTTPRouteRule)
HTTPBackendRef defines how a HTTPRoute should forward an HTTP request.
Field | Description |
---|---|
BackendRef
BackendRef
|
(Members of BackendRef is a reference to a backend to forward matched requests to. A BackendRef can be invalid for the following reasons. In all cases, the
implementation MUST ensure the A BackendRef is invalid if:
Support: Core for Kubernetes Service Support: Implementation-specific for any other resource Support for weight: Core Support for Kubernetes Service appProtocol: Extended Support for BackendTLSPolicy: Experimental and ImplementationSpecific |
filters
[]HTTPRouteFilter
|
(Optional)
Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.) |
HTTPHeader ¶
(Appears on: HTTPHeaderFilter)
HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
Field | Description |
---|---|
name
HTTPHeaderName
|
Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent. |
value
string
|
Value is the value of HTTP Header to be matched. |
HTTPHeaderFilter ¶
(Appears on: GRPCRouteFilter, HTTPRouteFilter)
HTTPHeaderFilter defines a filter that modifies the headers of an HTTP request or response.
Field | Description |
---|---|
set
[]HTTPHeader
|
(Optional)
Set overwrites the request with the given header (name, value) before the action. Input: GET /foo HTTP/1.1 my-header: foo Config: set: - name: “my-header” value: “bar” Output: GET /foo HTTP/1.1 my-header: bar |
add
[]HTTPHeader
|
(Optional)
Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. Input: GET /foo HTTP/1.1 my-header: foo Config: add: - name: “my-header” value: “bar,baz” Output: GET /foo HTTP/1.1 my-header: foo,bar,baz |
remove
[]string
|
(Optional)
Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz Config: remove: [“my-header1”, “my-header3”] Output: GET /foo HTTP/1.1 my-header2: bar |
HTTPHeaderMatch ¶
(Appears on: HTTPRouteMatch)
HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.
Field | Description |
---|---|
type
HeaderMatchType
|
(Optional)
Type specifies how to match against the value of the header. Support: Core (Exact) Support: Implementation-specific (RegularExpression) Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation’s documentation to determine the supported dialect. |
name
HTTPHeaderName
|
Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent. When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for “Set-Cookie”. |
value
string
|
Value is the value of HTTP Header to be matched. |
HTTPHeaderName
(string
alias)¶
(Appears on: HTTPHeader, HTTPHeaderMatch, HTTPQueryParamMatch)
HTTPHeaderName is the name of an HTTP header.
Valid values include: * “Authorization” * “Set-Cookie”
Invalid values include:
”:method” - “:” is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type.
”/invalid” - “/” is an invalid character
HTTPMethod
(string
alias)¶
(Appears on: HTTPRouteMatch)
HTTPMethod describes how to select a HTTP route by matching the HTTP method as defined by RFC 7231 and RFC 5789. The value is expected in upper case.
Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False
, with a
Reason of UnsupportedValue
.
Value | Description |
---|---|
"CONNECT" |
|
"DELETE" |
|
"GET" |
|
"HEAD" |
|
"OPTIONS" |
|
"PATCH" |
|
"POST" |
|
"PUT" |
|
"TRACE" |
HTTPPathMatch ¶
(Appears on: HTTPRouteMatch)
HTTPPathMatch describes how to select a HTTP route by matching the HTTP request path.
Field | Description |
---|---|
type
PathMatchType
|
(Optional)
Type specifies how to match against the path Value. Support: Core (Exact, PathPrefix) Support: Implementation-specific (RegularExpression) |
value
string
|
(Optional)
Value of the HTTP path to match against. |
HTTPPathModifier ¶
(Appears on: HTTPRequestRedirectFilter, HTTPURLRewriteFilter)
HTTPPathModifier defines configuration for path modifiers. gateway:experimental
Field | Description | ||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
type
HTTPPathModifierType
|
Type defines the type of path modifier. Additional types may be added in a future release of the API. Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. Unknown values here must result in the implementation setting the
Accepted Condition for the Route to |
||||||||||||||||||||||||||||||||||||||||||||||||
replaceFullPath
string
|
(Optional)
ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. |
||||||||||||||||||||||||||||||||||||||||||||||||
replacePrefixMatch
string
|
(Optional)
ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to “/foo/bar” with a prefix match of “/foo” and a ReplacePrefixMatch of “/xyz” would be modified to “/xyz/bar”. Note that this matches the behavior of the PathPrefix match type. This
matches full path elements. A path element refers to the list of labels
in the path split by the ReplacePrefixMatch is only compatible with a
|
HTTPPathModifierType
(string
alias)¶
(Appears on: HTTPPathModifier)
HTTPPathModifierType defines the type of path redirect or rewrite.
Value | Description |
---|---|
"ReplaceFullPath" |
This type of modifier indicates that the full path will be replaced by the specified value. |
"ReplacePrefixMatch" |
This type of modifier indicates that any prefix path matches will be replaced by the substitution value. For example, a path with a prefix match of “/foo” and a ReplacePrefixMatch substitution of “/bar” will have the “/foo” prefix replaced with “/bar” in matching requests. Note that this matches the behavior of the PathPrefix match type. This
matches full path elements. A path element refers to the list of labels
in the path split by the |
HTTPQueryParamMatch ¶
(Appears on: HTTPRouteMatch)
HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters.
Field | Description |
---|---|
type
QueryParamMatchType
|
(Optional)
Type specifies how to match against the value of the query parameter. Support: Extended (Exact) Support: Implementation-specific (RegularExpression) Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation’s documentation to determine the supported dialect. |
name
HTTPHeaderName
|
Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is recommended that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations. |
value
string
|
Value is the value of HTTP query param to be matched. |
HTTPRequestMirrorFilter ¶
(Appears on: GRPCRouteFilter, HTTPRouteFilter)
HTTPRequestMirrorFilter defines configuration for the RequestMirror filter.
Field | Description |
---|---|
backendRef
BackendObjectReference
|
BackendRef references a resource where mirrored requests are sent. Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. If the referent cannot be found, this BackendRef is invalid and must be
dropped from the Gateway. The controller must ensure the “ResolvedRefs”
condition on the Route status is set to If there is a cross-namespace reference to an existing object
that is not allowed by a ReferenceGrant, the controller must ensure the
“ResolvedRefs” condition on the Route is set to In either error case, the Message of the Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource |
percent
int32
|
(Optional)
Percent represents the percentage of requests that should be mirrored to BackendRef. Its minimum value is 0 (indicating 0% of requests) and its maximum value is 100 (indicating 100% of requests). Only one of Fraction or Percent may be specified. If neither field is specified, 100% of requests will be mirrored. |
fraction
Fraction
|
(Optional)
Fraction represents the fraction of requests that should be mirrored to BackendRef. Only one of Fraction or Percent may be specified. If neither field is specified, 100% of requests will be mirrored. |
HTTPRequestRedirectFilter ¶
(Appears on: HTTPRouteFilter)
HTTPRequestRedirect defines a filter that redirects a request. This filter MUST NOT be used on the same Route rule as a HTTPURLRewrite filter.
Field | Description |
---|---|
scheme
string
|
(Optional)
Scheme is the scheme to be used in the value of the Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. Unknown values here must result in the implementation setting the
Accepted Condition for the Route to Support: Extended |
hostname
PreciseHostname
|
(Optional)
Hostname is the hostname to be used in the value of the Support: Core |
path
HTTPPathModifier
|
(Optional)
Path defines parameters used to modify the path of the incoming request.
The modified path is then used to construct the Support: Extended |
port
PortNumber
|
(Optional)
Port is the port to be used in the value of the If no port is specified, the redirect port MUST be derived using the following rules:
Implementations SHOULD NOT add the port number in the ‘Location’ header in the following cases:
Support: Extended |
statusCode
int
|
(Optional)
StatusCode is the HTTP status code to be used in response. Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. Unknown values here must result in the implementation setting the
Accepted Condition for the Route to Support: Core |
HTTPRouteFilter ¶
(Appears on: HTTPBackendRef, HTTPRouteRule)
HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.
Field | Description |
---|---|
type
HTTPRouteFilterType
|
Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels:
Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. Unknown values here must result in the implementation setting the
Accepted Condition for the Route to |
requestHeaderModifier
HTTPHeaderFilter
|
(Optional)
RequestHeaderModifier defines a schema for a filter that modifies request headers. Support: Core |
responseHeaderModifier
HTTPHeaderFilter
|
(Optional)
ResponseHeaderModifier defines a schema for a filter that modifies response headers. Support: Extended |
requestMirror
HTTPRequestMirrorFilter
|
(Optional)
RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. Support: Extended |
requestRedirect
HTTPRequestRedirectFilter
|
(Optional)
RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. Support: Core |
urlRewrite
HTTPURLRewriteFilter
|
(Optional)
URLRewrite defines a schema for a filter that modifies a request during forwarding. Support: Extended |
extensionRef
LocalObjectReference
|
(Optional)
ExtensionRef is an optional, implementation-specific extension to the “filter” behavior. For example, resource “myroutefilter” in group “networking.example.net”). ExtensionRef MUST NOT be used for core and extended filters. This filter can be used multiple times within the same rule. Support: Implementation-specific |
HTTPRouteFilterType
(string
alias)¶
(Appears on: HTTPRouteFilter)
HTTPRouteFilterType identifies a type of HTTPRoute filter.
Value | Description |
---|---|
"ExtensionRef" |
HTTPRouteFilterExtensionRef should be used for configuring custom HTTP filters. Support in HTTPRouteRule: Implementation-specific Support in HTTPBackendRef: Implementation-specific |
"RequestHeaderModifier" |
HTTPRouteFilterRequestHeaderModifier can be used to add or remove an HTTP header from an HTTP request before it is sent to the upstream target. Support in HTTPRouteRule: Core Support in HTTPBackendRef: Extended |
"RequestMirror" |
HTTPRouteFilterRequestMirror can be used to mirror HTTP requests to a different backend. The responses from this backend MUST be ignored by the Gateway. Support in HTTPRouteRule: Extended Support in HTTPBackendRef: Extended |
"RequestRedirect" |
HTTPRouteFilterRequestRedirect can be used to redirect a request to another location. This filter can also be used for HTTP to HTTPS redirects. This may not be used on the same Route rule or BackendRef as a URLRewrite filter. Support in HTTPRouteRule: Core Support in HTTPBackendRef: Extended |
"ResponseHeaderModifier" |
HTTPRouteFilterResponseHeaderModifier can be used to add or remove an HTTP header from an HTTP response before it is sent to the client. Support in HTTPRouteRule: Extended Support in HTTPBackendRef: Extended |
"URLRewrite" |
HTTPRouteFilterURLRewrite can be used to modify a request during forwarding. At most one of these filters may be used on a Route rule. This may not be used on the same Route rule or BackendRef as a RequestRedirect filter. Support in HTTPRouteRule: Extended Support in HTTPBackendRef: Extended |
HTTPRouteMatch ¶
(Appears on: HTTPRouteRule)
HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied.
For example, the match below will match a HTTP request only if its path
starts with /foo
AND it contains the version: v1
header:
match:
path:
value: "/foo"
headers:
- name: "version"
value "v1"
Field | Description |
---|---|
path
HTTPPathMatch
|
(Optional)
Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the “/” path is provided. |
headers
[]HTTPHeaderMatch
|
(Optional)
Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. |
queryParams
[]HTTPQueryParamMatch
|
(Optional)
QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. Support: Extended |
method
HTTPMethod
|
(Optional)
Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. Support: Extended |
HTTPRouteRetry ¶
(Appears on: HTTPRouteRule)
HTTPRouteRetry defines retry configuration for an HTTPRoute.
Implementations SHOULD retry on connection errors (disconnect, reset, timeout, TCP failure) if a retry stanza is configured.
Field | Description |
---|---|
codes
[]HTTPRouteRetryStatusCode
|
(Optional)
Codes defines the HTTP response status codes for which a backend request should be retried. Support: Extended |
attempts
int
|
(Optional)
Attempts specifies the maximum number of times an individual request from the gateway to a backend should be retried. If the maximum number of retries has been attempted without a successful response from the backend, the Gateway MUST return an error. When this field is unspecified, the number of times to attempt to retry a backend request is implementation-specific. Support: Extended |
backoff
Duration
|
(Optional)
Backoff specifies the minimum duration a Gateway should wait between retry attempts and is represented in Gateway API Duration formatting. For example, setting the An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to some amount greater than the specified minimum, and MAY add arbitrary jitter to stagger requests, as long as unsuccessful backend requests are not retried before the configured minimum duration. If a Request timeout ( If a BackendRequest timeout ( If a BackendRequest timeout is not configured on the route, retry attempts MAY time out after an implementation default duration, or MAY remain pending until a configured Request timeout or implementation default duration for total request time is reached. When this field is unspecified, the time to wait between retry attempts is implementation-specific. Support: Extended |
HTTPRouteRetryStatusCode
(int
alias)¶
(Appears on: HTTPRouteRetry)
HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried.
Implementations MUST support the following status codes as retryable:
- 500
- 502
- 503
- 504
Implementations MAY support specifying additional discrete values in the 500-599 range.
Implementations MAY support specifying discrete values in the 400-499 range, which are often inadvisable to retry.
HTTPRouteRule ¶
(Appears on: HTTPRouteSpec)
HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).
Field | Description |
---|---|
name
SectionName
|
(Optional)
Name is the name of the route rule. This name MUST be unique within a Route if it is set. Support: Extended gateway:experimental |
matches
[]HTTPRouteMatch
|
(Optional)
Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. For example, take the following matches configuration:
For a request to match against this rule, a request must satisfy EITHER of the two conditions:
See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. If no matches are specified, the default is a prefix path match on “/”, which has the effect of matching every HTTP request. Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match having:
Note: The precedence of RegularExpression path matches are implementation-specific. If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties:
If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned. |
filters
[]HTTPRouteFilter
|
(Optional)
Filters define the filters that are applied to requests that match this rule. Wherever possible, implementations SHOULD implement filters in the order they are specified. Implementations MAY choose to implement this ordering strictly, rejecting any combination or order of filters that can not be supported. If implementations choose a strict interpretation of filter ordering, they MUST clearly document that behavior. To reject an invalid combination or order of filters, implementations SHOULD consider the Route Rules with this configuration invalid. If all Route Rules in a Route are invalid, the entire Route would be considered invalid. If only a portion of Route Rules are invalid, implementations MUST set the “PartiallyInvalid” condition for the Route. Conformance-levels at this level are defined based on the type of filter:
Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. All filters are expected to be compatible with each other except for the
URLRewrite and RequestRedirect filters, which may not be combined. If an
implementation can not support other combinations of filters, they must clearly
document that limitation. In cases where incompatible or unsupported
filters are specified and cause the Support: Core |
backendRefs
[]HTTPBackendRef
|
(Optional)
BackendRefs defines the backend(s) where matching requests should be sent. Failure behavior here depends on how many BackendRefs are specified and how many are invalid. If all entries in BackendRefs are invalid, and there are also no filters specified in this route rule, all traffic which matches this rule MUST receive a 500 status code. See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. When a HTTPBackendRef refers to a Service that has no ready endpoints, implementations SHOULD return a 503 for requests to that backend instead. If an implementation chooses to do this, all of the above rules for 500 responses MUST also apply for responses that return a 503. Support: Core for Kubernetes Service Support: Extended for Kubernetes ServiceImport Support: Implementation-specific for any other resource Support for weight: Core |
timeouts
HTTPRouteTimeouts
|
(Optional)
Timeouts defines the timeouts that can be configured for an HTTP request. Support: Extended |
retry
HTTPRouteRetry
|
(Optional)
Retry defines the configuration for when to retry an HTTP request. Support: Extended |
sessionPersistence
SessionPersistence
|
(Optional)
SessionPersistence defines and configures session persistence for the route rule. Support: Extended |
HTTPRouteSpec ¶
(Appears on: HTTPRoute, HTTPRoute)
HTTPRouteSpec defines the desired state of HTTPRoute
Field | Description |
---|---|
CommonRouteSpec
CommonRouteSpec
|
(Members of |
hostnames
[]Hostname
|
(Optional)
Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPRoute used to process the request. Implementations MUST ignore any port value specified in the HTTP Host header while performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend. Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions:
If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example:
Hostnames that are prefixed with a wildcard label ( If both the Listener and HTTPRoute have specified hostnames, any
HTTPRoute hostnames that do not match the Listener hostname MUST be
ignored. For example, if a Listener specified If both the Listener and HTTPRoute have specified hostnames, and none
match with the criteria above, then the HTTPRoute is not accepted. The
implementation must raise an ‘Accepted’ Condition with a status of
In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of:
If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. Support: Core |
rules
[]HTTPRouteRule
|
(Optional)
Rules are a list of HTTP matchers, filters and actions. |
HTTPRouteStatus ¶
(Appears on: HTTPRoute, HTTPRoute)
HTTPRouteStatus defines the observed state of HTTPRoute.
Field | Description |
---|---|
RouteStatus
RouteStatus
|
(Members of |
HTTPRouteTimeouts ¶
(Appears on: HTTPRouteRule)
HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute.
Field | Description |
---|---|
request
Duration
|
(Optional)
Request specifies the maximum duration for a gateway to respond to an HTTP request. If the gateway has not been able to respond before this deadline is met, the gateway MUST return a timeout error. For example, setting the Setting a timeout to the zero duration (e.g. “0s”) SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. This timeout is intended to cover as close to the whole request-response transaction as possible although an implementation MAY choose to start the timeout after the entire request stream has been received instead of immediately after the transaction is initiated by the client. The value of Request is a Gateway API Duration string as defined by GEP-2257. When this field is unspecified, request timeout behavior is implementation-specific. Support: Extended |
backendRequest
Duration
|
(Optional)
BackendRequest specifies a timeout for an individual request from the gateway to a backend. This covers the time from when the request first starts being sent from the gateway to when the full response has been received from the backend. Setting a timeout to the zero duration (e.g. “0s”) SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. An entire client HTTP transaction with a gateway, covered by the Request timeout, may result in more than one call from the gateway to the destination backend, for example, if automatic retries are supported. The value of BackendRequest must be a Gateway API Duration string as defined by GEP-2257. When this field is unspecified, its behavior is implementation-specific; when specified, the value of BackendRequest must be no more than the value of the Request timeout (since the Request timeout encompasses the BackendRequest timeout). Support: Extended |
HTTPURLRewriteFilter ¶
(Appears on: HTTPRouteFilter)
HTTPURLRewriteFilter defines a filter that modifies a request during forwarding. At most one of these filters may be used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequestRedirect filter.
Support: Extended
Field | Description |
---|---|
hostname
PreciseHostname
|
(Optional)
Hostname is the value to be used to replace the Host header value during forwarding. Support: Extended |
path
HTTPPathModifier
|
(Optional)
Path defines a path rewrite. Support: Extended |
HeaderMatchType
(string
alias)¶
(Appears on: HTTPHeaderMatch)
HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values, along with their conformance levels, are:
- “Exact” - Core
- “RegularExpression” - Implementation Specific
Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False
, with a
Reason of UnsupportedValue
.
Value | Description |
---|---|
"Exact" |
|
"RegularExpression" |
HeaderName
(string
alias)¶
HeaderName is the name of a header or query parameter.
Hostname
(string
alias)¶
(Appears on: GRPCRouteSpec, HTTPRouteSpec, Listener, TLSRouteSpec, SubjectAltName)
Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:
- IPs are not allowed.
- A hostname may be prefixed with a wildcard label (
*.
). The wildcard label must appear by itself as the first label.
Hostname can be “precise” which is a domain name without the terminating
dot of a network host (e.g. “foo.example.com”) or “wildcard”, which is a
domain name prefixed with a single wildcard label (e.g. *.example.com
).
Note that as per RFC1035 and RFC1123, a label must consist of lower case alphanumeric characters or ‘-’, and must start and end with an alphanumeric character. No other punctuation is allowed.
Kind
(string
alias)¶
(Appears on: BackendObjectReference, LocalObjectReference, LocalParametersReference, ObjectReference, ParametersReference, ParentReference, RouteGroupKind, SecretObjectReference, LocalPolicyTargetReference, NamespacedPolicyTargetReference, ReferenceGrantFrom, ReferenceGrantTo)
Kind refers to a Kubernetes Kind.
Valid values include:
- “Service”
- “HTTPRoute”
Invalid values include:
- “invalid/kind” - “/” is an invalid character
LabelKey
(string
alias)¶
LabelKey is the key of a label in the Gateway API. This is used for validation of maps such as Gateway infrastructure labels. This matches the Kubernetes “qualified name” validation that is used for labels.
Valid values include:
- example
- example.com
- example.com/path
- example.com/path.html
Invalid values include:
- example~ - “~” is an invalid character
- example.com. - can not start or end with “.”
LabelValue
(string
alias)¶
(Appears on: GatewayInfrastructure)
LabelValue is the value of a label in the Gateway API. This is used for validation of maps such as Gateway infrastructure labels. This matches the Kubernetes label validation rules: * must be 63 characters or less (can be empty), * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
Valid values include:
- MyValue
- my.name
- 123-my-value
Listener ¶
(Appears on: GatewaySpec)
Listener embodies the concept of a logical endpoint where a Gateway accepts network connections.
Field | Description |
---|---|
name
SectionName
|
Name is the name of the Listener. This name MUST be unique within a Gateway. Support: Core |
hostname
Hostname
|
(Optional)
Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don’t require hostname based matching. Implementations MUST apply Hostname matching appropriately for each of the following protocols:
For HTTPRoute and TLSRoute resources, there is an interaction with the
Hostnames that are prefixed with a wildcard label ( Support: Core |
port
PortNumber
|
Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. Support: Core |
protocol
ProtocolType
|
Protocol specifies the network protocol this listener expects to receive. Support: Core |
tls
GatewayTLSConfig
|
(Optional)
TLS is the TLS configuration for the Listener. This field is required if the Protocol field is “HTTPS” or “TLS”. It is invalid to set this field if the Protocol field is “HTTP”, “TCP”, or “UDP”. The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. Support: Core |
allowedRoutes
AllowedRoutes
|
(Optional)
AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria:
All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. Support: Core |
ListenerConditionReason
(string
alias)¶
ListenerConditionReason defines the set of reasons that explain why a particular Listener condition type has been raised.
Value | Description |
---|---|
"Accepted" |
This reason is used with the “Accepted” condition when the condition is True. |
"Attached" |
This reason is used with the “Detached” condition when the condition is False. Deprecated: use the “Accepted” condition with reason “Accepted” instead. |
"HostnameConflict" |
This reason is used with the “Conflicted” condition when
the Listener conflicts with hostnames in other Listeners. For
example, this reason would be used when multiple Listeners on
the same port use |
"Invalid" |
This reason is used with the “Ready” and “Programmed” conditions when the Listener is syntactically or semantically invalid. |
"InvalidCertificateRef" |
This reason is used with the “ResolvedRefs” condition when the Listener has a TLS configuration with at least one TLS CertificateRef that is invalid or does not exist. A CertificateRef is considered invalid when it refers to a nonexistent or unsupported resource or kind, or when the data within that resource is malformed. This reason must be used only when the reference is allowed, either by referencing an object in the same namespace as the Gateway, or when a cross-namespace reference has been explicitly allowed by a ReferenceGrant. If the reference is not allowed, the reason RefNotPermitted must be used instead. |
"InvalidRouteKinds" |
This reason is used with the “ResolvedRefs” condition when an invalid or unsupported Route kind is specified by the Listener. |
"NoConflicts" |
This reason is used with the “Conflicted” condition when the condition is False. |
"Pending" |
This reason is used with the “Accepted”, “Ready” and “Programmed” conditions when the Listener is either not yet reconciled or not yet not online and ready to accept client traffic. |
"PortUnavailable" |
This reason is used with the “Accepted” condition when the Listener requests a port that cannot be used on the Gateway. This reason could be used in a number of instances, including:
|
"Programmed" |
This reason is used with the “Programmed” condition when the condition is true. |
"ProtocolConflict" |
This reason is used with the “Conflicted” condition when multiple Listeners are specified with the same Listener port number, but have conflicting protocol specifications. |
"Ready" |
Deprecated: Ready is reserved for future use |
"RefNotPermitted" |
This reason is used with the “ResolvedRefs” condition when the Listener has a TLS configuration that references an object in another namespace, where the object in the other namespace does not have a ReferenceGrant explicitly allowing the reference. |
"ResolvedRefs" |
This reason is used with the “ResolvedRefs” condition when the condition is true. |
"UnsupportedProtocol" |
This reason is used with the “Accepted” condition when the Listener could not be attached to be Gateway because its protocol type is not supported. |
ListenerConditionType
(string
alias)¶
ListenerConditionType is a type of condition associated with the listener. This type should be used with the ListenerStatus.Conditions field.
Value | Description |
---|---|
"Accepted" |
This condition indicates that the listener is syntactically and semantically valid, and that all features used in the listener’s spec are supported. In general, a Listener will be marked as Accepted when the supplied configuration will generate at least some data plane configuration. For example, a Listener with an unsupported protocol will never generate
any data plane config, and so will have Accepted set to Possible reasons for this condition to be True are:
Possible reasons for this condition to be False are:
Possible reasons for this condition to be Unknown are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
"Conflicted" |
This condition indicates that the controller was unable to resolve conflicting specification requirements for this Listener. If a Listener is conflicted, its network port should not be configured on any network elements. Possible reasons for this condition to be true are:
Possible reasons for this condition to be False are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
"Detached" |
Deprecated: use “Accepted” instead. |
"Programmed" |
This condition indicates whether a Listener has generated some configuration that will soon be ready in the underlying data plane. It is a positive-polarity summary condition, and so should always be present on the resource with ObservedGeneration set. It should be set to Unknown if the controller performs updates to the status before it has all the information it needs to be able to determine if the condition is true. Possible reasons for this condition to be True are:
Possible reasons for this condition to be False are:
Possible reasons for this condition to be Unknown are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
"Ready" |
“Ready” is a condition type reserved for future use. It should not be used by implementations. Note: This condition is not really “deprecated”, but rather “reserved”; however, deprecated triggers Go linters to alert about usage. If used in the future, “Ready” will represent the final state where all configuration is confirmed good
and has completely propagated to the data plane. That is, it is a guarantee that, as soon as something
sees the Condition as This is a very strong guarantee, and to date no implementation has satisfied it enough to implement it. This reservation can be discussed in the future if necessary. Deprecated: Ready is reserved for future use |
"ResolvedRefs" |
This condition indicates whether the controller was able to resolve all the object references for the Listener. Possible reasons for this condition to be true are:
Possible reasons for this condition to be False are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
ListenerStatus ¶
(Appears on: GatewayStatus)
ListenerStatus is the status associated with a Listener.
Field | Description |
---|---|
name
SectionName
|
Name is the name of the Listener that this status corresponds to. |
supportedKinds
[]RouteGroupKind
|
SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the “ResolvedRefs” condition to “False” with the “InvalidRouteKinds” reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified. |
attachedRoutes
int32
|
AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route’s ParentRefs field. A Route is successfully attached to a Listener when it is selected by the Listener’s AllowedRoutes field AND the Route has a valid ParentRef selecting the whole Gateway resource or a specific Listener as a parent resource (more detail on attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. |
conditions
[]Kubernetes meta/v1.Condition
|
Conditions describe the current condition of this listener. |
LocalObjectReference ¶
(Appears on: GRPCRouteFilter, HTTPRouteFilter, BackendTLSPolicyValidation)
LocalObjectReference identifies an API object within the namespace of the referrer. The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.
References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.
Field | Description |
---|---|
group
Group
|
Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred. |
kind
Kind
|
Kind is kind of the referent. For example “HTTPRoute” or “Service”. |
name
ObjectName
|
Name is the name of the referent. |
LocalParametersReference ¶
(Appears on: GatewayInfrastructure)
LocalParametersReference identifies an API object containing controller-specific configuration resource within the namespace.
Field | Description |
---|---|
group
Group
|
Group is the group of the referent. |
kind
Kind
|
Kind is kind of the referent. |
name
string
|
Name is the name of the referent. |
Namespace
(string
alias)¶
(Appears on: BackendObjectReference, ObjectReference, ParametersReference, ParentReference, SecretObjectReference, NamespacedPolicyTargetReference, ReferenceGrantFrom)
Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.
This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187
This is used for Namespace name validation here: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63
Valid values include:
- “example”
Invalid values include:
- “example.com” - “.” is an invalid character
ObjectName
(string
alias)¶
(Appears on: BackendObjectReference, GatewaySpec, LocalObjectReference, ObjectReference, ParentReference, SecretObjectReference, LocalPolicyTargetReference, NamespacedPolicyTargetReference, ReferenceGrantTo)
ObjectName refers to the name of a Kubernetes object. Object names can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
ObjectReference ¶
(Appears on: FrontendTLSValidation)
ObjectReference identifies an API object including its namespace.
The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.
References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.
Field | Description |
---|---|
group
Group
|
Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred. |
kind
Kind
|
Kind is kind of the referent. For example “ConfigMap” or “Service”. |
name
ObjectName
|
Name is the name of the referent. |
namespace
Namespace
|
(Optional)
Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core |
ParametersReference ¶
(Appears on: GatewayClassSpec)
ParametersReference identifies an API object containing controller-specific configuration resource within the cluster.
Field | Description |
---|---|
group
Group
|
Group is the group of the referent. |
kind
Kind
|
Kind is kind of the referent. |
name
string
|
Name is the name of the referent. |
namespace
Namespace
|
(Optional)
Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. |
ParentReference ¶
(Appears on: CommonRouteSpec, RouteParentStatus, PolicyAncestorStatus)
ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with “Core” support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute.
Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference.
The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.
Field | Description |
---|---|
group
Group
|
(Optional)
Group is the group of the referent. When unspecified, “gateway.networking.k8s.io” is inferred. To set the core API group (such as for a “Service” kind referent), Group must be explicitly set to “” (empty string). Support: Core |
kind
Kind
|
(Optional)
Kind is kind of the referent. There are two kinds of parent resources with “Core” support:
Support for other resources is Implementation-Specific. |
namespace
Namespace
|
(Optional)
Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. gateway:experimental:description ParentRefs from a Route to a Service in the same namespace are “producer” routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are “consumer” routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. /gateway:experimental:description Support: Core |
name
ObjectName
|
Name is the name of the referent. Support: Core |
sectionName
SectionName
|
(Optional)
SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following:
Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Core |
port
PortNumber
|
(Optional)
Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It’s not recommended to set gateway:experimental:description When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. /gateway:experimental:description Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Extended |
PathMatchType
(string
alias)¶
(Appears on: HTTPPathMatch)
PathMatchType specifies the semantics of how HTTP paths should be compared. Valid PathMatchType values, along with their conformance level, are:
- “Exact” - Core
- “PathPrefix” - Core
- “RegularExpression” - Implementation Specific
PathPrefix and Exact paths must be syntactically valid:
- Must begin with the
/
character - Must not contain consecutive
/
characters (e.g./foo///
,//
).
Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False
, with a
Reason of UnsupportedValue
.
Value | Description |
---|---|
"Exact" |
Matches the URL path exactly and with case sensitivity. This means that
an exact path match on |
"PathPrefix" |
Matches based on a URL path prefix split by For example, the paths “PathPrefix” is semantically equivalent to the “Prefix” path type in the Kubernetes Ingress API. |
"RegularExpression" |
Matches if the URL path matches the given regular expression with case sensitivity. Since |
PortNumber
(int32
alias)¶
(Appears on: BackendObjectReference, HTTPRequestRedirectFilter, Listener, ParentReference)
PortNumber defines a network port.
PreciseHostname
(string
alias)¶
(Appears on: HTTPRequestRedirectFilter, HTTPURLRewriteFilter, BackendTLSPolicyValidation)
PreciseHostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 1 notable exception that numeric IP addresses are not allowed.
Note that as per RFC1035 and RFC1123, a label must consist of lower case alphanumeric characters or ‘-’, and must start and end with an alphanumeric character. No other punctuation is allowed.
ProtocolType
(string
alias)¶
(Appears on: Listener)
ProtocolType defines the application protocol accepted by a Listener. Implementations are not required to accept all the defined protocols. If an implementation does not support a specified protocol, it MUST set the “Accepted” condition to False for the affected Listener with a reason of “UnsupportedProtocol”.
Core ProtocolType values are listed in the table below.
Implementations can define their own protocols if a core ProtocolType does not
exist. Such definitions must use prefixed name, such as
mycompany.com/my-custom-protocol
. Un-prefixed names are reserved for core
protocols. Any protocol defined by implementations will fall under
implementation-specific conformance.
Valid values include:
- “HTTP” - Core support
- “example.com/bar” - Implementation-specific support
Invalid values include:
- “example.com” - must include path if domain is used
- “foo.example.com” - must include path if domain is used
Value | Description |
---|---|
"HTTP" |
Accepts cleartext HTTP/1.1 sessions over TCP. Implementations MAY also support HTTP/2 over cleartext. If implementations support HTTP/2 over cleartext on “HTTP” listeners, that MUST be clearly documented by the implementation. |
"HTTPS" |
Accepts HTTP/1.1 or HTTP/2 sessions over TLS. |
"TCP" |
Accepts TCP sessions. |
"TLS" |
Accepts TLS sessions over TCP. |
"UDP" |
Accepts UDP packets. |
QueryParamMatchType
(string
alias)¶
(Appears on: HTTPQueryParamMatch)
QueryParamMatchType specifies the semantics of how HTTP query parameter values should be compared. Valid QueryParamMatchType values, along with their conformance levels, are:
- “Exact” - Core
- “RegularExpression” - Implementation Specific
Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False
, with a
Reason of UnsupportedValue
.
Value | Description |
---|---|
"Exact" |
|
"RegularExpression" |
RouteConditionReason
(string
alias)¶
RouteConditionReason is a reason for a route condition.
Value | Description |
---|---|
"Accepted" |
This reason is used with the “Accepted” condition when the Route has been accepted by the Gateway. |
"BackendNotFound" |
This reason is used with the “ResolvedRefs” condition when one of the Route’s rules has a reference to a resource that does not exist. |
"IncompatibleFilters" |
This reason is used with the “Accepted” condition when there are incompatible filters present on a route rule (for example if the URLRewrite and RequestRedirect are both present on an HTTPRoute). |
"InvalidKind" |
This reason is used with the “ResolvedRefs” condition when one of the Route’s rules has a reference to an unknown or unsupported Group and/or Kind. |
"NoMatchingListenerHostname" |
This reason is used with the “Accepted” condition when the Gateway has no compatible Listeners whose Hostname matches the route |
"NoMatchingParent" |
This reason is used with the “Accepted” condition when there are no matching Parents. In the case of Gateways, this can occur when a Route ParentRef specifies a Port and/or SectionName that does not match any Listeners in the Gateway. |
"NotAllowedByListeners" |
This reason is used with the “Accepted” condition when the route has not been accepted by a Gateway because the Gateway has no Listener whose allowedRoutes criteria permit the route |
"Pending" |
This reason is used with the “Accepted” when a controller has not yet reconciled the route. |
"RefNotPermitted" |
This reason is used with the “ResolvedRefs” condition when one of the Listener’s Routes has a BackendRef to an object in another namespace, where the object in the other namespace does not have a ReferenceGrant explicitly allowing the reference. |
"ResolvedRefs" |
This reason is used with the “ResolvedRefs” condition when the condition is true. |
"UnsupportedProtocol" |
This reason is used with the “ResolvedRefs” condition when one of the Route’s rules has a reference to a resource with an app protocol that is not supported by this implementation. |
"UnsupportedValue" |
This reason is used with the “Accepted” condition when a value for an Enum is not recognized. |
RouteConditionType
(string
alias)¶
RouteConditionType is a type of condition for a route.
Value | Description |
---|---|
"Accepted" |
This condition indicates whether the route has been accepted or rejected by a Gateway, and why. Possible reasons for this condition to be True are:
Possible reasons for this condition to be False are:
Possible reasons for this condition to be Unknown are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
"PartiallyInvalid" |
This condition indicates that the Route contains a combination of both valid and invalid rules. When this happens, implementations MUST take one of the following approaches: 1) Drop Rule(s): With this approach, implementations will drop the invalid Route Rule(s) until they are fully valid again. The message for this condition MUST start with the prefix “Dropped Rule” and include information about which Rules have been dropped. In this state, the “Accepted” condition MUST be set to “True” with the latest generation of the resource. 2) Fall Back: With this approach, implementations will fall back to the last known good state of the entire Route. The message for this condition MUST start with the prefix “Fall Back” and include information about why the current Rule(s) are invalid. To represent this, the “Accepted” condition MUST be set to “True” with the generation of the last known good state of the resource. Reverting to the last known good state should only be done by implementations that have a means of restoring that state if/when they are restarted. This condition MUST NOT be set if a Route is fully valid, fully invalid, or not accepted. By extension, that means that this condition MUST only be set when it is “True”. Possible reasons for this condition to be True are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
"ResolvedRefs" |
This condition indicates whether the controller was able to resolve all the object references for the Route. Possible reasons for this condition to be True are:
Possible reasons for this condition to be False are:
Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability. |
RouteGroupKind ¶
(Appears on: AllowedRoutes, ListenerStatus)
RouteGroupKind indicates the group and kind of a Route resource.
Field | Description |
---|---|
group
Group
|
(Optional)
Group is the group of the Route. |
kind
Kind
|
Kind is the kind of the Route. |
RouteNamespaces ¶
(Appears on: AllowedRoutes)
RouteNamespaces indicate which namespaces Routes should be selected from.
Field | Description |
---|---|
from
FromNamespaces
|
(Optional)
From indicates where Routes will be selected for this Gateway. Possible values are:
Support: Core |
selector
Kubernetes meta/v1.LabelSelector
|
(Optional)
Selector must be specified when From is set to “Selector”. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of “From”. Support: Core |
RouteParentStatus ¶
(Appears on: RouteStatus)
RouteParentStatus describes the status of a route with respect to an associated Parent.
Field | Description |
---|---|
parentRef
ParentReference
|
ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. |
controllerName
GatewayController
|
ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. |
conditions
[]Kubernetes meta/v1.Condition
|
Conditions describes the status of the route with respect to the Gateway. Note that the route’s availability is also subject to the Gateway’s own status conditions and listener status. If the Route’s ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway’s controller has sufficient access, then that Gateway’s controller MUST set the “Accepted” condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. A Route MUST be considered “Accepted” if at least one of the Route’s rules is implemented by the Gateway. There are a number of cases where the “Accepted” condition may not be set due to lack of controller visibility, that includes when:
|
RouteStatus ¶
(Appears on: GRPCRouteStatus, HTTPRouteStatus, TCPRouteStatus, TLSRouteStatus, UDPRouteStatus)
RouteStatus defines the common attributes that all Routes MUST include within their status.
Field | Description |
---|---|
parents
[]RouteParentStatus
|
Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. |
SecretObjectReference ¶
(Appears on: GatewayBackendTLS, GatewayTLSConfig)
SecretObjectReference identifies an API object including its namespace, defaulting to Secret.
The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.
References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.
Field | Description |
---|---|
group
Group
|
(Optional)
Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred. |
kind
Kind
|
(Optional)
Kind is kind of the referent. For example “Secret”. |
name
ObjectName
|
Name is the name of the referent. |
namespace
Namespace
|
(Optional)
Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core |
SectionName
(string
alias)¶
(Appears on: GRPCRouteRule, HTTPRouteRule, Listener, ListenerStatus, ParentReference, LocalPolicyTargetReferenceWithSectionName, TCPRouteRule, TLSRouteRule, UDPRouteRule)
SectionName is the name of a section in a Kubernetes resource.
In the following resources, SectionName is interpreted as the following:
- Gateway: Listener name
- HTTPRoute: HTTPRouteRule name
- Service: Port name
Section names can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208
Valid values include:
- “example”
- “foo-example”
- “example.com”
- “foo.example.com”
Invalid values include:
- “example.com/bar” - “/” is an invalid character
SessionPersistence ¶
(Appears on: GRPCRouteRule, HTTPRouteRule, BackendLBPolicySpec)
SessionPersistence defines the desired state of SessionPersistence.
Field | Description |
---|---|
sessionName
string
|
(Optional)
SessionName defines the name of the persistent session token which may be reflected in the cookie or the header. Users should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. Support: Implementation-specific |
absoluteTimeout
Duration
|
(Optional)
AbsoluteTimeout defines the absolute timeout of the persistent session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. Support: Extended |
idleTimeout
Duration
|
(Optional)
IdleTimeout defines the idle timeout of the persistent session. Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. Support: Extended |
type
SessionPersistenceType
|
(Optional)
Type defines the type of session persistence such as through the use a header or cookie. Defaults to cookie based session persistence. Support: Core for “Cookie” type Support: Extended for “Header” type |
cookieConfig
CookieConfig
|
(Optional)
CookieConfig provides configuration settings that are specific to cookie-based session persistence. Support: Core |
SessionPersistenceType
(string
alias)¶
(Appears on: SessionPersistence)
Value | Description |
---|---|
"Cookie" |
CookieBasedSessionPersistence specifies cookie-based session persistence. Support: Core |
"Header" |
HeaderBasedSessionPersistence specifies header-based session persistence. Support: Extended |
SupportedFeature ¶
(Appears on: GatewayClassStatus)
Field | Description |
---|---|
name
FeatureName
|
TLSModeType
(string
alias)¶
(Appears on: GatewayTLSConfig)
TLSModeType type defines how a Gateway handles TLS sessions.
Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Ready Condition for the Listener to status: False
, with a
Reason of Invalid
.
Value | Description |
---|---|
"Passthrough" |
In this mode, the TLS session is NOT terminated by the Gateway. This implies that the Gateway can’t decipher the TLS stream except for the ClientHello message of the TLS protocol. Note that SSL passthrough is only supported by TLSRoute. |
"Terminate" |
In this mode, TLS session between the downstream client and the Gateway is terminated at the Gateway. |
gateway.networking.k8s.io/v1beta1
Package v1beta1 contains API Schema definitions for the gateway.networking.k8s.io API group.
Resource Types:Gateway ¶
Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.
Field | Description | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1beta1
|
||||||||||
kind
string
|
Gateway |
||||||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||||||
spec
GatewaySpec
|
Spec defines the desired state of Gateway.
|
||||||||||
status
GatewayStatus
|
Status defines the current state of Gateway. |
GatewayClass ¶
GatewayClass describes a class of Gateways available to the user for creating Gateway resources.
It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation.
Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
add the gateway-exists-finalizer.gateway.networking.k8s.io
finalizer on the
associated GatewayClass. This ensures that a GatewayClass associated with a
Gateway is not deleted while in use.
GatewayClass is a Cluster level resource.
Field | Description | ||||||
---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1beta1
|
||||||
kind
string
|
GatewayClass |
||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
GatewayClassSpec
|
Spec defines the desired state of GatewayClass.
|
||||||
status
GatewayClassStatus
|
Status defines the current state of GatewayClass. Implementations MUST populate status on all GatewayClass resources which specify their controller name. |
HTTPRoute ¶
HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.
Field | Description | ||||||
---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1beta1
|
||||||
kind
string
|
HTTPRoute |
||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
HTTPRouteSpec
|
Spec defines the desired state of HTTPRoute.
|
||||||
status
HTTPRouteStatus
|
Status defines the current state of HTTPRoute. |
ReferenceGrant ¶
ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy.
Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within.
All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant.
ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed.
Field | Description | ||||
---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1beta1
|
||||
kind
string
|
ReferenceGrant |
||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
spec
ReferenceGrantSpec
|
Spec defines the desired state of ReferenceGrant.
|
ReferenceGrantFrom ¶
(Appears on: ReferenceGrantSpec)
ReferenceGrantFrom describes trusted namespaces and kinds.
Field | Description |
---|---|
group
Group
|
Group is the group of the referent. When empty, the Kubernetes core API group is inferred. Support: Core |
kind
Kind
|
Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the “Core” support level for this field. When used to permit a SecretObjectReference:
When used to permit a BackendObjectReference:
|
namespace
Namespace
|
Namespace is the namespace of the referent. Support: Core |
ReferenceGrantSpec ¶
(Appears on: ReferenceGrant, ReferenceGrant)
ReferenceGrantSpec identifies a cross namespace relationship that is trusted for Gateway API.
Field | Description |
---|---|
from
[]ReferenceGrantFrom
|
From describes the trusted namespaces and kinds that can reference the resources described in “To”. Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. Support: Core |
to
[]ReferenceGrantTo
|
To describes the resources that may be referenced by the resources described in “From”. Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. Support: Core |
ReferenceGrantTo ¶
(Appears on: ReferenceGrantSpec)
ReferenceGrantTo describes what Kinds are allowed as targets of the references.
Field | Description |
---|---|
group
Group
|
Group is the group of the referent. When empty, the Kubernetes core API group is inferred. Support: Core |
kind
Kind
|
Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the “Core” support level for this field:
|
name
ObjectName
|
(Optional)
Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. |
gateway.networking.k8s.io/v1alpha3
Package v1alpha3 contains API Schema definitions for the gateway.networking.k8s.io API group.
Resource Types:BackendTLSPolicy ¶
BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.
Field | Description | ||||||
---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1alpha3
|
||||||
kind
string
|
BackendTLSPolicy |
||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
BackendTLSPolicySpec
|
Spec defines the desired state of BackendTLSPolicy.
|
||||||
status
PolicyStatus
|
Status defines the current state of BackendTLSPolicy. |
BackendTLSPolicySpec ¶
(Appears on: BackendTLSPolicy)
BackendTLSPolicySpec defines the desired state of BackendTLSPolicy.
Support: Extended
Field | Description |
---|---|
targetRefs
[]LocalPolicyTargetReferenceWithSectionName
|
TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource |
validation
BackendTLSPolicyValidation
|
Validation contains backend TLS validation configuration. |
options
map[sigs.k8s.io/gateway-api/apis/v1.AnnotationKey]sigs.k8s.io/gateway-api/apis/v1.AnnotationValue
|
(Optional)
Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. A set of common keys MAY be defined by the API in the future. To avoid
any ambiguity, implementation-specific definitions MUST use
domain-prefixed names, such as Support: Implementation-specific |
BackendTLSPolicyValidation ¶
(Appears on: BackendTLSPolicySpec)
BackendTLSPolicyValidation contains backend TLS validation configuration.
Field | Description |
---|---|
caCertificateRefs
[]LocalObjectReference
|
(Optional)
CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod. If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertifcateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation. References to a resource in a different namespace are invalid for the moment, although we will revisit this in the future. A single CACertificateRef to a Kubernetes ConfigMap kind has “Core” support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific. Support: Core - An optional single reference to a Kubernetes ConfigMap,
with the CA certificate in a key named Support: Implementation-specific (More than one reference, or other kinds of resources). |
wellKnownCACertificates
WellKnownCACertificatesType
|
(Optional)
WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (“”), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an implementation does not support the WellKnownCACertificates field or the value supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid. Support: Implementation-specific |
hostname
PreciseHostname
|
Hostname is used for two purposes in the connection between Gateways and backends:
Support: Core |
subjectAltNames
[]SubjectAltName
|
(Optional)
SubjectAltNames contains one or more Subject Alternative Names. When specified, the certificate served from the backend MUST have at least one Subject Alternate Name matching one of the specified SubjectAltNames. Support: Core |
SubjectAltName ¶
(Appears on: BackendTLSPolicyValidation)
SubjectAltName represents Subject Alternative Name.
Field | Description |
---|---|
type
SubjectAltNameType
|
Type determines the format of the Subject Alternative Name. Always required. Support: Core |
hostname
Hostname
|
(Optional)
Hostname contains Subject Alternative Name specified in DNS name format. Required when Type is set to Hostname, ignored otherwise. Support: Core |
uri
AbsoluteURI
|
(Optional)
URI contains Subject Alternative Name specified in a full URI format. It MUST include both a scheme (e.g., “http” or “ftp”) and a scheme-specific-part. Common values include SPIFFE IDs like “spiffe://mycluster.example.com/ns/myns/sa/svc1sa”. Required when Type is set to URI, ignored otherwise. Support: Core |
SubjectAltNameType
(string
alias)¶
(Appears on: SubjectAltName)
SubjectAltNameType is the type of the Subject Alternative Name.
Value | Description |
---|---|
"Hostname" |
HostnameSubjectAltNameType specifies hostname-based SAN. Support: Core |
"URI" |
URISubjectAltNameType specifies URI-based SAN, e.g. SPIFFE id. Support: Core |
WellKnownCACertificatesType
(string
alias)¶
(Appears on: BackendTLSPolicyValidation)
WellKnownCACertificatesType is the type of CA certificate that will be used when the caCertificateRefs field is unspecified.
Value | Description |
---|---|
"System" |
WellKnownCACertificatesSystem indicates that well known system CA certificates should be used. |
gateway.networking.k8s.io/v1alpha2
Package v1alpha2 contains API Schema definitions for the gateway.networking.k8s.io API group.
Resource Types:BackendLBPolicy ¶
BackendLBPolicy provides a way to define load balancing rules for a backend.
Field | Description | ||||
---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1alpha2
|
||||
kind
string
|
BackendLBPolicy |
||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
spec
BackendLBPolicySpec
|
Spec defines the desired state of BackendLBPolicy.
|
||||
status
PolicyStatus
|
Status defines the current state of BackendLBPolicy. |
ReferenceGrant ¶
ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy.
Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within.
A ReferenceGrant is required for all cross-namespace references in Gateway API (with the exception of cross-namespace Route-Gateway attachment, which is governed by the AllowedRoutes configuration on the Gateway, and cross-namespace Service ParentRefs on a “consumer” mesh Route, which defines routing rules applicable only to workloads in the Route namespace). ReferenceGrants allowing a reference from a Route to a Service are only applicable to BackendRefs.
ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed.
Field | Description | ||||
---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1alpha2
|
||||
kind
string
|
ReferenceGrant |
||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
spec
ReferenceGrantSpec
|
Spec defines the desired state of ReferenceGrant.
|
TCPRoute ¶
TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute.
Field | Description | ||||
---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1alpha2
|
||||
kind
string
|
TCPRoute |
||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
spec
TCPRouteSpec
|
Spec defines the desired state of TCPRoute.
|
||||
status
TCPRouteStatus
|
Status defines the current state of TCPRoute. |
TLSRoute ¶
The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener.
If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener.
Field | Description | ||||||
---|---|---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1alpha2
|
||||||
kind
string
|
TLSRoute |
||||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
TLSRouteSpec
|
Spec defines the desired state of TLSRoute.
|
||||||
status
TLSRouteStatus
|
Status defines the current state of TLSRoute. |
UDPRoute ¶
UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute.
Field | Description | ||||
---|---|---|---|---|---|
apiVersion
string |
gateway.networking.k8s.io/v1alpha2
|
||||
kind
string
|
UDPRoute |
||||
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
spec
UDPRouteSpec
|
Spec defines the desired state of UDPRoute.
|
||||
status
UDPRouteStatus
|
Status defines the current state of UDPRoute. |
BackendLBPolicySpec ¶
(Appears on: BackendLBPolicy)
BackendLBPolicySpec defines the desired state of BackendLBPolicy. Note: there is no Override or Default policy configuration.
Field | Description |
---|---|
targetRefs
[]LocalPolicyTargetReference
|
TargetRef identifies an API object to apply policy to. Currently, Backends (i.e. Service, ServiceImport, or any implementation-specific backendRef) are the only valid API target references. |
sessionPersistence
SessionPersistence
|
(Optional)
SessionPersistence defines and configures session persistence for the backend. Support: Extended |
GRPCRoute ¶
Field | Description | ||||||
---|---|---|---|---|---|---|---|
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
spec
GRPCRouteSpec
|
Spec defines the desired state of GRPCRoute.
|
||||||
status
GRPCRouteStatus
|
Status defines the current state of GRPCRoute. |
LocalPolicyTargetReference ¶
(Appears on: BackendLBPolicySpec, LocalPolicyTargetReferenceWithSectionName)
LocalPolicyTargetReference identifies an API object to apply a direct or inherited policy to. This should be used as part of Policy resources that can target Gateway API resources. For more information on how this policy attachment model works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.
Field | Description |
---|---|
group
Group
|
Group is the group of the target resource. |
kind
Kind
|
Kind is kind of the target resource. |
name
ObjectName
|
Name is the name of the target resource. |
LocalPolicyTargetReferenceWithSectionName ¶
(Appears on: BackendTLSPolicySpec)
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a direct policy to. This should be used as part of Policy resources that can target single resources. For more information on how this policy attachment mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.
Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used.
Field | Description |
---|---|
LocalPolicyTargetReference
LocalPolicyTargetReference
|
(Members of |
sectionName
SectionName
|
(Optional)
SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following:
If a SectionName is specified, but does not exist on the targeted object,
the Policy must fail to attach, and the policy implementation should record
a |
NamespacedPolicyTargetReference ¶
NamespacedPolicyTargetReference identifies an API object to apply a direct or inherited policy to, potentially in a different namespace. This should only be used as part of Policy resources that need to be able to target resources in different namespaces. For more information on how this policy attachment model works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.
Field | Description |
---|---|
group
Group
|
Group is the group of the target resource. |
kind
Kind
|
Kind is kind of the target resource. |
name
ObjectName
|
Name is the name of the target resource. |
namespace
Namespace
|
(Optional)
Namespace is the namespace of the referent. When unspecified, the local namespace is inferred. Even when policy targets a resource in a different namespace, it MUST only apply to traffic originating from the same namespace as the policy. |
PolicyAncestorStatus ¶
(Appears on: PolicyStatus)
PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor.
Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy’s Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most useful object to place Policy status on, so we recommend that implementations SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a very good reason otherwise.
In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway.
Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations.
For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status.
Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used.
This struct is intended to be used in a slice that’s effectively a map, with a composite key made up of the AncestorRef and the ControllerName.
Field | Description |
---|---|
ancestorRef
ParentReference
|
AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. |
controllerName
GatewayController
|
ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. |
conditions
[]Kubernetes meta/v1.Condition
|
Conditions describes the status of the Policy with respect to the given Ancestor. |
PolicyConditionReason
(string
alias)¶
PolicyConditionReason is a reason for a policy condition.
Value | Description |
---|---|
"Accepted" |
PolicyReasonAccepted is used with the “Accepted” condition when the policy has been accepted by the targeted resource. |
"Conflicted" |
PolicyReasonConflicted is used with the “Accepted” condition when the policy has not been accepted by a targeted resource because there is another policy that targets the same resource and a merge is not possible. |
"Invalid" |
PolicyReasonInvalid is used with the “Accepted” condition when the policy is syntactically or semantically invalid. |
"TargetNotFound" |
PolicyReasonTargetNotFound is used with the “Accepted” condition when the policy is attached to an invalid target resource. |
PolicyConditionType
(string
alias)¶
PolicyConditionType is a type of condition for a policy. This type should be used with a Policy resource Status.Conditions field.
Value | Description |
---|---|
"Accepted" |
PolicyConditionAccepted indicates whether the policy has been accepted or rejected by a targeted resource, and why. Possible reasons for this condition to be True are:
Possible reasons for this condition to be False are:
|
PolicyStatus ¶
(Appears on: BackendLBPolicy, BackendTLSPolicy)
PolicyStatus defines the common attributes that all Policies should include within their status.
Field | Description |
---|---|
ancestors
[]PolicyAncestorStatus
|
Ancestors is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy. |
TCPRouteRule ¶
(Appears on: TCPRouteSpec)
TCPRouteRule is the configuration for a given rule.
Field | Description |
---|---|
name
SectionName
|
(Optional)
Name is the name of the route rule. This name MUST be unique within a Route if it is set. Support: Extended |
backendRefs
[]BackendRef
|
BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. Support: Core for Kubernetes Service Support: Extended for Kubernetes ServiceImport Support: Implementation-specific for any other resource Support for weight: Extended |
TCPRouteSpec ¶
(Appears on: TCPRoute)
TCPRouteSpec defines the desired state of TCPRoute
Field | Description |
---|---|
CommonRouteSpec
CommonRouteSpec
|
(Members of |
rules
[]TCPRouteRule
|
Rules are a list of TCP matchers and actions. |
TCPRouteStatus ¶
(Appears on: TCPRoute)
TCPRouteStatus defines the observed state of TCPRoute
Field | Description |
---|---|
RouteStatus
RouteStatus
|
(Members of |
TLSRouteRule ¶
(Appears on: TLSRouteSpec)
TLSRouteRule is the configuration for a given rule.
Field | Description |
---|---|
name
SectionName
|
(Optional)
Name is the name of the route rule. This name MUST be unique within a Route if it is set. Support: Extended |
backendRefs
[]BackendRef
|
BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. Support: Core for Kubernetes Service Support: Extended for Kubernetes ServiceImport Support: Implementation-specific for any other resource Support for weight: Extended |
TLSRouteSpec ¶
(Appears on: TLSRoute)
TLSRouteSpec defines the desired state of a TLSRoute resource.
Field | Description |
---|---|
CommonRouteSpec
CommonRouteSpec
|
(Members of |
hostnames
[]Hostname
|
(Optional)
Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:
If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example:
If both the Listener and TLSRoute have specified hostnames, any
TLSRoute hostnames that do not match the Listener hostname MUST be
ignored. For example, if a Listener specified If both the Listener and TLSRoute have specified hostnames, and none
match with the criteria above, then the TLSRoute is not accepted. The
implementation must raise an ‘Accepted’ Condition with a status of
Support: Core |
rules
[]TLSRouteRule
|
Rules are a list of TLS matchers and actions. |
TLSRouteStatus ¶
(Appears on: TLSRoute)
TLSRouteStatus defines the observed state of TLSRoute
Field | Description |
---|---|
RouteStatus
RouteStatus
|
(Members of |
UDPRouteRule ¶
(Appears on: UDPRouteSpec)
UDPRouteRule is the configuration for a given rule.
Field | Description |
---|---|
name
SectionName
|
(Optional)
Name is the name of the route rule. This name MUST be unique within a Route if it is set. Support: Extended |
backendRefs
[]BackendRef
|
BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. Support: Core for Kubernetes Service Support: Extended for Kubernetes ServiceImport Support: Implementation-specific for any other resource Support for weight: Extended |
UDPRouteSpec ¶
(Appears on: UDPRoute)
UDPRouteSpec defines the desired state of UDPRoute.
Field | Description |
---|---|
CommonRouteSpec
CommonRouteSpec
|
(Members of |
rules
[]UDPRouteRule
|
Rules are a list of UDP matchers and actions. |
UDPRouteStatus ¶
(Appears on: UDPRoute)
UDPRouteStatus defines the observed state of UDPRoute.
Field | Description |
---|---|
RouteStatus
RouteStatus
|
(Members of |
Generated with gen-crd-api-reference-docs
.