Skip to content

API Reference

Packages

gateway.networking.k8s.io/v1

Package v1 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types

AbsoluteURI

Underlying type: string

The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The AbsoluteURI MUST include both a scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. The below regex is taken from the regex section in RFC 3986 with a slight modification to enforce a full URI and not relative.

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?

Appears in: - HTTPCORSFilter - SubjectAltName

AddressType

Underlying type: string

AddressType defines how a network address is represented as a text string. This may take two possible forms:

  • A predefined CamelCase string identifier (currently limited to IPAddress or Hostname)
  • A domain-prefixed string identifier (like acme.io/CustomAddressType)

Values IPAddress and Hostname have Extended support.

The NamedAddress value has been deprecated in favor of implementation specific domain-prefixed strings.

All other values, including domain-prefixed values have Implementation-specific support, which are used in implementation-specific behaviors. Support for additional predefined CamelCase identifiers may be added in future releases.

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$

Appears in: - GatewaySpecAddress - GatewayStatusAddress

Field Description
IPAddress A textual representation of a numeric IP address. IPv4
addresses must be in dotted-decimal form. IPv6 addresses
must be in a standard IPv6 text representation
(see RFC 5952).
This type is intended for specific addresses. Address ranges are not
supported (e.g. you cannot use a CIDR range like 127.0.0.0/24 as an
IPAddress).
Support: Extended
Hostname A Hostname represents a DNS based ingress point. This is similar to the
corresponding hostname field in Kubernetes load balancer status. For
example, this concept may be used for cloud load balancers where a DNS
name is used to expose a load balancer.
Support: Extended
NamedAddress A NamedAddress provides a way to reference a specific IP address by name.
For example, this may be a name or other unique identifier that refers
to a resource on a cloud provider such as a static IP.
The NamedAddress type has been deprecated in favor of implementation
specific domain-prefixed strings.
Support: Implementation-specific

AllowedListeners

AllowedListeners defines which ListenerSets can be attached to this Gateway.

Appears in: - GatewaySpec

Field Description Default Validation
namespaces ListenerNamespaces Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets.		 { from:None }

AllowedRoutes

AllowedRoutes defines which Routes may be attached to this Listener.

Appears in: - Listener

Field Description Default Validation
namespaces RouteNamespaces Namespaces indicates namespaces from which Routes may be attached to this
Listener. This is restricted to the namespace of this Gateway by default.
Support: Core		 { from:Same }
kinds RouteGroupKind array Kinds specifies the groups and kinds of Routes that are allowed to bind
to this Gateway Listener. When unspecified or empty, the kinds of Routes
selected are determined using the Listener protocol.
A RouteGroupKind MUST correspond to kinds of Routes that are compatible
with the application protocol specified in the Listener's Protocol field.
If an implementation does not support or recognize this resource type, it
MUST set the "ResolvedRefs" condition to False for this Listener with the
"InvalidRouteKinds" reason.
Support: Core		 MaxItems: 8

AnnotationKey

Underlying type: string

AnnotationKey is the key of an annotation in Gateway API. This is used for validation of maps such as TLS options. This matches the Kubernetes "qualified name" validation that is used for annotations and other common values.

Valid values include:

  • example
  • example.com
  • example.com/path
  • example.com/path.html

Invalid values include:

  • example~ - "~" is an invalid character
  • example.com. - cannot start or end with "."

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$

Appears in: - BackendTLSPolicySpec - GatewayInfrastructure - GatewayTLSConfig

AnnotationValue

Underlying type: string

AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct.

Validation: - MaxLength: 4096 - MinLength: 0

Appears in: - BackendTLSPolicySpec - GatewayInfrastructure - GatewayTLSConfig

BackendObjectReference

BackendObjectReference defines how an ObjectReference that is specific to BackendRef. It includes a few additional fields and features than a regular ObjectReference.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Appears in: - BackendRef - GRPCBackendRef - HTTPBackendRef - HTTPRequestMirrorFilter

Field Description Default Validation
group Group Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is the Kubernetes resource kind of the referent. For example
"Service".
Defaults to "Service" when not specified.
ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.
Support: Core (Services with a type other than ExternalName)
Support: Implementation-specific (Services with type ExternalName)		 Service MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. MaxLength: 253
MinLength: 1
namespace Namespace Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port PortNumber Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field.		 Maximum: 65535
Minimum: 1

BackendRef

BackendRef defines how a Route should forward a request to a Kubernetes resource.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.

When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port.

Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726.

If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service.

If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.

Note that when the BackendTLSPolicy object is enabled by the implementation, there are some extra rules about validity to consider here. See the fields where this struct is used for more information about the exact behavior.

Appears in: - GRPCBackendRef - HTTPBackendRef

Field Description Default Validation
group Group Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is the Kubernetes resource kind of the referent. For example
"Service".
Defaults to "Service" when not specified.
ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.
Support: Core (Services with a type other than ExternalName)
Support: Implementation-specific (Services with type ExternalName)		 Service MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. MaxLength: 253
MinLength: 1
namespace Namespace Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port PortNumber Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field.		 Maximum: 65535
Minimum: 1
weight integer Weight specifies the proportion of requests forwarded to the referenced
backend. This is computed as weight/(sum of all weights in this
BackendRefs list). For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision an
implementation supports. Weight is not a percentage and the sum of
weights does not need to equal 100.
If only one backend is specified and it has a weight greater than 0, 100%
of the traffic is forwarded to that backend. If weight is set to 0, no
traffic should be forwarded for this entry. If unspecified, weight
defaults to 1.
Support for this field varies based on the context where used.		 1 Maximum: 1e+06
Minimum: 0

CommonRouteSpec

CommonRouteSpec defines the common attributes that all Routes MUST include within their spec.

Appears in: - GRPCRouteSpec - HTTPRouteSpec

Field Description Default Validation
parentRefs ParentReference array ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
the Gateway needs to allow attachment from Routes of this kind and
namespace. For Services, that means the Service must either be in the same
namespace for a "producer" route, or the mesh implementation must support
and allow "consumer" routes for the referenced Service. ReferenceGrant is
not applicable for governing ParentRefs to Services - it is not possible to
create a "producer" route for a Service in a different namespace from the
Route.
There are two kinds of parent resources with "Core" support:
Gateway (Gateway conformance profile)
 Service (Mesh conformance profile, ClusterIP Services only)
This API may be extended in the future to support additional kinds of parent
resources.
ParentRefs must be distinct. This means either that:
They select different objects. If this is the case, then parentRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by group, kind, namespace, and name must
be unique across all parentRef entries in the Route.
 They do not select different objects, but for each optional field used,
each ParentRef that selects the same object must set the same set of
optional fields to different values. If one ParentRef sets a
combination of optional fields, all must set the same combination.
Some examples:
If one ParentRef sets sectionName, all ParentRefs referencing the
same object must also set sectionName.
 If one ParentRef sets port, all ParentRefs referencing the same
object must also set port.
* If one ParentRef sets sectionName and port, all ParentRefs
referencing the same object must also set sectionName and port.
It is possible to separately reference multiple distinct objects that may
be collapsed by an implementation. For example, some implementations may
choose to merge compatible Gateway Listeners together. If that is the
case, the list of routes attached to those resources should also be
merged.
Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example,
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable other kinds of cross-namespace reference.

ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.




 MaxItems: 32

CookieConfig

CookieConfig defines the configuration for cookie-based session persistence.

Appears in: - SessionPersistence

Field Description Default Validation
lifetimeType CookieLifetimeType LifetimeType specifies whether the cookie has a permanent or
session-based lifetime. A permanent cookie persists until its
specified expiry time, defined by the Expires or Max-Age cookie
attributes, while a session cookie is deleted when the current
session ends.
When set to "Permanent", AbsoluteTimeout indicates the
cookie's lifetime via the Expires or Max-Age cookie attributes
and is required.
When set to "Session", AbsoluteTimeout indicates the
absolute lifetime of the cookie tracked by the gateway and
is optional.
Defaults to "Session".
Support: Core for "Session" type
Support: Extended for "Permanent" type		 Session Enum: [Permanent Session]

CookieLifetimeType

Underlying type: string

Validation: - Enum: [Permanent Session]

Appears in: - CookieConfig

Field Description
Session SessionCookieLifetimeType specifies the type for a session
cookie.
Support: Core
Permanent PermanentCookieLifetimeType specifies the type for a permanent
cookie.
Support: Extended

Duration

Underlying type: string

Duration is a string value representing a duration in time. The format is as specified in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.

Validation: - Pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

Appears in: - HTTPRouteRetry - HTTPRouteTimeouts - SessionPersistence

FeatureName

Underlying type: string

FeatureName is used to describe distinct features that are covered by conformance tests.

Appears in: - SupportedFeature

Fraction

Appears in: - HTTPRequestMirrorFilter

Field Description Default Validation
numerator integer Minimum: 0
denominator integer 100 Minimum: 1

FromNamespaces

Underlying type: string

FromNamespaces specifies namespace from which Routes/ListenerSets may be attached to a Gateway.

Validation: - Enum: [All Selector Same None]

Appears in: - ListenerNamespaces - RouteNamespaces

Field Description
All Routes/ListenerSets in all namespaces may be attached to this Gateway.
Selector Only Routes/ListenerSets in namespaces selected by the selector may be attached to
this Gateway.
Same Only Routes/ListenerSets in the same namespace as the Gateway may be attached to this
Gateway.
None No Routes/ListenerSets may be attached to this Gateway.

FrontendTLSValidation

FrontendTLSValidation holds configuration information that can be used to validate the frontend initiating the TLS connection

Appears in: - GatewayTLSConfig

Field Description Default Validation
caCertificateRefs ObjectReference array CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.
A single CA certificate reference to a Kubernetes ConfigMap
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap
with the CA certificate in a key named ca.crt.
Support: Implementation-specific (More than one reference, or other kinds
of resources).
References to a resource in a different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.		 MaxItems: 8
MinItems: 1

GRPCBackendRef

GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.

When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port.

Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726.

If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service.

If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.

Appears in: - GRPCRouteRule

Field Description Default Validation
group Group Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is the Kubernetes resource kind of the referent. For example
"Service".
Defaults to "Service" when not specified.
ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.
Support: Core (Services with a type other than ExternalName)
Support: Implementation-specific (Services with type ExternalName)		 Service MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. MaxLength: 253
MinLength: 1
namespace Namespace Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port PortNumber Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field.		 Maximum: 65535
Minimum: 1
weight integer Weight specifies the proportion of requests forwarded to the referenced
backend. This is computed as weight/(sum of all weights in this
BackendRefs list). For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision an
implementation supports. Weight is not a percentage and the sum of
weights does not need to equal 100.
If only one backend is specified and it has a weight greater than 0, 100%
of the traffic is forwarded to that backend. If weight is set to 0, no
traffic should be forwarded for this entry. If unspecified, weight
defaults to 1.
Support for this field varies based on the context where used.		 1 Maximum: 1e+06
Minimum: 0
filters GRPCRouteFilter array Filters defined at this level MUST be executed if and only if the
request is being forwarded to the backend defined here.
Support: Implementation-specific (For broader support of filters, use the
Filters field in GRPCRouteRule.)		 MaxItems: 16

GRPCHeaderMatch

GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers.

Appears in: - GRPCRouteMatch

Field Description Default Validation
type GRPCHeaderMatchType Type specifies how to match against the value of the header. Exact Enum: [Exact RegularExpression]
name GRPCHeaderName Name is the name of the gRPC Header to be matched.
If multiple entries specify equivalent header names, only the first
entry with an equivalent name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered
equivalent.		 MaxLength: 256
MinLength: 1
Pattern: `^[A-Za-z0-9!
value string Value is the value of the gRPC Header to be matched. MaxLength: 4096
MinLength: 1

GRPCHeaderMatchType

Underlying type: string

GRPCHeaderMatchType specifies the semantics of how GRPC header values should be compared. Valid GRPCHeaderMatchType values, along with their conformance levels, are:

  • "Exact" - Core
  • "RegularExpression" - Implementation Specific

Note that new values may be added to this enum in future releases of the API, implementations MUST ensure that unknown values will not cause a crash.

Unknown values here MUST result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Validation: - Enum: [Exact RegularExpression]

Appears in: - GRPCHeaderMatch

Field Description
Exact
RegularExpression

GRPCHeaderName

Underlying type: HeaderName

Validation: - MaxLength: 256 - MinLength: 1 - Pattern: `^[A-Za-z0-9!

Appears in: - GRPCHeaderMatch

GRPCMethodMatch

GRPCMethodMatch describes how to select a gRPC route by matching the gRPC request service and/or method.

At least one of Service and Method MUST be a non-empty string.

Appears in: - GRPCRouteMatch

Field Description Default Validation
type GRPCMethodMatchType Type specifies how to match against the service and/or method.
Support: Core (Exact with service and method specified)
Support: Implementation-specific (Exact with method specified but no service specified)
Support: Implementation-specific (RegularExpression)		 Exact Enum: [Exact RegularExpression]
service string Value of the service to match against. If left empty or omitted, will
match any service.
At least one of Service and Method MUST be a non-empty string.		 MaxLength: 1024
method string Value of the method to match against. If left empty or omitted, will
match all services.
At least one of Service and Method MUST be a non-empty string.		 MaxLength: 1024

GRPCMethodMatchType

Underlying type: string

MethodMatchType specifies the semantics of how gRPC methods and services are compared. Valid MethodMatchType values, along with their conformance levels, are:

  • "Exact" - Core
  • "RegularExpression" - Implementation Specific

Exact methods MUST be syntactically valid:

  • Must not contain / character

Validation: - Enum: [Exact RegularExpression]

Appears in: - GRPCMethodMatch

Field Description
Exact Matches the method or service exactly and with case sensitivity.
RegularExpression Matches if the method or service matches the given regular expression with
case sensitivity.
Since "RegularExpression" has implementation-specific conformance,
implementations can support POSIX, PCRE, RE2 or any other regular expression
dialect.
Please read the implementation's documentation to determine the supported
dialect.

GRPCRoute

GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed.

GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word "MUST" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated.

Implementations supporting GRPCRoute with the HTTPS ProtocolType MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the "Accepted" condition to "False" for the affected listener with a reason of "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1.

Implementations supporting GRPCRoute with the HTTP ProtocolType MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the "Accepted" condition to "False" for the affected listener with a reason of "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge.

Appears in: - GRPCRoute

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1
kind string GRPCRoute
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec GRPCRouteSpec Spec defines the desired state of GRPCRoute.
status GRPCRouteStatus Status defines the current state of GRPCRoute.

GRPCRouteFilter

GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.

Appears in: - GRPCBackendRef - GRPCRouteRule

Field Description Default Validation
type GRPCRouteFilterType Type identifies the type of filter to apply. As with other API fields,
types are classified into three conformance levels:
- Core: Filter types and their corresponding configuration defined by
"Support: Core" in this package, e.g. "RequestHeaderModifier". All
implementations supporting GRPCRoute MUST support core filters.
- Extended: Filter types and their corresponding configuration defined by
"Support: Extended" in this package, e.g. "RequestMirror". Implementers
are encouraged to support extended filters.
- Implementation-specific: Filters that are defined and supported by specific vendors.
In the future, filters showing convergence in behavior across multiple
implementations will be considered for inclusion in extended or core
conformance levels. Filter-specific configuration for such filters
is specified using the ExtensionRef field. Type MUST be set to
"ExtensionRef" for custom filters.
Implementers are encouraged to define custom implementation types to
extend the core API with implementation-specific behavior.
If a reference to a custom filter type cannot be resolved, the filter
MUST NOT be skipped. Instead, requests that would have been processed by
that filter MUST receive a HTTP error response.
 Enum: [ResponseHeaderModifier RequestHeaderModifier RequestMirror ExtensionRef]
requestHeaderModifier HTTPHeaderFilter RequestHeaderModifier defines a schema for a filter that modifies request
headers.
Support: Core
responseHeaderModifier HTTPHeaderFilter ResponseHeaderModifier defines a schema for a filter that modifies response
headers.
Support: Extended
requestMirror HTTPRequestMirrorFilter RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
This filter can be used multiple times within the same rule. Note that
not all implementations will be able to support mirroring to multiple
backends.
Support: Extended
extensionRef LocalObjectReference ExtensionRef is an optional, implementation-specific extension to the
"filter" behavior. For example, resource "myroutefilter" in group
"networking.example.net"). ExtensionRef MUST NOT be used for core and
extended filters.
Support: Implementation-specific
This filter can be used multiple times within the same rule.

GRPCRouteFilterType

Underlying type: string

GRPCRouteFilterType identifies a type of GRPCRoute filter.

Appears in: - GRPCRouteFilter

Field Description
RequestHeaderModifier GRPCRouteFilterRequestHeaderModifier can be used to add or remove a gRPC
header from a gRPC request before it is sent to the upstream target.
Support in GRPCRouteRule: Core
Support in GRPCBackendRef: Extended
ResponseHeaderModifier GRPCRouteFilterRequestHeaderModifier can be used to add or remove a gRPC
header from a gRPC response before it is sent to the client.
Support in GRPCRouteRule: Core
Support in GRPCBackendRef: Extended
RequestMirror GRPCRouteFilterRequestMirror can be used to mirror gRPC requests to a
different backend. The responses from this backend MUST be ignored by
the Gateway.
Support in GRPCRouteRule: Extended
Support in GRPCBackendRef: Extended
ExtensionRef GRPCRouteFilterExtensionRef should be used for configuring custom
gRPC filters.
Support in GRPCRouteRule: Implementation-specific
Support in GRPCBackendRef: Implementation-specific

GRPCRouteMatch

GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied.

For example, the match below will match a gRPC request only if its service is foo AND it contains the version: v1 header:

matches:
  - method:
    type: Exact
    service: "foo"
    headers:
  - name: "version"
    value "v1"

Appears in: - GRPCRouteRule

Field Description Default Validation
method GRPCMethodMatch Method specifies a gRPC request service/method matcher. If this field is
not specified, all services and methods will match.
headers GRPCHeaderMatch array Headers specifies gRPC request header matchers. Multiple match values are
ANDed together, meaning, a request MUST match all the specified headers
to select the route.		 MaxItems: 16

GRPCRouteRule

GRPCRouteRule defines the semantics for matching a gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).

Appears in: - GRPCRouteSpec

Field Description Default Validation
name SectionName Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended
 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
matches GRPCRouteMatch array Matches define conditions used for matching the rule against incoming
gRPC requests. Each match is independent, i.e. this rule will be matched
if any one of the matches is satisfied.
For example, take the following matches configuration:
<br />matches:<br />- method:<br /> service: foo.bar<br /> headers:<br /> values:<br /> version: 2<br />- method:<br /> service: foo.bar.v2<br />
For a request to match against this rule, it MUST satisfy
EITHER of the two conditions:
- service of foo.bar AND contains the header version: 2
- service of foo.bar.v2
See the documentation for GRPCRouteMatch on how to specify multiple
match conditions to be ANDed together.
If no matches are specified, the implementation MUST match every gRPC request.
Proxy or Load Balancer routing configuration generated from GRPCRoutes
MUST prioritize rules based on the following criteria, continuing on
ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
Precedence MUST be given to the rule with the largest number of:
Characters in a matching non-wildcard hostname.
 Characters in a matching hostname.
Characters in a matching service.
 Characters in a matching method.
Header matches.
If ties still exist across multiple Routes, matching precedence MUST be
determined in order of the following criteria, continuing on ties:
 The oldest Route based on creation timestamp.
* The Route appearing first in alphabetical order by
"{namespace}/{name}".
If ties still exist within the Route that has been given precedence,
matching precedence MUST be granted to the first matching rule meeting
the above criteria.		 MaxItems: 64
filters GRPCRouteFilter array Filters define the filters that are applied to requests that match
this rule.
The effects of ordering of multiple behaviors are currently unspecified.
This can change in the future based on feedback during the alpha stage.
Conformance-levels at this level are defined based on the type of filter:
- ALL core filters MUST be supported by all implementations that support
GRPCRoute.
- Implementers are encouraged to support extended filters.
- Implementation-specific custom filters have no API guarantees across
implementations.
Specifying the same filter multiple times is not supported unless explicitly
indicated in the filter.
If an implementation cannot support a combination of filters, it must clearly
document that limitation. In cases where incompatible or unsupported
filters are specified and cause the Accepted condition to be set to status
False, implementations may use the IncompatibleFilters reason to specify
this configuration error.
Support: Core		 MaxItems: 16
backendRefs GRPCBackendRef array BackendRefs defines the backend(s) where matching requests should be
sent.
Failure behavior here depends on how many BackendRefs are specified and
how many are invalid.
If all entries in BackendRefs are invalid, and there are also no filters
specified in this route rule, all traffic which matches this rule MUST
receive an UNAVAILABLE status.
See the GRPCBackendRef definition for the rules about what makes a single
GRPCBackendRef invalid.
When a GRPCBackendRef is invalid, UNAVAILABLE statuses MUST be returned for
requests that would have otherwise been routed to an invalid backend. If
multiple backends are specified, and some are invalid, the proportion of
requests that would otherwise have been routed to an invalid backend
MUST receive an UNAVAILABLE status.
For example, if two backends are specified with equal weights, and one is
invalid, 50 percent of traffic MUST receive an UNAVAILABLE status.
Implementations may choose how that 50 percent is determined.
Support: Core for Kubernetes Service
Support: Implementation-specific for any other resource
Support for weight: Core		 MaxItems: 16
sessionPersistence SessionPersistence SessionPersistence defines and configures session persistence
for the route rule.
Support: Extended

GRPCRouteSpec

GRPCRouteSpec defines the desired state of GRPCRoute

Appears in: - GRPCRoute

Field Description Default Validation
parentRefs ParentReference array ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
the Gateway needs to allow attachment from Routes of this kind and
namespace. For Services, that means the Service must either be in the same
namespace for a "producer" route, or the mesh implementation must support
and allow "consumer" routes for the referenced Service. ReferenceGrant is
not applicable for governing ParentRefs to Services - it is not possible to
create a "producer" route for a Service in a different namespace from the
Route.
There are two kinds of parent resources with "Core" support:
Gateway (Gateway conformance profile)
 Service (Mesh conformance profile, ClusterIP Services only)
This API may be extended in the future to support additional kinds of parent
resources.
ParentRefs must be distinct. This means either that:
They select different objects. If this is the case, then parentRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by group, kind, namespace, and name must
be unique across all parentRef entries in the Route.
 They do not select different objects, but for each optional field used,
each ParentRef that selects the same object must set the same set of
optional fields to different values. If one ParentRef sets a
combination of optional fields, all must set the same combination.
Some examples:
If one ParentRef sets sectionName, all ParentRefs referencing the
same object must also set sectionName.
 If one ParentRef sets port, all ParentRefs referencing the same
object must also set port.
* If one ParentRef sets sectionName and port, all ParentRefs
referencing the same object must also set sectionName and port.
It is possible to separately reference multiple distinct objects that may
be collapsed by an implementation. For example, some implementations may
choose to merge compatible Gateway Listeners together. If that is the
case, the list of routes attached to those resources should also be
merged.
Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example,
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable other kinds of cross-namespace reference.

ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.




 MaxItems: 32
hostnames Hostname array Hostnames defines a set of hostnames to match against the GRPC
Host header to select a GRPCRoute to process the request. This matches
the RFC 1123 definition of a hostname with 2 notable exceptions:
1. IPs are not allowed.
2. A hostname may be prefixed with a wildcard label (*.). The wildcard
label MUST appear by itself as the first label.
If a hostname is specified by both the Listener and GRPCRoute, there
MUST be at least one intersecting hostname for the GRPCRoute to be
attached to the Listener. For example:
A Listener with test.example.com as the hostname matches GRPCRoutes
that have either not specified any hostnames, or have specified at
least one of test.example.com or *.example.com.
 A Listener with *.example.com as the hostname matches GRPCRoutes
that have either not specified any hostnames or have specified at least
one hostname that matches the Listener hostname. For example,
test.example.com and *.example.com would both match. On the other
hand, example.com and test.example.net would not match.
Hostnames that are prefixed with a wildcard label (*.) are interpreted
as a suffix match. That means that a match for *.example.com would match
both test.example.com, and foo.test.example.com, but not example.com.
If both the Listener and GRPCRoute have specified hostnames, any
GRPCRoute hostnames that do not match the Listener hostname MUST be
ignored. For example, if a Listener specified *.example.com, and the
GRPCRoute specified test.example.com and test.example.net,
test.example.net MUST NOT be considered for a match.
If both the Listener and GRPCRoute have specified hostnames, and none
match with the criteria above, then the GRPCRoute MUST NOT be accepted by
the implementation. The implementation MUST raise an 'Accepted' Condition
with a status of False in the corresponding RouteParentStatus.
If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
Listener and that listener already has another Route (B) of the other
type attached and the intersection of the hostnames of A and B is
non-empty, then the implementation MUST accept exactly one of these two
routes, determined by the following criteria, in order:
The oldest Route based on creation timestamp.
 The Route appearing first in alphabetical order by
"{namespace}/{name}".
The rejected Route MUST raise an 'Accepted' condition with a status of
'False' in the corresponding RouteParentStatus.
Support: Core		 MaxItems: 16
MaxLength: 253
MinLength: 1
Pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
rules GRPCRouteRule array Rules are a list of GRPC matchers, filters and actions.
 MaxItems: 16

GRPCRouteStatus

GRPCRouteStatus defines the observed state of GRPCRoute.

Appears in: - GRPCRoute

Field Description Default Validation
parents RouteParentStatus array Parents is a list of parent resources (usually Gateways) that are
associated with the route, and the status of the route with respect to
each parent. When this route attaches to a parent, the controller that
manages the parent must add an entry to this list when the controller
first sees the route and should update the entry as appropriate when the
route or gateway is modified.
Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this API
can only populate Route status for the Gateways/parent resources they are
responsible for.
A maximum of 32 Gateways will be represented in this list. An empty list
means the route has not been attached to any Gateway.		 MaxItems: 32

Gateway

Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.

Appears in: - Gateway

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1
kind string Gateway
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec GatewaySpec Spec defines the desired state of Gateway.
status GatewayStatus Status defines the current state of Gateway. { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed]] }

GatewayBackendTLS

GatewayBackendTLS describes backend TLS configuration for gateway.

Appears in: - GatewaySpec

Field Description Default Validation
clientCertificateRef SecretObjectReference ClientCertificateRef is a reference to an object that contains a Client
Certificate and the associated private key.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
ClientCertificateRef can reference to standard Kubernetes resources, i.e.
Secret, or implementation-specific custom resources.
This setting can be overridden on the service level by use of BackendTLSPolicy.
Support: Core

GatewayClass

GatewayClass describes a class of Gateways available to the user for creating Gateway resources.

It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation.

Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the gateway-exists-finalizer.gateway.networking.k8s.io finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use.

GatewayClass is a Cluster level resource.

Appears in: - GatewayClass

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1
kind string GatewayClass
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec GatewayClassSpec Spec defines the desired state of GatewayClass.
status GatewayClassStatus Status defines the current state of GatewayClass.
Implementations MUST populate status on all GatewayClass resources which
specify their controller name.		 { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted]] }

GatewayClassSpec

GatewayClassSpec reflects the configuration of a class of Gateways.

Appears in: - GatewayClass

Field Description Default Validation
controllerName GatewayController ControllerName is the name of the controller that is managing Gateways of
this class. The value of this field MUST be a domain prefixed path.
Example: "example.net/gateway-controller".
This field is not mutable and cannot be empty.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
parametersRef ParametersReference ParametersRef is a reference to a resource that contains the configuration
parameters corresponding to the GatewayClass. This is optional if the
controller does not require any additional configuration.
ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
or an implementation-specific custom resource. The resource can be
cluster-scoped or namespace-scoped.
If the referent cannot be found, refers to an unsupported kind, or when
the data within that resource is malformed, the GatewayClass SHOULD be
rejected with the "Accepted" status condition set to "False" and an
"InvalidParameters" reason.
A Gateway for this GatewayClass may provide its own parametersRef. When both are specified,
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
Support: Implementation-specific
description string Description helps describe a GatewayClass with more details. MaxLength: 64

GatewayClassStatus

GatewayClassStatus is the current status for the GatewayClass.

Appears in: - GatewayClass

Field Description Default Validation
conditions Condition array Conditions is the current status from the controller for
this GatewayClass.
Controllers should prefer to publish conditions using values
of GatewayClassConditionType for the type of each Condition.		 [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted]] MaxItems: 8
supportedFeatures SupportedFeature array SupportedFeatures is the set of features the GatewayClass support.
It MUST be sorted in ascending alphabetical order by the Name key.
 MaxItems: 64

GatewayController

Underlying type: string

GatewayController is the name of a Gateway API controller. It must be a domain prefixed path.

Valid values include:

  • "example.com/bar"

Invalid values include:

  • "example.com" - must include path
  • "foo.example.com" - must include path

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$

Appears in: - GatewayClassSpec - RouteParentStatus

GatewayInfrastructure

GatewayInfrastructure defines infrastructure level attributes about a Gateway instance.

Appears in: - GatewaySpec

Field Description Default Validation
labels object (keys:LabelKey, values:LabelValue) Labels that SHOULD be applied to any resources created in response to this Gateway.
For implementations creating other Kubernetes objects, this should be the metadata.labels field on resources.
For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
An implementation may chose to add additional implementation-specific labels as they see fit.
If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
change, it SHOULD clearly warn about this behavior in documentation.
Support: Extended		 MaxProperties: 8
annotations object (keys:AnnotationKey, values:AnnotationValue) Annotations that SHOULD be applied to any resources created in response to this Gateway.
For implementations creating other Kubernetes objects, this should be the metadata.annotations field on resources.
For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
An implementation may chose to add additional implementation-specific annotations as they see fit.
Support: Extended		 MaxProperties: 8
parametersRef LocalParametersReference ParametersRef is a reference to a resource that contains the configuration
parameters corresponding to the Gateway. This is optional if the
controller does not require any additional configuration.
This follows the same semantics as GatewayClass's parametersRef, but on a per-Gateway basis
The Gateway's GatewayClass may provide its own parametersRef. When both are specified,
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
If the referent cannot be found, refers to an unsupported kind, or when
the data within that resource is malformed, the Gateway SHOULD be
rejected with the "Accepted" status condition set to "False" and an
"InvalidParameters" reason.
Support: Implementation-specific

GatewaySpec

GatewaySpec defines the desired state of Gateway.

Not all possible combinations of options specified in the Spec are valid. Some invalid configurations can be caught synchronously via CRD validation, but there are many cases that will require asynchronous signaling via the GatewayStatus block.

Appears in: - Gateway

Field Description Default Validation
gatewayClassName ObjectName GatewayClassName used for this Gateway. This is the name of a
GatewayClass resource.		 MaxLength: 253
MinLength: 1
listeners Listener array Listeners associated with this Gateway. Listeners define
logical endpoints that are bound on this Gateway's addresses.
At least one Listener MUST be specified.
## Distinct Listeners
Each Listener in a set of Listeners (for example, in a single Gateway)
MUST be distinct, in that a traffic flow MUST be able to be assigned to
exactly one listener. (This section uses "set of Listeners" rather than
"Listeners in a single Gateway" because implementations MAY merge configuration
from multiple Gateways onto a single data plane, and these rules also
apply in that case).
Practically, this means that each listener in a set MUST have a unique
combination of Port, Protocol, and, if supported by the protocol, Hostname.
Some combinations of port, protocol, and TLS settings are considered
Core support and MUST be supported by implementations based on the objects
they support:
HTTPRoute
1. HTTPRoute, Port: 80, Protocol: HTTP
2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
TLSRoute
1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
"Distinct" Listeners have the following property:
The implementation can match inbound requests to a single distinct
Listener.
When multiple Listeners share values for fields (for
example, two Listeners with the same Port value), the implementation
can match requests to only one of the Listeners using other
Listener fields.
When multiple listeners have the same value for the Protocol field, then
each of the Listeners with matching Protocol values MUST have different
values for other fields.
The set of fields that MUST be different for a Listener differs per protocol.
The following rules define the rules for what fields MUST be considered for
Listeners to be distinct with each protocol currently defined in the
Gateway API spec.
The set of listeners that all share a protocol value MUST have different
values for at least one of these fields to be distinct:
HTTP, HTTPS, TLS: Port, Hostname
 TCP, UDP: Port
One very important rule to call out involves what happens when an
implementation:
Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
Listeners, and
 sees HTTP, HTTPS, or TLS protocols with the same port as one with TCP
Protocol.
In this case all the Listeners that share a port with the
TCP Listener are not distinct and so MUST NOT be accepted.
If an implementation does not support TCP Protocol Listeners, then the
previous rule does not apply, and the TCP Listeners SHOULD NOT be
accepted.
Note that the tls field is not used for determining if a listener is distinct, because
Listeners that only differ on TLS config will still conflict in all cases.
### Listeners that are distinct only by Hostname
When the Listeners are distinct based only on Hostname, inbound request
hostnames MUST match from the most specific to least specific Hostname
values to choose the correct Listener and its associated set of Routes.
Exact matches MUST be processed before wildcard matches, and wildcard
matches MUST be processed before fallback (empty Hostname value)
matches. For example, "foo.example.com" takes precedence over
"*.example.com", and "*.example.com" takes precedence over "".
Additionally, if there are multiple wildcard entries, more specific
wildcard entries must be processed before less specific wildcard entries.
For example, "*.foo.example.com" takes precedence over "*.example.com".
The precise definition here is that the higher the number of dots in the
hostname to the right of the wildcard character, the higher the precedence.
The wildcard character will match any number of characters and dots to
the left, however, so "*.example.com" will match both
"foo.bar.example.com" and "bar.example.com".
## Handling indistinct Listeners
If a set of Listeners contains Listeners that are not distinct, then those
Listeners are Conflicted, and the implementation MUST set the "Conflicted"
condition in the Listener Status to "True".
The words "indistinct" and "conflicted" are considered equivalent for the
purpose of this documentation.
Implementations MAY choose to accept a Gateway with some Conflicted
Listeners only if they only accept the partial Listener set that contains
no Conflicted Listeners.
Specifically, an implementation MAY accept a partial Listener set subject to
the following rules:
The implementation MUST NOT pick one conflicting Listener as the winner.
ALL indistinct Listeners must not be accepted for processing.
 At least one distinct Listener MUST be present, or else the Gateway effectively
contains no Listeners, and must be rejected from processing as a whole.
The implementation MUST set a "ListenersNotValid" condition on the
Gateway Status when the Gateway contains Conflicted Listeners whether or
not they accept the Gateway. That Condition SHOULD clearly
indicate in the Message which Listeners are conflicted, and which are
Accepted. Additionally, the Listener status for those listeners SHOULD
indicate which Listeners are conflicted and not Accepted.
## General Listener behavior
Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
For example, if Listeners are defined for "foo.example.com" and ".example.com", a
request to "foo.example.com" SHOULD only be routed using routes attached
to the "foo.example.com" Listener (and not the ".example.com" Listener).
This concept is known as "Listener Isolation", and it is an Extended feature
of Gateway API. Implementations that do not support Listener Isolation MUST
clearly document this, and MUST NOT claim support for the
GatewayHTTPListenerIsolation feature.
Implementations that do support Listener Isolation SHOULD claim support
for the Extended GatewayHTTPListenerIsolation feature and pass the associated
conformance tests.
## Compatible Listeners
A Gateway's Listeners are considered compatible if:
1. They are distinct.
2. The implementation can serve them in compliance with the Addresses
requirement that all Listeners are available on all assigned
addresses.
Compatible combinations in Extended support are expected to vary across
implementations. A combination that is compatible for one implementation
may not be compatible for another.
For example, an implementation that cannot serve both TCP and UDP listeners
on the same address, or cannot mix HTTPS and generic TLS listens on the same port
would not consider those cases compatible, even though they are distinct.
Implementations MAY merge separate Gateways onto a single set of
Addresses if all Listeners across all Gateways are compatible.
In a future release the MinItems=1 requirement MAY be dropped.
Support: Core		 MaxItems: 64
MinItems: 1
addresses GatewaySpecAddress array Addresses requested for this Gateway. This is optional and behavior can
depend on the implementation. If a value is set in the spec and the
requested address is invalid or unavailable, the implementation MUST
indicate this in the associated entry in GatewayStatus.Addresses.
The Addresses field represents a request for the address(es) on the
"outside of the Gateway", that traffic bound for this Gateway will use.
This could be the IP address or hostname of an external load balancer or
other networking infrastructure, or some other address that traffic will
be sent to.
If no Addresses are specified, the implementation MAY schedule the
Gateway in an implementation-specific manner, assigning an appropriate
set of Addresses.
The implementation MUST bind all Listeners to every GatewayAddress that
it assigns to the Gateway and add a corresponding entry in
GatewayStatus.Addresses.
Support: Extended
 MaxItems: 16
infrastructure GatewayInfrastructure Infrastructure defines infrastructure level attributes about this Gateway instance.
Support: Extended
backendTLS GatewayBackendTLS BackendTLS configures TLS settings for when this Gateway is connecting to
backends with TLS.
Support: Core
allowedListeners AllowedListeners AllowedListeners defines which ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets.

GatewaySpecAddress

GatewaySpecAddress describes an address that can be bound to a Gateway.

Appears in: - GatewaySpec

Field Description Default Validation
type AddressType Type of the address. IPAddress MaxLength: 253
MinLength: 1
Pattern: ^Hostname\|IPAddress\|NamedAddress\|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
value string When a value is unspecified, an implementation SHOULD automatically
assign an address matching the requested type if possible.
If an implementation does not support an empty value, they MUST set the
"Programmed" condition in status to False with a reason of "AddressNotAssigned".
Examples: 1.2.3.4, 128::1, my-ip-address.		 MaxLength: 253

GatewayStatus

GatewayStatus defines the observed state of Gateway.

Appears in: - Gateway

Field Description Default Validation
addresses GatewayStatusAddress array Addresses lists the network addresses that have been bound to the
Gateway.
This list may differ from the addresses provided in the spec under some
conditions:
* no addresses are specified, all addresses are dynamically assigned
* a combination of specified and dynamic addresses are assigned
* a specified address was unusable (e.g. already in use)
 MaxItems: 16
conditions Condition array Conditions describe the current conditions of the Gateway.
Implementations should prefer to express Gateway conditions
using the GatewayConditionType and GatewayConditionReason
constants so that operators and tools can converge on a common
vocabulary to describe Gateway state.
Known condition types are:
"Accepted"
 "Programmed"
* "Ready"		 [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed]] MaxItems: 8
listeners ListenerStatus array Listeners provide status for each unique listener port defined in the Spec. MaxItems: 64

GatewayStatusAddress

GatewayStatusAddress describes a network address that is bound to a Gateway.

Appears in: - GatewayStatus

Field Description Default Validation
type AddressType Type of the address. IPAddress MaxLength: 253
MinLength: 1
Pattern: ^Hostname\|IPAddress\|NamedAddress\|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
value string Value of the address. The validity of the values will depend
on the type and support by the controller.
Examples: 1.2.3.4, 128::1, my-ip-address.		 MaxLength: 253
MinLength: 1

GatewayTLSConfig

GatewayTLSConfig describes a TLS configuration.

Appears in: - Listener

Field Description Default Validation
mode TLSModeType Mode defines the TLS behavior for the TLS session initiated by the client.
There are two possible modes:
- Terminate: The TLS session between the downstream client and the
Gateway is terminated at the Gateway. This mode requires certificates
to be specified in some way, such as populating the certificateRefs
field.
- Passthrough: The TLS session is NOT terminated by the Gateway. This
implies that the Gateway can't decipher the TLS stream except for
the ClientHello message of the TLS protocol. The certificateRefs field
is ignored in this mode.
Support: Core		 Terminate Enum: [Terminate Passthrough]
certificateRefs SecretObjectReference array CertificateRefs contains a series of references to Kubernetes objects that
contains TLS certificates and private keys. These certificates are used to
establish a TLS handshake for requests that match the hostname of the
associated listener.
A single CertificateRef to a Kubernetes Secret has "Core" support.
Implementations MAY choose to support attaching multiple certificates to
a Listener, but this behavior is implementation-specific.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
This field is required to have at least one element when the mode is set
to "Terminate" (default) and is optional otherwise.
CertificateRefs can reference to standard Kubernetes resources, i.e.
Secret, or implementation-specific custom resources.
Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
Support: Implementation-specific (More than one reference or other resource types)		 MaxItems: 64
frontendValidation FrontendTLSValidation FrontendValidation holds configuration information for validating the frontend (client).
Setting this field will require clients to send a client certificate
required for validation during the TLS handshake. In browsers this may result in a dialog appearing
that requests a user to specify the client certificate.
The maximum depth of a certificate chain accepted in verification is Implementation specific.
Support: Extended
options object (keys:AnnotationKey, values:AnnotationValue) Options are a list of key/value pairs to enable extended TLS
configuration for each implementation. For example, configuring the
minimum TLS version or supported cipher suites.
A set of common keys MAY be defined by the API in the future. To avoid
any ambiguity, implementation-specific definitions MUST use
domain-prefixed names, such as example.com/my-custom-option.
Un-prefixed names are reserved for key names defined by Gateway API.
Support: Implementation-specific		 MaxProperties: 16

Group

Underlying type: string

Group refers to a Kubernetes Group. It must either be an empty string or a RFC 1123 subdomain.

This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208

Valid values include:

  • "" - empty string implies core Kubernetes API group
  • "gateway.networking.k8s.io"
  • "foo.example.com"

Invalid values include:

  • "example.com/bar" - "/" is an invalid character

Validation: - MaxLength: 253 - Pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

Appears in: - BackendObjectReference - BackendRef - GRPCBackendRef - HTTPBackendRef - LocalObjectReference - LocalParametersReference - ObjectReference - ParametersReference - ParentReference - RouteGroupKind - SecretObjectReference

HTTPBackendRef

HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.

When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port.

Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726.

If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service.

If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.

Appears in: - HTTPRouteRule

Field Description Default Validation
group Group Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is the Kubernetes resource kind of the referent. For example
"Service".
Defaults to "Service" when not specified.
ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.
Support: Core (Services with a type other than ExternalName)
Support: Implementation-specific (Services with type ExternalName)		 Service MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. MaxLength: 253
MinLength: 1
namespace Namespace Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port PortNumber Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field.		 Maximum: 65535
Minimum: 1
weight integer Weight specifies the proportion of requests forwarded to the referenced
backend. This is computed as weight/(sum of all weights in this
BackendRefs list). For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision an
implementation supports. Weight is not a percentage and the sum of
weights does not need to equal 100.
If only one backend is specified and it has a weight greater than 0, 100%
of the traffic is forwarded to that backend. If weight is set to 0, no
traffic should be forwarded for this entry. If unspecified, weight
defaults to 1.
Support for this field varies based on the context where used.		 1 Maximum: 1e+06
Minimum: 0
filters HTTPRouteFilter array Filters defined at this level should be executed if and only if the
request is being forwarded to the backend defined here.
Support: Implementation-specific (For broader support of filters, use the
Filters field in HTTPRouteRule.)		 MaxItems: 16

HTTPCORSFilter

HTTPCORSFilter defines a filter that that configures Cross-Origin Request Sharing (CORS).

Appears in: - HTTPRouteFilter

Field Description Default Validation
allowOrigins AbsoluteURI array AllowOrigins indicates whether the response can be shared with requested
resource from the given Origin.
The Origin consists of a scheme and a host, with an optional port, and
takes the form <scheme>://<host>(:<port>).
Valid values for scheme are: http and https.
Valid values for port are any integer between 1 and 65535 (the list of
available TCP/UDP ports). Note that, if not included, port 80 is
assumed for http scheme origins, and port 443 is assumed for https
origins. This may affect origin matching.
The host part of the origin may contain the wildcard character *. These
wildcard characters behave as follows:
* is a greedy match to the left, including any number of
DNS labels to the left of its position. This also means that
* will include any number of period . characters to the
left of its position.
 A wildcard by itself matches all hosts.
An origin value that includes only the * character indicates requests
from all Origins are allowed.
When the AllowOrigins field is configured with multiple origins, it
means the server supports clients from multiple origins. If the request
Origin matches the configured allowed origins, the gateway must return
the given Origin and sets value of the header
Access-Control-Allow-Origin same as the Origin header provided by the
client.
The status code of a successful response to a "preflight" request is
always an OK status (i.e., 204 or 200).
If the request Origin does not match the configured allowed origins,
the gateway returns 204/200 response but doesn't set the relevant
cross-origin response headers. Alternatively, the gateway responds with
403 status to the "preflight" request is denied, coupled with omitting
the CORS headers. The cross-origin request fails on the client side.
Therefore, the client doesn't attempt the actual cross-origin request.
The Access-Control-Allow-Origin response header can only use *
wildcard as value when the AllowCredentials field is unspecified.
When the AllowCredentials field is specified and AllowOrigins field
specified with the * wildcard, the gateway must return a single origin
in the value of the Access-Control-Allow-Origin response header,
instead of specifying the * wildcard. The value of the header
Access-Control-Allow-Origin is same as the Origin header provided by
the client.
Support: Extended		 MaxItems: 64
MaxLength: 253
MinLength: 1
Pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
allowCredentials TrueField AllowCredentials indicates whether the actual cross-origin request allows
to include credentials.
The only valid value for the Access-Control-Allow-Credentials response
header is true (case-sensitive).
If the credentials are not allowed in cross-origin requests, the gateway
will omit the header Access-Control-Allow-Credentials entirely rather
than setting its value to false.
Support: Extended		 Enum: [true]
allowMethods HTTPMethodWithWildcard array AllowMethods indicates which HTTP methods are supported for accessing the
requested resource.
Valid values are any method defined by RFC9110, along with the special
value *, which represents all HTTP methods are allowed.
Method names are case sensitive, so these values are also case-sensitive.
(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
Multiple method names in the value of the Access-Control-Allow-Methods
response header are separated by a comma (",").
A CORS-safelisted method is a method that is GET, HEAD, or POST.
(See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
CORS-safelisted methods are always allowed, regardless of whether they
are specified in the AllowMethods field.
When the AllowMethods field is configured with one or more methods, the
gateway must return the Access-Control-Allow-Methods response header
which value is present in the AllowMethods field.
If the HTTP method of the Access-Control-Request-Method request header
is not included in the list of methods specified by the response header
Access-Control-Allow-Methods, it will present an error on the client
side.
The Access-Control-Allow-Methods response header can only use *
wildcard as value when the AllowCredentials field is unspecified.
When the AllowCredentials field is specified and AllowMethods field
specified with the * wildcard, the gateway must specify one HTTP method
in the value of the Access-Control-Allow-Methods response header. The
value of the header Access-Control-Allow-Methods is same as the
Access-Control-Request-Method header provided by the client. If the
header Access-Control-Request-Method is not included in the request,
the gateway will omit the Access-Control-Allow-Methods response header,
instead of specifying the * wildcard. A Gateway implementation may
choose to add implementation-specific default methods.
Support: Extended		 Enum: [GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH *]
MaxItems: 9
allowHeaders HTTPHeaderName array AllowHeaders indicates which HTTP request headers are supported for
accessing the requested resource.
Header names are not case sensitive.
Multiple header names in the value of the Access-Control-Allow-Headers
response header are separated by a comma (",").
When the AllowHeaders field is configured with one or more headers, the
gateway must return the Access-Control-Allow-Headers response header
which value is present in the AllowHeaders field.
If any header name in the Access-Control-Request-Headers request header
is not included in the list of header names specified by the response
header Access-Control-Allow-Headers, it will present an error on the
client side.
If any header name in the Access-Control-Allow-Headers response header
does not recognize by the client, it will also occur an error on the
client side.
A wildcard indicates that the requests with all HTTP headers are allowed.
The Access-Control-Allow-Headers response header can only use *
wildcard as value when the AllowCredentials field is unspecified.
When the AllowCredentials field is specified and AllowHeaders field
specified with the * wildcard, the gateway must specify one or more
HTTP headers in the value of the Access-Control-Allow-Headers response
header. The value of the header Access-Control-Allow-Headers is same as
the Access-Control-Request-Headers header provided by the client. If
the header Access-Control-Request-Headers is not included in the
request, the gateway will omit the Access-Control-Allow-Headers
response header, instead of specifying the * wildcard. A Gateway
implementation may choose to add implementation-specific default headers.
Support: Extended		 MaxItems: 64
MaxLength: 256
MinLength: 1
Pattern: `^[A-Za-z0-9!
exposeHeaders HTTPHeaderName array ExposeHeaders indicates which HTTP response headers can be exposed
to client-side scripts in response to a cross-origin request.
A CORS-safelisted response header is an HTTP header in a CORS response
that it is considered safe to expose to the client scripts.
The CORS-safelisted response headers include the following headers:
Cache-Control
Content-Language
Content-Length
Content-Type
Expires
Last-Modified
Pragma
(See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
The CORS-safelisted response headers are exposed to client by default.
When an HTTP header name is specified using the ExposeHeaders field,
this additional header will be exposed as part of the response to the
client.
Header names are not case sensitive.
Multiple header names in the value of the Access-Control-Expose-Headers
response header are separated by a comma (",").
A wildcard indicates that the responses with all HTTP headers are exposed
to clients. The Access-Control-Expose-Headers response header can only
use * wildcard as value when the AllowCredentials field is
unspecified.
Support: Extended		 MaxItems: 64
MaxLength: 256
MinLength: 1
Pattern: `^[A-Za-z0-9!
maxAge integer MaxAge indicates the duration (in seconds) for the client to cache the
results of a "preflight" request.
The information provided by the Access-Control-Allow-Methods and
Access-Control-Allow-Headers response headers can be cached by the
client until the time specified by Access-Control-Max-Age elapses.
The default value of Access-Control-Max-Age response header is 5
(seconds).		 5 Minimum: 1

HTTPHeader

HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.

Appears in: - HTTPHeaderFilter

Field Description Default Validation
name HTTPHeaderName Name is the name of the HTTP Header to be matched. Name matching MUST be
case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered
equivalent.		 MaxLength: 256
MinLength: 1
Pattern: `^[A-Za-z0-9!
value string Value is the value of HTTP Header to be matched. MaxLength: 4096
MinLength: 1

HTTPHeaderFilter

HTTPHeaderFilter defines a filter that modifies the headers of an HTTP request or response. Only one action for a given header name is permitted. Filters specifying multiple actions of the same or different type for any one header name are invalid and will be rejected by CRD validation. Configuration to set or add multiple values for a header must use RFC 7230 header value formatting, separating each value with a comma.

Appears in: - GRPCRouteFilter - HTTPRouteFilter

Field Description Default Validation
set HTTPHeader array Set overwrites the request with the given header (name, value)
before the action.
Input:
GET /foo HTTP/1.1
my-header: foo
Config:
set:
- name: "my-header"
value: "bar"
Output:
GET /foo HTTP/1.1
my-header: bar		 MaxItems: 16
add HTTPHeader array Add adds the given header(s) (name, value) to the request
before the action. It appends to any existing values associated
with the header name.
Input:
GET /foo HTTP/1.1
my-header: foo
Config:
add:
- name: "my-header"
value: "bar,baz"
Output:
GET /foo HTTP/1.1
my-header: foo,bar,baz		 MaxItems: 16
remove string array Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header
names are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
Input:
GET /foo HTTP/1.1
my-header1: foo
my-header2: bar
my-header3: baz
Config:
remove: ["my-header1", "my-header3"]
Output:
GET /foo HTTP/1.1
my-header2: bar		 MaxItems: 16

HTTPHeaderMatch

HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.

Appears in: - HTTPRouteMatch

Field Description Default Validation
type HeaderMatchType Type specifies how to match against the value of the header.
Support: Core (Exact)
Support: Implementation-specific (RegularExpression)
Since RegularExpression HeaderMatchType has implementation-specific
conformance, implementations can support POSIX, PCRE or any other dialects
of regular expressions. Please read the implementation's documentation to
determine the supported dialect.		 Exact Enum: [Exact RegularExpression]
name HTTPHeaderName Name is the name of the HTTP Header to be matched. Name matching MUST be
case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, only the first
entry with an equivalent name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered
equivalent.
When a header is repeated in an HTTP request, it is
implementation-specific behavior as to how this is represented.
Generally, proxies should follow the guidance from the RFC:
https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
processing a repeated header, with special handling for "Set-Cookie".		 MaxLength: 256
MinLength: 1
Pattern: `^[A-Za-z0-9!
value string Value is the value of HTTP Header to be matched. MaxLength: 4096
MinLength: 1

HTTPHeaderName

Underlying type: HeaderName

HTTPHeaderName is the name of an HTTP header.

Valid values include:

  • "Authorization"
  • "Set-Cookie"

Invalid values include:

  • ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type.
  • "/invalid" - "/ " is an invalid character

Validation: - MaxLength: 256 - MinLength: 1 - Pattern: `^[A-Za-z0-9!

Appears in: - HTTPCORSFilter - HTTPHeader - HTTPHeaderMatch - HTTPQueryParamMatch

HTTPMethod

Underlying type: string

HTTPMethod describes how to select a HTTP route by matching the HTTP method as defined by RFC 7231 and RFC 5789. The value is expected in upper case.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Validation: - Enum: [GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH]

Appears in: - HTTPRouteMatch

Field Description
GET
HEAD
POST
PUT
DELETE
CONNECT
OPTIONS
TRACE
PATCH

HTTPMethodWithWildcard

Underlying type: string

Validation: - Enum: [GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH *]

Appears in: - HTTPCORSFilter

HTTPPathMatch

HTTPPathMatch describes how to select a HTTP route by matching the HTTP request path.

Appears in: - HTTPRouteMatch

Field Description Default Validation
type PathMatchType Type specifies how to match against the path Value.
Support: Core (Exact, PathPrefix)
Support: Implementation-specific (RegularExpression)		 PathPrefix Enum: [Exact PathPrefix RegularExpression]
value string Value of the HTTP path to match against. / MaxLength: 1024

HTTPPathModifier

HTTPPathModifier defines configuration for path modifiers.

Appears in: - HTTPRequestRedirectFilter - HTTPURLRewriteFilter

Field Description Default Validation
type HTTPPathModifierType Type defines the type of path modifier. Additional types may be
added in a future release of the API.
Note that values may be added to this enum, implementations
must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False, with a
Reason of UnsupportedValue.		 Enum: [ReplaceFullPath ReplacePrefixMatch]
replaceFullPath string ReplaceFullPath specifies the value with which to replace the full path
of a request during a rewrite or redirect.		 MaxLength: 1024
replacePrefixMatch string ReplacePrefixMatch specifies the value with which to replace the prefix
match of a request during a rewrite or redirect. For example, a request
to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
of "/xyz" would be modified to "/xyz/bar".
Note that this matches the behavior of the PathPrefix match type. This
matches full path elements. A path element refers to the list of labels
in the path split by the / separator. When specified, a trailing / is
ignored. For example, the paths /abc, /abc/, and /abc/def would all
match the prefix /abc, but the path /abcd would not.
ReplacePrefixMatch is only compatible with a PathPrefix HTTPRouteMatch.
Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
the implementation setting the Accepted Condition for the Route to status: False.
Request Path | Prefix Match | Replace Prefix | Modified Path		 MaxLength: 1024

HTTPPathModifierType

Underlying type: string

HTTPPathModifierType defines the type of path redirect or rewrite.

Appears in: - HTTPPathModifier

Field Description
ReplaceFullPath This type of modifier indicates that the full path will be replaced
by the specified value.
ReplacePrefixMatch This type of modifier indicates that any prefix path matches will be
replaced by the substitution value. For example, a path with a prefix
match of "/foo" and a ReplacePrefixMatch substitution of "/bar" will have
the "/foo" prefix replaced with "/bar" in matching requests.
Note that this matches the behavior of the PathPrefix match type. This
matches full path elements. A path element refers to the list of labels
in the path split by the / separator. When specified, a trailing / is
ignored. For example, the paths /abc, /abc/, and /abc/def would all
match the prefix /abc, but the path /abcd would not.

HTTPQueryParamMatch

HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters.

Appears in: - HTTPRouteMatch

Field Description Default Validation
type QueryParamMatchType Type specifies how to match against the value of the query parameter.
Support: Extended (Exact)
Support: Implementation-specific (RegularExpression)
Since RegularExpression QueryParamMatchType has Implementation-specific
conformance, implementations can support POSIX, PCRE or any other
dialects of regular expressions. Please read the implementation's
documentation to determine the supported dialect.		 Exact Enum: [Exact RegularExpression]
name HTTPHeaderName Name is the name of the HTTP query param to be matched. This must be an
exact string match. (See
https://tools.ietf.org/html/rfc7230#section-2.7.3).
If multiple entries specify equivalent query param names, only the first
entry with an equivalent name MUST be considered for a match. Subsequent
entries with an equivalent query param name MUST be ignored.
If a query param is repeated in an HTTP request, the behavior is
purposely left undefined, since different data planes have different
capabilities. However, it is recommended that implementations should
match against the first value of the param if the data plane supports it,
as this behavior is expected in other load balancing contexts outside of
the Gateway API.
Users SHOULD NOT route traffic based on repeated query params to guard
themselves against potential differences in the implementations.		 MaxLength: 256
MinLength: 1
Pattern: `^[A-Za-z0-9!
value string Value is the value of HTTP query param to be matched. MaxLength: 1024
MinLength: 1

HTTPRequestMirrorFilter

HTTPRequestMirrorFilter defines configuration for the RequestMirror filter.

Appears in: - GRPCRouteFilter - HTTPRouteFilter

Field Description Default Validation
backendRef BackendObjectReference BackendRef references a resource where mirrored requests are sent.
Mirrored requests must be sent only to a single destination endpoint
within this BackendRef, irrespective of how many endpoints are present
within this BackendRef.
If the referent cannot be found, this BackendRef is invalid and must be
dropped from the Gateway. The controller must ensure the "ResolvedRefs"
condition on the Route status is set to status: False and not configure
this backend in the underlying implementation.
If there is a cross-namespace reference to an existing object
that is not allowed by a ReferenceGrant, the controller must ensure the
"ResolvedRefs" condition on the Route is set to status: False,
with the "RefNotPermitted" reason and not configure this backend in the
underlying implementation.
In either error case, the Message of the ResolvedRefs Condition
should be used to provide more detail about the problem.
Support: Extended for Kubernetes Service
Support: Implementation-specific for any other resource
percent integer Percent represents the percentage of requests that should be
mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
requests) and its maximum value is 100 (indicating 100% of requests).
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.		 Maximum: 100
Minimum: 0
fraction Fraction Fraction represents the fraction of requests that should be
mirrored to BackendRef.
Only one of Fraction or Percent may be specified. If neither field
is specified, 100% of requests will be mirrored.

HTTPRequestRedirectFilter

HTTPRequestRedirect defines a filter that redirects a request. This filter MUST NOT be used on the same Route rule as a HTTPURLRewrite filter.

Appears in: - HTTPRouteFilter

Field Description Default Validation
scheme string Scheme is the scheme to be used in the value of the Location header in
the response. When empty, the scheme of the request is used.
Scheme redirects can affect the port of the redirect, for more information,
refer to the documentation for the port field of this filter.
Note that values may be added to this enum, implementations
must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False, with a
Reason of UnsupportedValue.
Support: Extended		 Enum: [http https]
hostname PreciseHostname Hostname is the hostname to be used in the value of the Location
header in the response.
When empty, the hostname in the Host header of the request is used.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
path HTTPPathModifier Path defines parameters used to modify the path of the incoming request.
The modified path is then used to construct the Location header. When
empty, the request path is used as-is.
Support: Extended
port PortNumber Port is the port to be used in the value of the Location
header in the response.
If no port is specified, the redirect port MUST be derived using the
following rules:
If redirect scheme is not-empty, the redirect port MUST be the well-known
port associated with the redirect scheme. Specifically "http" to port 80
and "https" to port 443. If the redirect scheme does not have a
well-known port, the listener port of the Gateway SHOULD be used.
 If redirect scheme is empty, the redirect port MUST be the Gateway
Listener port.
Implementations SHOULD NOT add the port number in the 'Location'
header in the following cases:
A Location header that will use HTTP (whether that is determined via
the Listener protocol or the Scheme field) and use port 80.
 A Location header that will use HTTPS (whether that is determined via
the Listener protocol or the Scheme field) and use port 443.
Support: Extended		 Maximum: 65535
Minimum: 1
statusCode integer StatusCode is the HTTP status code to be used in response.
Note that values may be added to this enum, implementations
must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False, with a
Reason of UnsupportedValue.
Support: Core		 302 Enum: [301 302]

HTTPRoute

HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.

Appears in: - HTTPRoute

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1
kind string HTTPRoute
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec HTTPRouteSpec Spec defines the desired state of HTTPRoute.
status HTTPRouteStatus Status defines the current state of HTTPRoute.

HTTPRouteFilter

HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.

Appears in: - HTTPBackendRef - HTTPRouteRule

Field Description Default Validation
type HTTPRouteFilterType Type identifies the type of filter to apply. As with other API fields,
types are classified into three conformance levels:
- Core: Filter types and their corresponding configuration defined by
"Support: Core" in this package, e.g. "RequestHeaderModifier". All
implementations must support core filters.
- Extended: Filter types and their corresponding configuration defined by
"Support: Extended" in this package, e.g. "RequestMirror". Implementers
are encouraged to support extended filters.
- Implementation-specific: Filters that are defined and supported by
specific vendors.
In the future, filters showing convergence in behavior across multiple
implementations will be considered for inclusion in extended or core
conformance levels. Filter-specific configuration for such filters
is specified using the ExtensionRef field. Type should be set to
"ExtensionRef" for custom filters.
Implementers are encouraged to define custom implementation types to
extend the core API with implementation-specific behavior.
If a reference to a custom filter type cannot be resolved, the filter
MUST NOT be skipped. Instead, requests that would have been processed by
that filter MUST receive a HTTP error response.
Note that values may be added to this enum, implementations
must ensure that unknown values will not cause a crash.
Unknown values here must result in the implementation setting the
Accepted Condition for the Route to status: False, with a
Reason of UnsupportedValue.
 Enum: [RequestHeaderModifier ResponseHeaderModifier RequestMirror RequestRedirect URLRewrite ExtensionRef]
requestHeaderModifier HTTPHeaderFilter RequestHeaderModifier defines a schema for a filter that modifies request
headers.
Support: Core
responseHeaderModifier HTTPHeaderFilter ResponseHeaderModifier defines a schema for a filter that modifies response
headers.
Support: Extended
requestMirror HTTPRequestMirrorFilter RequestMirror defines a schema for a filter that mirrors requests.
Requests are sent to the specified destination, but responses from
that destination are ignored.
This filter can be used multiple times within the same rule. Note that
not all implementations will be able to support mirroring to multiple
backends.
Support: Extended
requestRedirect HTTPRequestRedirectFilter RequestRedirect defines a schema for a filter that responds to the
request with an HTTP redirection.
Support: Core
urlRewrite HTTPURLRewriteFilter URLRewrite defines a schema for a filter that modifies a request during forwarding.
Support: Extended
cors HTTPCORSFilter CORS defines a schema for a filter that responds to the
cross-origin request based on HTTP response header.
Support: Extended
extensionRef LocalObjectReference ExtensionRef is an optional, implementation-specific extension to the
"filter" behavior. For example, resource "myroutefilter" in group
"networking.example.net"). ExtensionRef MUST NOT be used for core and
extended filters.
This filter can be used multiple times within the same rule.
Support: Implementation-specific

HTTPRouteFilterType

Underlying type: string

HTTPRouteFilterType identifies a type of HTTPRoute filter.

Appears in: - HTTPRouteFilter

Field Description
RequestHeaderModifier HTTPRouteFilterRequestHeaderModifier can be used to add or remove an HTTP
header from an HTTP request before it is sent to the upstream target.
Support in HTTPRouteRule: Core
Support in HTTPBackendRef: Extended
ResponseHeaderModifier HTTPRouteFilterResponseHeaderModifier can be used to add or remove an HTTP
header from an HTTP response before it is sent to the client.
Support in HTTPRouteRule: Extended
Support in HTTPBackendRef: Extended
RequestRedirect HTTPRouteFilterRequestRedirect can be used to redirect a request to
another location. This filter can also be used for HTTP to HTTPS
redirects. This may not be used on the same Route rule or BackendRef as a
URLRewrite filter.
Support in HTTPRouteRule: Core
Support in HTTPBackendRef: Extended
URLRewrite HTTPRouteFilterURLRewrite can be used to modify a request during
forwarding. At most one of these filters may be used on a Route rule.
This may not be used on the same Route rule or BackendRef as a
RequestRedirect filter.
Support in HTTPRouteRule: Extended
Support in HTTPBackendRef: Extended
RequestMirror HTTPRouteFilterRequestMirror can be used to mirror HTTP requests to a
different backend. The responses from this backend MUST be ignored by
the Gateway.
Support in HTTPRouteRule: Extended
Support in HTTPBackendRef: Extended
CORS HTTPRouteFilterCORS can be used to add CORS headers to an
HTTP response before it is sent to the client.
Support in HTTPRouteRule: Extended
Support in HTTPBackendRef: Extended
ExtensionRef HTTPRouteFilterExtensionRef should be used for configuring custom
HTTP filters.
Support in HTTPRouteRule: Implementation-specific
Support in HTTPBackendRef: Implementation-specific

HTTPRouteMatch

HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied.

For example, the match below will match a HTTP request only if its path starts with /foo AND it contains the version: v1 header:

match:

    path:
      value: "/foo"
    headers:
    - name: "version"
      value "v1"

Appears in: - HTTPRouteRule

Field Description Default Validation
path HTTPPathMatch Path specifies a HTTP request path matcher. If this field is not
specified, a default prefix match on the "/" path is provided.		 { type:PathPrefix value:/ }
headers HTTPHeaderMatch array Headers specifies HTTP request header matchers. Multiple match values are
ANDed together, meaning, a request must match all the specified headers
to select the route.		 MaxItems: 16
queryParams HTTPQueryParamMatch array QueryParams specifies HTTP query parameter matchers. Multiple match
values are ANDed together, meaning, a request must match all the
specified query parameters to select the route.
Support: Extended		 MaxItems: 16
method HTTPMethod Method specifies HTTP method matcher.
When specified, this route will be matched only if the request has the
specified method.
Support: Extended		 Enum: [GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH]

HTTPRouteRetry

HTTPRouteRetry defines retry configuration for an HTTPRoute.

Implementations SHOULD retry on connection errors (disconnect, reset, timeout, TCP failure) if a retry stanza is configured.

Appears in: - HTTPRouteRule

Field Description Default Validation
codes HTTPRouteRetryStatusCode array Codes defines the HTTP response status codes for which a backend request
should be retried.
Support: Extended		 Maximum: 599
Minimum: 400
attempts integer Attempts specifies the maximum number of times an individual request
from the gateway to a backend should be retried.
If the maximum number of retries has been attempted without a successful
response from the backend, the Gateway MUST return an error.
When this field is unspecified, the number of times to attempt to retry
a backend request is implementation-specific.
Support: Extended
backoff Duration Backoff specifies the minimum duration a Gateway should wait between
retry attempts and is represented in Gateway API Duration formatting.
For example, setting the rules[].retry.backoff field to the value
100ms will cause a backend request to first be retried approximately
100 milliseconds after timing out or receiving a response code configured
to be retryable.
An implementation MAY use an exponential or alternative backoff strategy
for subsequent retry attempts, MAY cap the maximum backoff duration to
some amount greater than the specified minimum, and MAY add arbitrary
jitter to stagger requests, as long as unsuccessful backend requests are
not retried before the configured minimum duration.
If a Request timeout (rules[].timeouts.request) is configured on the
route, the entire duration of the initial request and any retry attempts
MUST not exceed the Request timeout duration. If any retry attempts are
still in progress when the Request timeout duration has been reached,
these SHOULD be canceled if possible and the Gateway MUST immediately
return a timeout error.
If a BackendRequest timeout (rules[].timeouts.backendRequest) is
configured on the route, any retry attempts which reach the configured
BackendRequest timeout duration without a response SHOULD be canceled if
possible and the Gateway should wait for at least the specified backoff
duration before attempting to retry the backend request again.
If a BackendRequest timeout is not configured on the route, retry
attempts MAY time out after an implementation default duration, or MAY
remain pending until a configured Request timeout or implementation
default duration for total request time is reached.
When this field is unspecified, the time to wait between retry attempts
is implementation-specific.
Support: Extended		 Pattern: ^([0-9]\{1,5\}(h\|m\|s\|ms))\{1,4\}$

HTTPRouteRetryStatusCode

Underlying type: integer

HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried.

Implementations MUST support the following status codes as retryable:

  • 500
  • 502
  • 503
  • 504

Implementations MAY support specifying additional discrete values in the 500-599 range.

Implementations MAY support specifying discrete values in the 400-499 range, which are often inadvisable to retry.

Validation: - Maximum: 599 - Minimum: 400

Appears in: - HTTPRouteRetry

HTTPRouteRule

HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).

Appears in: - HTTPRouteSpec

Field Description Default Validation
name SectionName Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended
 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
matches HTTPRouteMatch array Matches define conditions used for matching the rule against incoming
HTTP requests. Each match is independent, i.e. this rule will be matched
if any one of the matches is satisfied.
For example, take the following matches configuration:
<br />matches:<br />- path:<br /> value: "/foo"<br /> headers:<br /> - name: "version"<br /> value: "v2"<br />- path:<br /> value: "/v2/foo"<br />
For a request to match against this rule, a request must satisfy
EITHER of the two conditions:
- path prefixed with /foo AND contains the header version: v2
- path prefix of /v2/foo
See the documentation for HTTPRouteMatch on how to specify multiple
match conditions that should be ANDed together.
If no matches are specified, the default is a prefix
path match on "/", which has the effect of matching every
HTTP request.
Proxy or Load Balancer routing configuration generated from HTTPRoutes
MUST prioritize matches based on the following criteria, continuing on
ties. Across all rules specified on applicable Routes, precedence must be
given to the match having:
"Exact" path match.
 "Prefix" path match with largest number of characters.
Method match.
 Largest number of header matches.
Largest number of query param matches.
Note: The precedence of RegularExpression path matches are implementation-specific.
If ties still exist across multiple Routes, matching precedence MUST be
determined in order of the following criteria, continuing on ties:
 The oldest Route based on creation timestamp.
* The Route appearing first in alphabetical order by
"{namespace}/{name}".
If ties still exist within an HTTPRoute, matching precedence MUST be granted
to the FIRST matching rule (in list order) with a match meeting the above
criteria.
When no rules matching a request have been successfully attached to the
parent a request is coming from, a HTTP 404 status code MUST be returned.		 [map[path:map[type:PathPrefix value:/]]] MaxItems: 64
filters HTTPRouteFilter array Filters define the filters that are applied to requests that match
this rule.
Wherever possible, implementations SHOULD implement filters in the order
they are specified.
Implementations MAY choose to implement this ordering strictly, rejecting
any combination or order of filters that cannot be supported. If implementations
choose a strict interpretation of filter ordering, they MUST clearly document
that behavior.
To reject an invalid combination or order of filters, implementations SHOULD
consider the Route Rules with this configuration invalid. If all Route Rules
in a Route are invalid, the entire Route would be considered invalid. If only
a portion of Route Rules are invalid, implementations MUST set the
"PartiallyInvalid" condition for the Route.
Conformance-levels at this level are defined based on the type of filter:
- ALL core filters MUST be supported by all implementations.
- Implementers are encouraged to support extended filters.
- Implementation-specific custom filters have no API guarantees across
implementations.
Specifying the same filter multiple times is not supported unless explicitly
indicated in the filter.
All filters are expected to be compatible with each other except for the
URLRewrite and RequestRedirect filters, which may not be combined. If an
implementation cannot support other combinations of filters, they must clearly
document that limitation. In cases where incompatible or unsupported
filters are specified and cause the Accepted condition to be set to status
False, implementations may use the IncompatibleFilters reason to specify
this configuration error.
Support: Core		 MaxItems: 16
backendRefs HTTPBackendRef array BackendRefs defines the backend(s) where matching requests should be
sent.
Failure behavior here depends on how many BackendRefs are specified and
how many are invalid.
If all entries in BackendRefs are invalid, and there are also no filters
specified in this route rule, all traffic which matches this rule MUST
receive a 500 status code.
See the HTTPBackendRef definition for the rules about what makes a single
HTTPBackendRef invalid.
When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
requests that would have otherwise been routed to an invalid backend. If
multiple backends are specified, and some are invalid, the proportion of
requests that would otherwise have been routed to an invalid backend
MUST receive a 500 status code.
For example, if two backends are specified with equal weights, and one is
invalid, 50 percent of traffic must receive a 500. Implementations may
choose how that 50 percent is determined.
When a HTTPBackendRef refers to a Service that has no ready endpoints,
implementations SHOULD return a 503 for requests to that backend instead.
If an implementation chooses to do this, all of the above rules for 500 responses
MUST also apply for responses that return a 503.
Support: Core for Kubernetes Service
Support: Extended for Kubernetes ServiceImport
Support: Implementation-specific for any other resource
Support for weight: Core		 MaxItems: 16
timeouts HTTPRouteTimeouts Timeouts defines the timeouts that can be configured for an HTTP request.
Support: Extended
retry HTTPRouteRetry Retry defines the configuration for when to retry an HTTP request.
Support: Extended
sessionPersistence SessionPersistence SessionPersistence defines and configures session persistence
for the route rule.
Support: Extended

HTTPRouteSpec

HTTPRouteSpec defines the desired state of HTTPRoute

Appears in: - HTTPRoute

Field Description Default Validation
parentRefs ParentReference array ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
the Gateway needs to allow attachment from Routes of this kind and
namespace. For Services, that means the Service must either be in the same
namespace for a "producer" route, or the mesh implementation must support
and allow "consumer" routes for the referenced Service. ReferenceGrant is
not applicable for governing ParentRefs to Services - it is not possible to
create a "producer" route for a Service in a different namespace from the
Route.
There are two kinds of parent resources with "Core" support:
Gateway (Gateway conformance profile)
 Service (Mesh conformance profile, ClusterIP Services only)
This API may be extended in the future to support additional kinds of parent
resources.
ParentRefs must be distinct. This means either that:
They select different objects. If this is the case, then parentRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by group, kind, namespace, and name must
be unique across all parentRef entries in the Route.
 They do not select different objects, but for each optional field used,
each ParentRef that selects the same object must set the same set of
optional fields to different values. If one ParentRef sets a
combination of optional fields, all must set the same combination.
Some examples:
If one ParentRef sets sectionName, all ParentRefs referencing the
same object must also set sectionName.
 If one ParentRef sets port, all ParentRefs referencing the same
object must also set port.
* If one ParentRef sets sectionName and port, all ParentRefs
referencing the same object must also set sectionName and port.
It is possible to separately reference multiple distinct objects that may
be collapsed by an implementation. For example, some implementations may
choose to merge compatible Gateway Listeners together. If that is the
case, the list of routes attached to those resources should also be
merged.
Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example,
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable other kinds of cross-namespace reference.

ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.




 MaxItems: 32
hostnames Hostname array Hostnames defines a set of hostnames that should match against the HTTP Host
header to select a HTTPRoute used to process the request. Implementations
MUST ignore any port value specified in the HTTP Host header while
performing a match and (absent of any applicable header modification
configuration) MUST forward this header unmodified to the backend.
Valid values for Hostnames are determined by RFC 1123 definition of a
hostname with 2 notable exceptions:
1. IPs are not allowed.
2. A hostname may be prefixed with a wildcard label (*.). The wildcard
label must appear by itself as the first label.
If a hostname is specified by both the Listener and HTTPRoute, there
must be at least one intersecting hostname for the HTTPRoute to be
attached to the Listener. For example:
A Listener with test.example.com as the hostname matches HTTPRoutes
that have either not specified any hostnames, or have specified at
least one of test.example.com or *.example.com.
 A Listener with *.example.com as the hostname matches HTTPRoutes
that have either not specified any hostnames or have specified at least
one hostname that matches the Listener hostname. For example,
*.example.com, test.example.com, and foo.test.example.com would
all match. On the other hand, example.com and test.example.net would
not match.
Hostnames that are prefixed with a wildcard label (*.) are interpreted
as a suffix match. That means that a match for *.example.com would match
both test.example.com, and foo.test.example.com, but not example.com.
If both the Listener and HTTPRoute have specified hostnames, any
HTTPRoute hostnames that do not match the Listener hostname MUST be
ignored. For example, if a Listener specified *.example.com, and the
HTTPRoute specified test.example.com and test.example.net,
test.example.net must not be considered for a match.
If both the Listener and HTTPRoute have specified hostnames, and none
match with the criteria above, then the HTTPRoute is not accepted. The
implementation must raise an 'Accepted' Condition with a status of
False in the corresponding RouteParentStatus.
In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
overlapping wildcard matching and exact matching hostnames), precedence must
be given to rules from the HTTPRoute with the largest number of:
Characters in a matching non-wildcard hostname.
 Characters in a matching hostname.
If ties exist across multiple Routes, the matching precedence rules for
HTTPRouteMatches takes over.
Support: Core		 MaxItems: 16
MaxLength: 253
MinLength: 1
Pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
rules HTTPRouteRule array Rules are a list of HTTP matchers, filters and actions.
 [map[matches:[map[path:map[type:PathPrefix value:/]]]]] MaxItems: 16

HTTPRouteStatus

HTTPRouteStatus defines the observed state of HTTPRoute.

Appears in: - HTTPRoute

Field Description Default Validation
parents RouteParentStatus array Parents is a list of parent resources (usually Gateways) that are
associated with the route, and the status of the route with respect to
each parent. When this route attaches to a parent, the controller that
manages the parent must add an entry to this list when the controller
first sees the route and should update the entry as appropriate when the
route or gateway is modified.
Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this API
can only populate Route status for the Gateways/parent resources they are
responsible for.
A maximum of 32 Gateways will be represented in this list. An empty list
means the route has not been attached to any Gateway.		 MaxItems: 32

HTTPRouteTimeouts

HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute. Timeout values are represented with Gateway API Duration formatting.

Appears in: - HTTPRouteRule

Field Description Default Validation
request Duration Request specifies the maximum duration for a gateway to respond to an HTTP request.
If the gateway has not been able to respond before this deadline is met, the gateway
MUST return a timeout error.
For example, setting the rules.timeouts.request field to the value 10s in an
HTTPRoute will cause a timeout if a client request is taking longer than 10 seconds
to complete.
Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
completely. Implementations that cannot completely disable the timeout MUST
instead interpret the zero duration as the longest possible value to which
the timeout can be set.
This timeout is intended to cover as close to the whole request-response transaction
as possible although an implementation MAY choose to start the timeout after the entire
request stream has been received instead of immediately after the transaction is
initiated by the client.
The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
field is unspecified, request timeout behavior is implementation-specific.
Support: Extended		 Pattern: ^([0-9]\{1,5\}(h\|m\|s\|ms))\{1,4\}$
backendRequest Duration BackendRequest specifies a timeout for an individual request from the gateway
to a backend. This covers the time from when the request first starts being
sent from the gateway to when the full response has been received from the backend.
Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
completely. Implementations that cannot completely disable the timeout MUST
instead interpret the zero duration as the longest possible value to which
the timeout can be set.
An entire client HTTP transaction with a gateway, covered by the Request timeout,
may result in more than one call from the gateway to the destination backend,
for example, if automatic retries are supported.
The value of BackendRequest must be a Gateway API Duration string as defined by
GEP-2257. When this field is unspecified, its behavior is implementation-specific;
when specified, the value of BackendRequest must be no more than the value of the
Request timeout (since the Request timeout encompasses the BackendRequest timeout).
Support: Extended		 Pattern: ^([0-9]\{1,5\}(h\|m\|s\|ms))\{1,4\}$

HTTPURLRewriteFilter

HTTPURLRewriteFilter defines a filter that modifies a request during forwarding. At most one of these filters may be used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequestRedirect filter.

Support: Extended

Appears in: - HTTPRouteFilter

Field Description Default Validation
hostname PreciseHostname Hostname is the value to be used to replace the Host header value during
forwarding.
Support: Extended		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
path HTTPPathModifier Path defines a path rewrite.
Support: Extended

HeaderMatchType

Underlying type: string

HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values, along with their conformance levels, are:

  • "Exact" - Core
  • "RegularExpression" - Implementation Specific

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Validation: - Enum: [Exact RegularExpression]

Appears in: - HTTPHeaderMatch

Field Description
Exact
RegularExpression

HeaderName

Underlying type: string

HeaderName is the name of a header or query parameter.

Validation: - MaxLength: 256 - MinLength: 1 - Pattern: `^[A-Za-z0-9!

Appears in: - GRPCHeaderName - HTTPHeaderName

Hostname

Underlying type: string

Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label must appear by itself as the first label.

Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. *.example.com).

Note that as per RFC1035 and RFC1123, a label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed.

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

Appears in: - GRPCRouteSpec - HTTPRouteSpec - Listener - SubjectAltName

Kind

Underlying type: string

Kind refers to a Kubernetes Kind.

Valid values include:

  • "Service"
  • "HTTPRoute"

Invalid values include:

  • "invalid/kind" - "/" is an invalid character

Validation: - MaxLength: 63 - MinLength: 1 - Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

Appears in: - BackendObjectReference - BackendRef - GRPCBackendRef - HTTPBackendRef - LocalObjectReference - LocalParametersReference - ObjectReference - ParametersReference - ParentReference - RouteGroupKind - SecretObjectReference

LabelKey

Underlying type: string

LabelKey is the key of a label in the Gateway API. This is used for validation of maps such as Gateway infrastructure labels. This matches the Kubernetes "qualified name" validation that is used for labels.

Valid values include:

  • example
  • example.com
  • example.com/path
  • example.com/path.html

Invalid values include:

  • example~ - "~" is an invalid character
  • example.com. - cannot start or end with "."

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$

Appears in: - GatewayInfrastructure

LabelValue

Underlying type: string

LabelValue is the value of a label in the Gateway API. This is used for validation of maps such as Gateway infrastructure labels. This matches the Kubernetes label validation rules: * must be 63 characters or less (can be empty), * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.

Valid values include:

  • MyValue
  • my.name
  • 123-my-value

Validation: - MaxLength: 63 - MinLength: 0 - Pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$

Appears in: - GatewayInfrastructure

Listener

Listener embodies the concept of a logical endpoint where a Gateway accepts network connections.

Appears in: - GatewaySpec

Field Description Default Validation
name SectionName Name is the name of the Listener. This name MUST be unique within a
Gateway.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
hostname Hostname Hostname specifies the virtual hostname to match for protocol types that
define this concept. When unspecified, all hostnames are matched. This
field is ignored for protocols that don't require hostname based
matching.
Implementations MUST apply Hostname matching appropriately for each of
the following protocols:
TLS: The Listener Hostname MUST match the SNI.
 HTTP: The Listener Hostname MUST match the Host header of the request.
HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
Note that this does not require the SNI and Host header to be the same.
The semantics of this are described in more detail below.
To ensure security, Section 11.1 of RFC-6066 emphasizes that server
implementations that rely on SNI hostname matching MUST also verify
hostnames within the application protocol.
Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
reuse of a connection by responding with the HTTP 421 Misdirected Request
status code. This indicates that the origin server has rejected the
request because it appears to have been misdirected.
To detect misdirected requests, Gateways SHOULD match the authority of
the requests with all the SNI hostname(s) configured across all the
Gateway Listeners on the same port and protocol:
 If another Listener has an exact match or more specific wildcard entry,
the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello)
does not match the Host:
* If another Listener does match the Host the Gateway SHOULD return a
421.
* If no other Listener matches the Host, the Gateway MUST return a
404.
For HTTPRoute and TLSRoute resources, there is an interaction with the
spec.hostnames array. When both listener and route specify hostnames,
there MUST be an intersection between the values for a Route to be
accepted. For more information, refer to the Route specific Hostnames
documentation.
Hostnames that are prefixed with a wildcard label (*.) are interpreted
as a suffix match. That means that a match for *.example.com would match
both test.example.com, and foo.test.example.com, but not example.com.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
port PortNumber Port is the network port. Multiple listeners may use the
same port, subject to the Listener compatibility rules.
Support: Core		 Maximum: 65535
Minimum: 1
protocol ProtocolType Protocol specifies the network protocol this listener expects to receive.
Support: Core		 MaxLength: 255
MinLength: 1
Pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$\|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
tls GatewayTLSConfig TLS is the TLS configuration for the Listener. This field is required if
the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
if the Protocol field is "HTTP", "TCP", or "UDP".
The association of SNIs to Certificate defined in GatewayTLSConfig is
defined based on the Hostname field for this listener.
The GatewayClass MUST use the longest matching SNI out of all
available certificates for any TLS handshake.
Support: Core
allowedRoutes AllowedRoutes AllowedRoutes defines the types of routes that MAY be attached to a
Listener and the trusted namespaces where those Route resources MAY be
present.
Although a client request may match multiple route rules, only one rule
may ultimately receive the request. Matching precedence MUST be
determined in order of the following criteria:
The most specific match as defined by the Route type.
 The oldest Route based on creation timestamp. For example, a Route with
a creation timestamp of "2020-09-08 01:02:03" is given precedence over
a Route with a creation timestamp of "2020-09-08 01:02:04".
* If everything else is equivalent, the Route appearing first in
alphabetical order (namespace/name) should be given precedence. For
example, foo/bar is given precedence over foo/baz.
All valid rules within a Route attached to this Listener should be
implemented. Invalid Route rules can be ignored (sometimes that will mean
the full Route). If a Route rule transitions from valid to invalid,
support for that Route rule should be dropped to ensure consistency. For
example, even if a filter specified by a Route rule is invalid, the rest
of the rules within that Route should still be supported.
Support: Core		 { namespaces:map[from:Same] }

ListenerNamespaces

ListenerNamespaces indicate which namespaces ListenerSets should be selected from.

Appears in: - AllowedListeners

Field Description Default Validation
from FromNamespaces From indicates where ListenerSets can attach to this Gateway. Possible
values are:
Same: Only ListenerSets in the same namespace may be attached to this Gateway.
 Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
All: ListenerSets in all namespaces may be attached to this Gateway.
 None: Only listeners defined in the Gateway's spec are allowed
While this feature is experimental, the default value None		 None Enum: [All Selector Same None]
selector LabelSelector Selector must be specified when From is set to "Selector". In that case,
only ListenerSets in Namespaces matching this Selector will be selected by this
Gateway. This field is ignored for other values of "From".

ListenerStatus

ListenerStatus is the status associated with a Listener.

Appears in: - GatewayStatus

Field Description Default Validation
name SectionName Name is the name of the Listener that this status corresponds to. MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
supportedKinds RouteGroupKind array SupportedKinds is the list indicating the Kinds supported by this
listener. This MUST represent the kinds an implementation supports for
that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT
appear in this list and an implementation MUST set the "ResolvedRefs"
condition to "False" with the "InvalidRouteKinds" reason. If both valid
and invalid Route kinds are specified, the implementation MUST
reference the valid Route kinds that have been specified.		 MaxItems: 8
attachedRoutes integer AttachedRoutes represents the total number of Routes that have been
successfully attached to this Listener.
Successful attachment of a Route to a Listener is based solely on the
combination of the AllowedRoutes field on the corresponding Listener
and the Route's ParentRefs field. A Route is successfully attached to
a Listener when it is selected by the Listener's AllowedRoutes field
AND the Route has a valid ParentRef selecting the whole Gateway
resource or a specific Listener as a parent resource (more detail on
attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
for Listeners with condition Accepted: false and MUST count successfully
attached Routes that may themselves have Accepted: false conditions.
Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener.
conditions Condition array Conditions describe the current condition of this listener. MaxItems: 8

LocalObjectReference

LocalObjectReference identifies an API object within the namespace of the referrer. The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Appears in: - BackendTLSPolicyValidation - GRPCRouteFilter - HTTPRouteFilter

Field Description Default Validation
group Group Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the referent. For example "HTTPRoute" or "Service". MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. MaxLength: 253
MinLength: 1

LocalParametersReference

LocalParametersReference identifies an API object containing controller-specific configuration resource within the namespace.

Appears in: - GatewayInfrastructure

Field Description Default Validation
group Group Group is the group of the referent. MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the referent. MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name string Name is the name of the referent. MaxLength: 253
MinLength: 1

Namespace

Underlying type: string

Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.

This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187

This is used for Namespace name validation here: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63

Valid values include:

  • "example"

Invalid values include:

  • "example.com" - "." is an invalid character

Validation: - MaxLength: 63 - MinLength: 1 - Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

Appears in: - BackendObjectReference - BackendRef - GRPCBackendRef - HTTPBackendRef - ObjectReference - ParametersReference - ParentReference - SecretObjectReference

ObjectName

Underlying type: string

ObjectName refers to the name of a Kubernetes object. Object names can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels.

Validation: - MaxLength: 253 - MinLength: 1

Appears in: - BackendObjectReference - BackendRef - GRPCBackendRef - GatewaySpec - HTTPBackendRef - LocalObjectReference - ObjectReference - ParentReference - SecretObjectReference

ObjectReference

ObjectReference identifies an API object including its namespace.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Appears in: - FrontendTLSValidation

Field Description Default Validation
group Group Group is the group of the referent. For example, "gateway.networking.k8s.io".
When set to the empty string, core API group is inferred.		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the referent. For example "ConfigMap" or "Service". MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. MaxLength: 253
MinLength: 1
namespace Namespace Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

ParametersReference

ParametersReference identifies an API object containing controller-specific configuration resource within the cluster.

Appears in: - GatewayClassSpec

Field Description Default Validation
group Group Group is the group of the referent. MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the referent. MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name string Name is the name of the referent. MaxLength: 253
MinLength: 1
namespace Namespace Namespace is the namespace of the referent.
This field is required when referring to a Namespace-scoped resource and
MUST be unset when referring to a Cluster-scoped resource.		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

ParentReference

ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support:

  • Gateway (Gateway conformance profile)
  • Service (Mesh conformance profile, ClusterIP Services only)

This API may be extended in the future to support additional kinds of parent resources.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

Appears in: - CommonRouteSpec - GRPCRouteSpec - HTTPRouteSpec - RouteParentStatus

Field Description Default Validation
group Group Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core		 gateway.networking.k8s.io MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
Gateway (Gateway conformance profile)
 Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.		 Gateway MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
namespace Namespace Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.

ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.

Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
name ObjectName Name is the name of the referent.
Support: Core		 MaxLength: 253
MinLength: 1
sectionName SectionName SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
 Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
port PortNumber Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set Port unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.

When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.

Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended		 Maximum: 65535
Minimum: 1

PathMatchType

Underlying type: string

PathMatchType specifies the semantics of how HTTP paths should be compared. Valid PathMatchType values, along with their support levels, are:

  • "Exact" - Core
  • "PathPrefix" - Core
  • "RegularExpression" - Implementation Specific

PathPrefix and Exact paths must be syntactically valid:

  • Must begin with the / character
  • Must not contain consecutive / characters (e.g. /foo///, //).

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Validation: - Enum: [Exact PathPrefix RegularExpression]

Appears in: - HTTPPathMatch

Field Description
Exact Matches the URL path exactly and with case sensitivity. This means that
an exact path match on /abc will only match requests to /abc, NOT
/abc/, /Abc, or /abcd.
PathPrefix Matches based on a URL path prefix split by /. Matching is
case-sensitive and done on a path element by element basis. A
path element refers to the list of labels in the path split by
the / separator. When specified, a trailing / is ignored.
For example, the paths /abc, /abc/, and /abc/def would all match
the prefix /abc, but the path /abcd would not.
"PathPrefix" is semantically equivalent to the "Prefix" path type in the
Kubernetes Ingress API.
RegularExpression Matches if the URL path matches the given regular expression with
case sensitivity.
Since "RegularExpression" has implementation-specific conformance,
implementations can support POSIX, PCRE, RE2 or any other regular expression
dialect.
Please read the implementation's documentation to determine the supported
dialect.

PortNumber

Underlying type: integer

PortNumber defines a network port.

Validation: - Maximum: 65535 - Minimum: 1

Appears in: - BackendObjectReference - BackendRef - GRPCBackendRef - HTTPBackendRef - HTTPRequestRedirectFilter - Listener - ParentReference

PreciseHostname

Underlying type: string

PreciseHostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 1 notable exception that numeric IP addresses are not allowed.

Note that as per RFC1035 and RFC1123, a label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed.

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

Appears in: - BackendTLSPolicyValidation - HTTPRequestRedirectFilter - HTTPURLRewriteFilter

ProtocolType

Underlying type: string

ProtocolType defines the application protocol accepted by a Listener. Implementations are not required to accept all the defined protocols. If an implementation does not support a specified protocol, it MUST set the "Accepted" condition to False for the affected Listener with a reason of "UnsupportedProtocol".

Core ProtocolType values are listed in the table below.

Implementations can define their own protocols if a core ProtocolType does not exist. Such definitions must use prefixed name, such as mycompany.com/my-custom-protocol. Un-prefixed names are reserved for core protocols. Any protocol defined by implementations will fall under Implementation-specific conformance.

Valid values include:

  • "HTTP" - Core support
  • "example.com/bar" - Implementation-specific support

Invalid values include:

  • "example.com" - must include path if domain is used
  • "foo.example.com" - must include path if domain is used

Validation: - MaxLength: 255 - MinLength: 1 - Pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$

Appears in: - Listener

Field Description
HTTP Accepts cleartext HTTP/1.1 sessions over TCP. Implementations MAY also
support HTTP/2 over cleartext. If implementations support HTTP/2 over
cleartext on "HTTP" listeners, that MUST be clearly documented by the
implementation.
HTTPS Accepts HTTP/1.1 or HTTP/2 sessions over TLS.
TLS Accepts TLS sessions over TCP.
TCP Accepts TCP sessions.
UDP Accepts UDP packets.

QueryParamMatchType

Underlying type: string

QueryParamMatchType specifies the semantics of how HTTP query parameter values should be compared. Valid QueryParamMatchType values, along with their conformance levels, are:

  • "Exact" - Core
  • "RegularExpression" - Implementation Specific

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Validation: - Enum: [Exact RegularExpression]

Appears in: - HTTPQueryParamMatch

Field Description
Exact
RegularExpression

RouteGroupKind

RouteGroupKind indicates the group and kind of a Route resource.

Appears in: - AllowedRoutes - ListenerStatus

Field Description Default Validation
group Group Group is the group of the Route. gateway.networking.k8s.io MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is the kind of the Route. MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

RouteNamespaces

RouteNamespaces indicate which namespaces Routes should be selected from.

Appears in: - AllowedRoutes

Field Description Default Validation
from FromNamespaces From indicates where Routes will be selected for this Gateway. Possible
values are:
All: Routes in all namespaces may be used by this Gateway.
 Selector: Routes in namespaces selected by the selector may be used by
this Gateway.
* Same: Only Routes in the same namespace may be used by this Gateway.
Support: Core		 Same Enum: [All Selector Same None]
selector LabelSelector Selector must be specified when From is set to "Selector". In that case,
only Routes in Namespaces matching this Selector will be selected by this
Gateway. This field is ignored for other values of "From".
Support: Core

RouteParentStatus

RouteParentStatus describes the status of a route with respect to an associated Parent.

Appears in: - GRPCRouteStatus - HTTPRouteStatus - RouteStatus

Field Description Default Validation
parentRef ParentReference ParentRef corresponds with a ParentRef in the spec that this
RouteParentStatus struct describes the status of.
controllerName GatewayController ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
conditions Condition array Conditions describes the status of the route with respect to the Gateway.
Note that the route's availability is also subject to the Gateway's own
status conditions and listener status.
If the Route's ParentRef specifies an existing Gateway that supports
Routes of this kind AND that Gateway's controller has sufficient access,
then that Gateway's controller MUST set the "Accepted" condition on the
Route, to indicate whether the route has been accepted or rejected by the
Gateway, and why.
A Route MUST be considered "Accepted" if at least one of the Route's
rules is implemented by the Gateway.
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
The Route refers to a nonexistent parent.
 The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to.		 MaxItems: 8
MinItems: 1

RouteStatus

RouteStatus defines the common attributes that all Routes MUST include within their status.

Appears in: - GRPCRouteStatus - HTTPRouteStatus

Field Description Default Validation
parents RouteParentStatus array Parents is a list of parent resources (usually Gateways) that are
associated with the route, and the status of the route with respect to
each parent. When this route attaches to a parent, the controller that
manages the parent must add an entry to this list when the controller
first sees the route and should update the entry as appropriate when the
route or gateway is modified.
Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this API
can only populate Route status for the Gateways/parent resources they are
responsible for.
A maximum of 32 Gateways will be represented in this list. An empty list
means the route has not been attached to any Gateway.		 MaxItems: 32

SecretObjectReference

SecretObjectReference identifies an API object including its namespace, defaulting to Secret.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Appears in: - GatewayBackendTLS - GatewayTLSConfig

Field Description Default Validation
group Group Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the referent. For example "Secret". Secret MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. MaxLength: 253
MinLength: 1
namespace Namespace Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

SectionName

Underlying type: string

SectionName is the name of a section in a Kubernetes resource.

In the following resources, SectionName is interpreted as the following:

  • Gateway: Listener name
  • HTTPRoute: HTTPRouteRule name
  • Service: Port name

Section names can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels.

This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208

Valid values include:

  • "example"
  • "foo-example"
  • "example.com"
  • "foo.example.com"

Invalid values include:

  • "example.com/bar" - "/" is an invalid character

Validation: - MaxLength: 253 - MinLength: 1 - Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

Appears in: - GRPCRouteRule - HTTPRouteRule - Listener - ListenerStatus - ParentReference

SessionPersistence

SessionPersistence defines the desired state of SessionPersistence.

Appears in: - GRPCRouteRule - HTTPRouteRule

Field Description Default Validation
sessionName string SessionName defines the name of the persistent session token
which may be reflected in the cookie or the header. Users
should avoid reusing session names to prevent unintended
consequences, such as rejection or unpredictable behavior.
Support: Implementation-specific		 MaxLength: 128
absoluteTimeout Duration AbsoluteTimeout defines the absolute timeout of the persistent
session. Once the AbsoluteTimeout duration has elapsed, the
session becomes invalid.
Support: Extended		 Pattern: ^([0-9]\{1,5\}(h\|m\|s\|ms))\{1,4\}$
idleTimeout Duration IdleTimeout defines the idle timeout of the persistent session.
Once the session has been idle for more than the specified
IdleTimeout duration, the session becomes invalid.
Support: Extended		 Pattern: ^([0-9]\{1,5\}(h\|m\|s\|ms))\{1,4\}$
type SessionPersistenceType Type defines the type of session persistence such as through
the use a header or cookie. Defaults to cookie based session
persistence.
Support: Core for "Cookie" type
Support: Extended for "Header" type		 Cookie Enum: [Cookie Header]
cookieConfig CookieConfig CookieConfig provides configuration settings that are specific
to cookie-based session persistence.
Support: Core

SessionPersistenceType

Underlying type: string

Validation: - Enum: [Cookie Header]

Appears in: - SessionPersistence

Field Description
Cookie CookieBasedSessionPersistence specifies cookie-based session
persistence.
Support: Core
Header HeaderBasedSessionPersistence specifies header-based session
persistence.
Support: Extended

SupportedFeature

Appears in: - GatewayClassStatus

Field Description Default Validation
name FeatureName

TLSModeType

Underlying type: string

TLSModeType type defines how a Gateway handles TLS sessions.

Validation: - Enum: [Terminate Passthrough]

Appears in: - GatewayTLSConfig

Field Description
Terminate In this mode, TLS session between the downstream client
and the Gateway is terminated at the Gateway.
Passthrough In this mode, the TLS session is NOT terminated by the Gateway. This
implies that the Gateway can't decipher the TLS stream except for
the ClientHello message of the TLS protocol.
Note that SSL passthrough is only supported by TLSRoute.

TrueField

Underlying type: boolean

TrueField is a boolean value that can only be set to true

Validation: - Enum: [true]

Appears in: - HTTPCORSFilter

gateway.networking.k8s.io/v1alpha2

Package v1alpha2 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types

GRPCRoute

Underlying type: GRPCRoute

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1alpha2
kind string GRPCRoute
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec GRPCRouteSpec Spec defines the desired state of GRPCRoute.
status GRPCRouteStatus Status defines the current state of GRPCRoute.

LocalPolicyTargetReference

LocalPolicyTargetReference identifies an API object to apply a direct or inherited policy to. This should be used as part of Policy resources that can target Gateway API resources. For more information on how this policy attachment model works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.

Appears in: - LocalPolicyTargetReferenceWithSectionName

Field Description Default Validation
group Group Group is the group of the target resource. MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the target resource. MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the target resource. MaxLength: 253
MinLength: 1

LocalPolicyTargetReferenceWithSectionName

LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a direct policy to. This should be used as part of Policy resources that can target single resources. For more information on how this policy attachment mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.

Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used.

Appears in: - BackendTLSPolicySpec

Field Description Default Validation
group Group Group is the group of the target resource. MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is kind of the target resource. MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the target resource. MaxLength: 253
MinLength: 1
sectionName SectionName SectionName is the name of a section within the target resource. When
unspecified, this targetRef targets the entire resource. In the following
resources, SectionName is interpreted as the following:
Gateway: Listener name
 HTTPRoute: HTTPRouteRule name
* Service: Port name
If a SectionName is specified, but does not exist on the targeted object,
the Policy must fail to attach, and the policy implementation should record
a ResolvedRefs or similar Condition in the Policy's status.		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

PolicyAncestorStatus

PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor.

Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most useful object to place Policy status on, so we recommend that implementations SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a very good reason otherwise.

In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway.

Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations.

For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status.

Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used.

This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName.

Appears in: - PolicyStatus

Field Description Default Validation
ancestorRef ParentReference AncestorRef corresponds with a ParentRef in the spec that this
PolicyAncestorStatus struct describes the status of.
controllerName GatewayController ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
conditions Condition array Conditions describes the status of the Policy with respect to the given Ancestor. MaxItems: 8
MinItems: 1

PolicyStatus

PolicyStatus defines the common attributes that all Policies should include within their status.

Appears in: - BackendTLSPolicy

Field Description Default Validation
ancestors PolicyAncestorStatus array Ancestors is a list of ancestor resources (usually Gateways) that are
associated with the policy, and the status of the policy with respect to
each ancestor. When this policy attaches to a parent, the controller that
manages the parent and the ancestors MUST add an entry to this list when
the controller first sees the policy and SHOULD update the entry as
appropriate when the relevant ancestor is modified.
Note that choosing the relevant ancestor is left to the Policy designers;
an important part of Policy design is designing the right object level at
which to namespace this status.
Note also that implementations MUST ONLY populate ancestor status for
the Ancestor resources they are responsible for. Implementations MUST
use the ControllerName field to uniquely identify the entries in this list
that they are responsible for.
Note that to achieve this, the list of PolicyAncestorStatus structs
MUST be treated as a map with a composite key, made up of the AncestorRef
and ControllerName fields combined.
A maximum of 16 ancestors will be represented in this list. An empty list
means the Policy is not relevant for any ancestors.
If this slice is full, implementations MUST NOT add further entries.
Instead they MUST consider the policy unimplementable and signal that
on any related resources such as the ancestor that would be referenced
here. For example, if this list was full on BackendTLSPolicy, no
additional Gateways would be able to reference the Service targeted by
the BackendTLSPolicy.		 MaxItems: 16

ReferenceGrant

Underlying type: ReferenceGrant

ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy.

Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within.

A ReferenceGrant is required for all cross-namespace references in Gateway API (with the exception of cross-namespace Route-Gateway attachment, which is governed by the AllowedRoutes configuration on the Gateway, and cross-namespace Service ParentRefs on a "consumer" mesh Route, which defines routing rules applicable only to workloads in the Route namespace). ReferenceGrants allowing a reference from a Route to a Service are only applicable to BackendRefs.

ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1alpha2
kind string ReferenceGrant
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ReferenceGrantSpec Spec defines the desired state of ReferenceGrant.

TCPRoute

TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1alpha2
kind string TCPRoute
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec TCPRouteSpec Spec defines the desired state of TCPRoute.
status TCPRouteStatus Status defines the current state of TCPRoute.

TCPRouteRule

TCPRouteRule is the configuration for a given rule.

Appears in: - TCPRouteSpec

Field Description Default Validation
name SectionName Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
backendRefs BackendRef array BackendRefs defines the backend(s) where matching requests should be
sent. If unspecified or invalid (refers to a nonexistent resource or a
Service with no endpoints), the underlying implementation MUST actively
reject connection attempts to this backend. Connection rejections must
respect weight; if an invalid backend is requested to have 80% of
connections, then 80% of connections must be rejected instead.
Support: Core for Kubernetes Service
Support: Extended for Kubernetes ServiceImport
Support: Implementation-specific for any other resource
Support for weight: Extended		 MaxItems: 16
MinItems: 1

TCPRouteSpec

TCPRouteSpec defines the desired state of TCPRoute

Appears in: - TCPRoute

Field Description Default Validation
rules TCPRouteRule array Rules are a list of TCP matchers and actions.
 MaxItems: 16
MinItems: 1

TCPRouteStatus

TCPRouteStatus defines the observed state of TCPRoute

Appears in: - TCPRoute

TLSRoute

The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener.

If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1alpha2
kind string TLSRoute
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec TLSRouteSpec Spec defines the desired state of TLSRoute.
status TLSRouteStatus Status defines the current state of TLSRoute.

TLSRouteRule

TLSRouteRule is the configuration for a given rule.

Appears in: - TLSRouteSpec

Field Description Default Validation
name SectionName Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
backendRefs BackendRef array BackendRefs defines the backend(s) where matching requests should be
sent. If unspecified or invalid (refers to a nonexistent resource or
a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this
backend, by rejecting the connection or returning a 500 status code.
Request rejections must respect weight; if an invalid backend is
requested to have 80% of requests, then 80% of requests must be rejected
instead.
Support: Core for Kubernetes Service
Support: Extended for Kubernetes ServiceImport
Support: Implementation-specific for any other resource
Support for weight: Extended		 MaxItems: 16
MinItems: 1

TLSRouteSpec

TLSRouteSpec defines the desired state of a TLSRoute resource.

Appears in: - TLSRoute

Field Description Default Validation
hostnames Hostname array Hostnames defines a set of SNI names that should match against the
SNI attribute of TLS ClientHello message in TLS handshake. This matches
the RFC 1123 definition of a hostname with 2 notable exceptions:
1. IPs are not allowed in SNI names per RFC 6066.
2. A hostname may be prefixed with a wildcard label (*.). The wildcard
label must appear by itself as the first label.
If a hostname is specified by both the Listener and TLSRoute, there
must be at least one intersecting hostname for the TLSRoute to be
attached to the Listener. For example:
A Listener with test.example.com as the hostname matches TLSRoutes
that have either not specified any hostnames, or have specified at
least one of test.example.com or *.example.com.
 A Listener with *.example.com as the hostname matches TLSRoutes
that have either not specified any hostnames or have specified at least
one hostname that matches the Listener hostname. For example,
test.example.com and *.example.com would both match. On the other
hand, example.com and test.example.net would not match.
If both the Listener and TLSRoute have specified hostnames, any
TLSRoute hostnames that do not match the Listener hostname MUST be
ignored. For example, if a Listener specified *.example.com, and the
TLSRoute specified test.example.com and test.example.net,
test.example.net must not be considered for a match.
If both the Listener and TLSRoute have specified hostnames, and none
match with the criteria above, then the TLSRoute is not accepted. The
implementation must raise an 'Accepted' Condition with a status of
False in the corresponding RouteParentStatus.
Support: Core		 MaxItems: 16
MaxLength: 253
MinLength: 1
Pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
rules TLSRouteRule array Rules are a list of TLS matchers and actions.
 MaxItems: 16
MinItems: 1

TLSRouteStatus

TLSRouteStatus defines the observed state of TLSRoute

Appears in: - TLSRoute

UDPRoute

UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1alpha2
kind string UDPRoute
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec UDPRouteSpec Spec defines the desired state of UDPRoute.
status UDPRouteStatus Status defines the current state of UDPRoute.

UDPRouteRule

UDPRouteRule is the configuration for a given rule.

Appears in: - UDPRouteSpec

Field Description Default Validation
name SectionName Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
backendRefs BackendRef array BackendRefs defines the backend(s) where matching requests should be
sent. If unspecified or invalid (refers to a nonexistent resource or a
Service with no endpoints), the underlying implementation MUST actively
reject connection attempts to this backend. Packet drops must
respect weight; if an invalid backend is requested to have 80% of
the packets, then 80% of packets must be dropped instead.
Support: Core for Kubernetes Service
Support: Extended for Kubernetes ServiceImport
Support: Implementation-specific for any other resource
Support for weight: Extended		 MaxItems: 16
MinItems: 1

UDPRouteSpec

UDPRouteSpec defines the desired state of UDPRoute.

Appears in: - UDPRoute

Field Description Default Validation
rules UDPRouteRule array Rules are a list of UDP matchers and actions.
 MaxItems: 16
MinItems: 1

UDPRouteStatus

UDPRouteStatus defines the observed state of UDPRoute.

Appears in: - UDPRoute

gateway.networking.k8s.io/v1alpha3

Package v1alpha3 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types

BackendTLSPolicy

BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1alpha3
kind string BackendTLSPolicy
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec BackendTLSPolicySpec Spec defines the desired state of BackendTLSPolicy.
status PolicyStatus Status defines the current state of BackendTLSPolicy.

BackendTLSPolicySpec

BackendTLSPolicySpec defines the desired state of BackendTLSPolicy.

Support: Extended

Appears in: - BackendTLSPolicy

Field Description Default Validation
targetRefs LocalPolicyTargetReferenceWithSectionName array TargetRefs identifies an API object to apply the policy to.
Only Services have Extended support. Implementations MAY support
additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
TargetRefs must be distinct. This means either that:
They select different targets. If this is the case, then targetRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by group, kind, and name must
be unique across all targetRef entries in the BackendTLSPolicy.
 They select different sectionNames in the same target.
Support: Extended for Kubernetes Service
Support: Implementation-specific for any other resource		 MaxItems: 16
MinItems: 1
validation BackendTLSPolicyValidation Validation contains backend TLS validation configuration.
options object (keys:AnnotationKey, values:AnnotationValue) Options are a list of key/value pairs to enable extended TLS
configuration for each implementation. For example, configuring the
minimum TLS version or supported cipher suites.
A set of common keys MAY be defined by the API in the future. To avoid
any ambiguity, implementation-specific definitions MUST use
domain-prefixed names, such as example.com/my-custom-option.
Un-prefixed names are reserved for key names defined by Gateway API.
Support: Implementation-specific		 MaxProperties: 16

BackendTLSPolicyValidation

BackendTLSPolicyValidation contains backend TLS validation configuration.

Appears in: - BackendTLSPolicySpec

Field Description Default Validation
caCertificateRefs LocalObjectReference array CACertificateRefs contains one or more references to Kubernetes objects that
contain a PEM-encoded TLS CA certificate bundle, which is used to
validate a TLS handshake between the Gateway and backend Pod.
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
not both. If CACertificateRefs is empty or unspecified, the configuration for
WellKnownCACertificates MUST be honored instead if supported by the implementation.
References to a resource in a different namespace are invalid for the
moment, although we will revisit this in the future.
A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
Implementations MAY choose to support attaching multiple certificates to
a backend, but this behavior is implementation-specific.
Support: Core - An optional single reference to a Kubernetes ConfigMap,
with the CA certificate in a key named ca.crt.
Support: Implementation-specific (More than one reference, or other kinds
of resources).		 MaxItems: 8
wellKnownCACertificates WellKnownCACertificatesType WellKnownCACertificates specifies whether system CA certificates may be used in
the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
CACertificateRefs or WellKnownCACertificates may be specified, not both. If an
implementation does not support the WellKnownCACertificates field or the value
supplied is not supported, the Status Conditions on the Policy MUST be
updated to include an Accepted: False Condition with Reason: Invalid.
Support: Implementation-specific		 Enum: [System]
hostname PreciseHostname Hostname is used for two purposes in the connection between Gateways and
backends:
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified.
authentication and MUST match the certificate served by the matching
backend.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
subjectAltNames SubjectAltName array SubjectAltNames contains one or more Subject Alternative Names.
When specified the certificate served from the backend MUST
have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
Support: Extended		 MaxItems: 5

SubjectAltName

SubjectAltName represents Subject Alternative Name.

Appears in: - BackendTLSPolicyValidation

Field Description Default Validation
type SubjectAltNameType Type determines the format of the Subject Alternative Name. Always required.
Support: Core		 Enum: [Hostname URI]
hostname Hostname Hostname contains Subject Alternative Name specified in DNS name format.
Required when Type is set to Hostname, ignored otherwise.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
uri AbsoluteURI URI contains Subject Alternative Name specified in a full URI format.
It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
Required when Type is set to URI, ignored otherwise.
Support: Core		 MaxLength: 253
MinLength: 1
Pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?

SubjectAltNameType

Underlying type: string

SubjectAltNameType is the type of the Subject Alternative Name.

Validation: - Enum: [Hostname URI]

Appears in: - SubjectAltName

Field Description
Hostname HostnameSubjectAltNameType specifies hostname-based SAN.
Support: Core
URI URISubjectAltNameType specifies URI-based SAN, e.g. SPIFFE id.
Support: Core

WellKnownCACertificatesType

Underlying type: string

WellKnownCACertificatesType is the type of CA certificate that will be used when the caCertificateRefs field is unspecified.

Validation: - Enum: [System]

Appears in: - BackendTLSPolicyValidation

Field Description
System WellKnownCACertificatesSystem indicates that well known system CA certificates should be used.

gateway.networking.k8s.io/v1beta1

Package v1beta1 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types

Gateway

Underlying type: Gateway

Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1beta1
kind string Gateway
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec GatewaySpec Spec defines the desired state of Gateway.
status GatewayStatus Status defines the current state of Gateway. { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed]] }

GatewayClass

Underlying type: GatewayClass

GatewayClass describes a class of Gateways available to the user for creating Gateway resources.

It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation.

Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the gateway-exists-finalizer.gateway.networking.k8s.io finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use.

GatewayClass is a Cluster level resource.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1beta1
kind string GatewayClass
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec GatewayClassSpec Spec defines the desired state of GatewayClass.
status GatewayClassStatus Status defines the current state of GatewayClass.
Implementations MUST populate status on all GatewayClass resources which
specify their controller name.		 { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted]] }

HTTPRoute

Underlying type: HTTPRoute

HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1beta1
kind string HTTPRoute
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec HTTPRouteSpec Spec defines the desired state of HTTPRoute.
status HTTPRouteStatus Status defines the current state of HTTPRoute.

ReferenceGrant

ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy.

Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within.

All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant.

ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed.

Appears in: - ReferenceGrant

Field Description Default Validation
apiVersion string gateway.networking.k8s.io/v1beta1
kind string ReferenceGrant
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ReferenceGrantSpec Spec defines the desired state of ReferenceGrant.

ReferenceGrantFrom

ReferenceGrantFrom describes trusted namespaces and kinds.

Appears in: - ReferenceGrantSpec

Field Description Default Validation
group Group Group is the group of the referent.
When empty, the Kubernetes core API group is inferred.
Support: Core		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is the kind of the referent. Although implementations may support
additional resources, the following types are part of the "Core"
support level for this field.
When used to permit a SecretObjectReference:
Gateway
When used to permit a BackendObjectReference:
 GRPCRoute
HTTPRoute
 TCPRoute
TLSRoute
 UDPRoute		 MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
namespace Namespace Namespace is the namespace of the referent.
Support: Core		 MaxLength: 63
MinLength: 1
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

ReferenceGrantSpec

ReferenceGrantSpec identifies a cross namespace relationship that is trusted for Gateway API.

Appears in: - ReferenceGrant

Field Description Default Validation
from ReferenceGrantFrom array From describes the trusted namespaces and kinds that can reference the
resources described in "To". Each entry in this list MUST be considered
to be an additional place that references can be valid from, or to put
this another way, entries MUST be combined using OR.
Support: Core		 MaxItems: 16
MinItems: 1
to ReferenceGrantTo array To describes the resources that may be referenced by the resources
described in "From". Each entry in this list MUST be considered to be an
additional place that references can be valid to, or to put this another
way, entries MUST be combined using OR.
Support: Core		 MaxItems: 16
MinItems: 1

ReferenceGrantTo

ReferenceGrantTo describes what Kinds are allowed as targets of the references.

Appears in: - ReferenceGrantSpec

Field Description Default Validation
group Group Group is the group of the referent.
When empty, the Kubernetes core API group is inferred.
Support: Core		 MaxLength: 253
Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind Kind Kind is the kind of the referent. Although implementations may support
additional resources, the following types are part of the "Core"
support level for this field:
Secret when used to permit a SecretObjectReference
 Service when used to permit a BackendObjectReference		 MaxLength: 63
MinLength: 1
Pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name ObjectName Name is the name of the referent. When unspecified, this policy
refers to all resources of the specified Group and Kind in the local
namespace.		 MaxLength: 253
MinLength: 1