Skip to content

API Specification

This page contains the API field specification for Gateway API.

Packages:

gateway.networking.k8s.io/v1

Package v1 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types:

GRPCRoute

GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed.

GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word “MUST” indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated.

Implementations supporting GRPCRoute with the HTTPS ProtocolType MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the “Accepted” condition to “False” for the affected listener with a reason of “UnsupportedProtocol”. Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1.

Implementations supporting GRPCRoute with the HTTP ProtocolType MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the “Accepted” condition to “False” for the affected listener with a reason of “UnsupportedProtocol”. Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1
kind
string
GRPCRoute
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GRPCRouteSpec

Spec defines the desired state of GRPCRoute.



CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label MUST appear by itself as the first label.

If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, test.example.com and *.example.com would both match. On the other hand, example.com and test.example.net would not match.

Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com.

If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the GRPCRoute specified test.example.com and test.example.net, test.example.net MUST NOT be considered for a match.

If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order:

  • The oldest Route based on creation timestamp.
  • The Route appearing first in alphabetical order by “{namespace}/{name}”.

The rejected Route MUST raise an ‘Accepted’ condition with a status of ‘False’ in the corresponding RouteParentStatus.

Support: Core

rules
[]GRPCRouteRule
(Optional)

Rules are a list of GRPC matchers, filters and actions.

status
GRPCRouteStatus

Status defines the current state of GRPCRoute.

Gateway

Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1
kind
string
Gateway
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GatewaySpec

Spec defines the desired state of Gateway.



gatewayClassName
ObjectName

GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.

listeners
[]Listener

Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway’s addresses. At least one Listener MUST be specified.

Distinct Listeners

Each Listener in a set of Listeners (for example, in a single Gateway) MUST be distinct, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses “set of Listeners” rather than “Listeners in a single Gateway” because implementations MAY merge configuration from multiple Gateways onto a single data plane, and these rules also apply in that case).

Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname.

Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on the objects they support:

HTTPRoute

  1. HTTPRoute, Port: 80, Protocol: HTTP
  2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided

TLSRoute

  1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough

“Distinct” Listeners have the following property:

The implementation can match inbound requests to a single distinct Listener.

When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields.

When multiple listeners have the same value for the Protocol field, then each of the Listeners with matching Protocol values MUST have different values for other fields.

The set of fields that MUST be different for a Listener differs per protocol. The following rules define the rules for what fields MUST be considered for Listeners to be distinct with each protocol currently defined in the Gateway API spec.

The set of listeners that all share a protocol value MUST have different values for at least one of these fields to be distinct:

  • HTTP, HTTPS, TLS: Port, Hostname
  • TCP, UDP: Port

One very important rule to call out involves what happens when an implementation:

  • Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol Listeners, and
  • sees HTTP, HTTPS, or TLS protocols with the same port as one with TCP Protocol.

In this case all the Listeners that share a port with the TCP Listener are not distinct and so MUST NOT be accepted.

If an implementation does not support TCP Protocol Listeners, then the previous rule does not apply, and the TCP Listeners SHOULD NOT be accepted.

Note that the tls field is not used for determining if a listener is distinct, because Listeners that only differ on TLS config will still conflict in all cases.

Listeners that are distinct only by Hostname

When the Listeners are distinct based only on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes.

Exact matches MUST be processed before wildcard matches, and wildcard matches MUST be processed before fallback (empty Hostname value) matches. For example, "foo.example.com" takes precedence over "*.example.com", and "*.example.com" takes precedence over "".

Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, "*.foo.example.com" takes precedence over "*.example.com".

The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence.

The wildcard character will match any number of characters and dots to the left, however, so "*.example.com" will match both "foo.bar.example.com" and "bar.example.com".

Handling indistinct Listeners

If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the “Conflicted” condition in the Listener Status to “True”.

The words “indistict” and “conflicted” are considered equivalent for the purpose of this documentation.

Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners.

Specifically, an implementation MAY accept a partial Listener set subject to the following rules:

  • The implementation MUST NOT pick one conflicting Listener as the winner. ALL indistinct Listeners must not be accepted for processing.
  • At least one distinct Listener MUST be present, or else the Gateway effectively contains no Listeners, and must be rejected from processing as a whole.

The implementation MUST set a “ListenersNotValid” condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly indicate in the Message which Listeners are conflicted, and which are Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted.

General Listener behavior

Note that, for all distinct Listeners, requests SHOULD match at most one Listener. For example, if Listeners are defined for “foo.example.com” and “.example.com”, a request to “foo.example.com” SHOULD only be routed using routes attached to the “foo.example.com” Listener (and not the “.example.com” Listener).

This concept is known as “Listener Isolation”, and it is an Extended feature of Gateway API. Implementations that do not support Listener Isolation MUST clearly document this, and MUST NOT claim support for the GatewayHTTPListenerIsolation feature.

Implementations that do support Listener Isolation SHOULD claim support for the Extended GatewayHTTPListenerIsolation feature and pass the associated conformance tests.

Compatible Listeners

A Gateway’s Listeners are considered compatible if:

  1. They are distinct.
  2. The implementation can serve them in compliance with the Addresses requirement that all Listeners are available on all assigned addresses.

Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another.

For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct.

Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible.

Support: Core

addresses
[]GatewayAddress
(Optional)

Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses.

The Addresses field represents a request for the address(es) on the “outside of the Gateway”, that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to.

If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses.

The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses.

Support: Extended

gateway:validateIPAddress

infrastructure
GatewayInfrastructure
(Optional)

Infrastructure defines infrastructure level attributes about this Gateway instance.

Support: Extended

backendTLS
GatewayBackendTLS
(Optional)

BackendTLS configures TLS settings for when this Gateway is connecting to backends with TLS.

Support: Core

gateway:experimental

status
GatewayStatus

Status defines the current state of Gateway.

GatewayClass

GatewayClass describes a class of Gateways available to the user for creating Gateway resources.

It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation.

Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the gateway-exists-finalizer.gateway.networking.k8s.io finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use.

GatewayClass is a Cluster level resource.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1
kind
string
GatewayClass
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GatewayClassSpec

Spec defines the desired state of GatewayClass.



controllerName
GatewayController

ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path.

Example: “example.net/gateway-controller”.

This field is not mutable and cannot be empty.

Support: Core

parametersRef
ParametersReference
(Optional)

ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration.

ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped.

If the referent cannot be found, refers to an unsupported kind, or when the data within that resource is malformed, the GatewayClass SHOULD be rejected with the “Accepted” status condition set to “False” and an “InvalidParameters” reason.

A Gateway for this GatewayClass may provide its own parametersRef. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.

Support: Implementation-specific

description
string
(Optional)

Description helps describe a GatewayClass with more details.

status
GatewayClassStatus

Status defines the current state of GatewayClass.

Implementations MUST populate status on all GatewayClass resources which specify their controller name.

HTTPRoute

HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1
kind
string
HTTPRoute
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
HTTPRouteSpec

Spec defines the desired state of HTTPRoute.



CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPRoute used to process the request. Implementations MUST ignore any port value specified in the HTTP Host header while performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend.

Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label must appear by itself as the first label.

If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, *.example.com, test.example.com, and foo.test.example.com would all match. On the other hand, example.com and test.example.net would not match.

Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com.

If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the HTTPRoute specified test.example.com and test.example.net, test.example.net must not be considered for a match.

If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of:

  • Characters in a matching non-wildcard hostname.
  • Characters in a matching hostname.

If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over.

Support: Core

rules
[]HTTPRouteRule
(Optional)

Rules are a list of HTTP matchers, filters and actions.

status
HTTPRouteStatus

Status defines the current state of HTTPRoute.

AbsoluteURI (string alias)

(Appears on: SubjectAltName)

The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The AbsoluteURI MUST include both a scheme (e.g., “http” or “spiffe”) and a scheme-specific-part. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. gateway:util:excludeFromCRD The below regex is taken from the regex section in RFC 3986 with a slight modification to enforce a full URI and not relative. /gateway:util:excludeFromCRD

AddressType (string alias)

(Appears on: GatewayAddress, GatewayStatusAddress)

AddressType defines how a network address is represented as a text string. This may take two possible forms:

  • A predefined CamelCase string identifier (currently limited to IPAddress or Hostname)
  • A domain-prefixed string identifier (like acme.io/CustomAddressType)

Values IPAddress and Hostname have Extended support.

The NamedAddress value has been deprecated in favor of implementation specific domain-prefixed strings.

All other values, including domain-prefixed values have Implementation-specific support, which are used in implementation-specific behaviors. Support for additional predefined CamelCase identifiers may be added in future releases.

Value Description

"Hostname"

A Hostname represents a DNS based ingress point. This is similar to the corresponding hostname field in Kubernetes load balancer status. For example, this concept may be used for cloud load balancers where a DNS name is used to expose a load balancer.

Support: Extended

"IPAddress"

A textual representation of a numeric IP address. IPv4 addresses must be in dotted-decimal form. IPv6 addresses must be in a standard IPv6 text representation (see RFC 5952).

This type is intended for specific addresses. Address ranges are not supported (e.g. you can not use a CIDR range like 127.0.0.0/24 as an IPAddress).

Support: Extended

"NamedAddress"

A NamedAddress provides a way to reference a specific IP address by name. For example, this may be a name or other unique identifier that refers to a resource on a cloud provider such as a static IP.

The NamedAddress type has been deprecated in favor of implementation specific domain-prefixed strings.

Support: Implementation-specific

AllowedRoutes

(Appears on: Listener)

AllowedRoutes defines which Routes may be attached to this Listener.

Field Description
namespaces
RouteNamespaces
(Optional)

Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default.

Support: Core

kinds
[]RouteGroupKind
(Optional)

Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol.

A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener’s Protocol field. If an implementation does not support or recognize this resource type, it MUST set the “ResolvedRefs” condition to False for this Listener with the “InvalidRouteKinds” reason.

Support: Core

AnnotationKey (string alias)

AnnotationKey is the key of an annotation in Gateway API. This is used for validation of maps such as TLS options. This matches the Kubernetes “qualified name” validation that is used for annotations and other common values.

Valid values include:

  • example
  • example.com
  • example.com/path
  • example.com/path.html

Invalid values include:

  • example~ - “~” is an invalid character
  • example.com. - can not start or end with “.”

AnnotationValue (string alias)

(Appears on: GatewayInfrastructure, GatewayTLSConfig, BackendTLSPolicySpec)

AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct.

BackendObjectReference

(Appears on: BackendRef, HTTPRequestMirrorFilter)

BackendObjectReference defines how an ObjectReference that is specific to BackendRef. It includes a few additional fields and features than a regular ObjectReference.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Field Description
group
Group
(Optional)

Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred.

kind
Kind
(Optional)

Kind is the Kubernetes resource kind of the referent. For example “Service”.

Defaults to “Service” when not specified.

ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName)

name
ObjectName

Name is the name of the referent.

namespace
Namespace
(Optional)

Namespace is the namespace of the backend. When unspecified, the local namespace is inferred.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.

Support: Core

port
PortNumber
(Optional)

Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.

BackendRef

(Appears on: GRPCBackendRef, HTTPBackendRef, TCPRouteRule, TLSRouteRule, UDPRouteRule)

BackendRef defines how a Route should forward a request to a Kubernetes resource.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.

Field Description
BackendObjectReference
BackendObjectReference

(Members of BackendObjectReference are embedded into this type.)

BackendObjectReference references a Kubernetes object.

weight
int32
(Optional)

Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100.

If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1.

Support for this field varies based on the context where used.

CommonRouteSpec

(Appears on: GRPCRouteSpec, HTTPRouteSpec, TCPRouteSpec, TLSRouteSpec, UDPRouteSpec)

CommonRouteSpec defines the common attributes that all Routes MUST include within their spec.

Field Description
parentRefs
[]ParentReference
(Optional)

ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. For Services, that means the Service must either be in the same namespace for a “producer” route, or the mesh implementation must support and allow “consumer” routes for the referenced Service. ReferenceGrant is not applicable for governing ParentRefs to Services - it is not possible to create a “producer” route for a Service in a different namespace from the Route.

There are two kinds of parent resources with “Core” support:

  • Gateway (Gateway conformance profile)
  • Service (Mesh conformance profile, ClusterIP Services only)

This API may be extended in the future to support additional kinds of parent resources.

ParentRefs must be distinct. This means either that:

  • They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by group, kind, namespace, and name must be unique across all parentRef entries in the Route.
  • They do not select different objects, but for each optional field used, each ParentRef that selects the same object must set the same set of optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination.

Some examples:

  • If one ParentRef sets sectionName, all ParentRefs referencing the same object must also set sectionName.
  • If one ParentRef sets port, all ParentRefs referencing the same object must also set port.
  • If one ParentRef sets sectionName and port, all ParentRefs referencing the same object must also set sectionName and port.

It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged.

Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable other kinds of cross-namespace reference.

gateway:experimental:description ParentRefs from a Route to a Service in the same namespace are “producer” routes, which apply default routing rules to inbound connections from any namespace to the Service.

ParentRefs from a Route to a Service in a different namespace are “consumer” routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. /gateway:experimental:description

CookieConfig

(Appears on: SessionPersistence)

CookieConfig defines the configuration for cookie-based session persistence.

Field Description
lifetimeType
CookieLifetimeType
(Optional)

LifetimeType specifies whether the cookie has a permanent or session-based lifetime. A permanent cookie persists until its specified expiry time, defined by the Expires or Max-Age cookie attributes, while a session cookie is deleted when the current session ends.

When set to “Permanent”, AbsoluteTimeout indicates the cookie’s lifetime via the Expires or Max-Age cookie attributes and is required.

When set to “Session”, AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional.

Support: Core for “Session” type

Support: Extended for “Permanent” type

CookieLifetimeType (string alias)

(Appears on: CookieConfig)

Value Description

"Permanent"

PermanentCookieLifetimeType specifies the type for a permanent cookie.

Support: Extended

"Session"

SessionCookieLifetimeType specifies the type for a session cookie.

Support: Core

Duration (string alias)

(Appears on: HTTPRouteRetry, HTTPRouteTimeouts, SessionPersistence)

Duration is a string value representing a duration in time. The format is as specified in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.

FeatureName (string alias)

(Appears on: SupportedFeature)

FeatureName is used to describe distinct features that are covered by conformance tests.

Fraction

(Appears on: HTTPRequestMirrorFilter)

Field Description
numerator
int32
denominator
int32
(Optional)

FromNamespaces (string alias)

(Appears on: RouteNamespaces)

FromNamespaces specifies namespace from which Routes may be attached to a Gateway.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Ready Condition for the Listener to status: False, with a Reason of Invalid.

Value Description

"All"

Routes in all namespaces may be attached to this Gateway.

"Same"

Only Routes in the same namespace as the Gateway may be attached to this Gateway.

"Selector"

Only Routes in namespaces selected by the selector may be attached to this Gateway.

FrontendTLSValidation

(Appears on: GatewayTLSConfig)

FrontendTLSValidation holds configuration information that can be used to validate the frontend initiating the TLS connection

Field Description
caCertificateRefs
[]ObjectReference

CACertificateRefs contains one or more references to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client.

A single CA certificate reference to a Kubernetes ConfigMap has “Core” support. Implementations MAY choose to support attaching multiple CA certificates to a Listener, but this behavior is implementation-specific.

Support: Core - A single reference to a Kubernetes ConfigMap with the CA certificate in a key named ca.crt.

Support: Implementation-specific (More than one reference, or other kinds of resources).

References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason.

GRPCBackendRef

(Appears on: GRPCRouteRule)

GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.

gateway:experimental:description

When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port.

Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726.

If a Service appProtocol isn’t specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service.

If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the “ResolvedRefs” condition to “False” with the “UnsupportedProtocol” reason.

/gateway:experimental:description

Field Description
BackendRef
BackendRef

(Members of BackendRef are embedded into this type.)

(Optional)

BackendRef is a reference to a backend to forward matched requests to.

A BackendRef can be invalid for the following reasons. In all cases, the implementation MUST ensure the ResolvedRefs Condition on the Route is set to status: False, with a Reason and Message that indicate what is the cause of the error.

A BackendRef is invalid if:

  • It refers to an unknown or unsupported kind of resource. In this case, the Reason MUST be set to InvalidKind and Message of the Condition MUST explain which kind of resource is unknown or unsupported.

  • It refers to a resource that does not exist. In this case, the Reason MUST be set to BackendNotFound and the Message of the Condition MUST explain which resource does not exist.

  • It refers a resource in another namespace when the reference has not been explicitly allowed by a ReferenceGrant (or equivalent concept). In this case, the Reason MUST be set to RefNotPermitted and the Message of the Condition MUST explain which cross-namespace reference is not allowed.

Support: Core for Kubernetes Service

Support: Extended for Kubernetes ServiceImport

Support: Implementation-specific for any other resource

Support for weight: Core

filters
[]GRPCRouteFilter
(Optional)

Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here.

Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)

GRPCHeaderMatch

(Appears on: GRPCRouteMatch)

GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers.

Field Description
type
GRPCHeaderMatchType
(Optional)

Type specifies how to match against the value of the header.

name
GRPCHeaderName

Name is the name of the gRPC Header to be matched.

If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent.

value
string

Value is the value of the gRPC Header to be matched.

GRPCHeaderMatchType (string alias)

(Appears on: GRPCHeaderMatch)

GRPCHeaderMatchType specifies the semantics of how GRPC header values should be compared. Valid GRPCHeaderMatchType values, along with their conformance levels, are:

  • “Exact” - Core
  • “RegularExpression” - Implementation Specific

Note that new values may be added to this enum in future releases of the API, implementations MUST ensure that unknown values will not cause a crash.

Unknown values here MUST result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Value Description

"Exact"

"RegularExpression"

GRPCHeaderName (string alias)

(Appears on: GRPCHeaderMatch)

GRPCMethodMatch

(Appears on: GRPCRouteMatch)

GRPCMethodMatch describes how to select a gRPC route by matching the gRPC request service and/or method.

At least one of Service and Method MUST be a non-empty string.

Field Description
type
GRPCMethodMatchType
(Optional)

Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified)

Support: Implementation-specific (Exact with method specified but no service specified)

Support: Implementation-specific (RegularExpression)

service
string
(Optional)

Value of the service to match against. If left empty or omitted, will match any service.

At least one of Service and Method MUST be a non-empty string.

method
string
(Optional)

Value of the method to match against. If left empty or omitted, will match all services.

At least one of Service and Method MUST be a non-empty string.

GRPCMethodMatchType (string alias)

(Appears on: GRPCMethodMatch)

MethodMatchType specifies the semantics of how gRPC methods and services are compared. Valid MethodMatchType values, along with their conformance levels, are:

  • “Exact” - Core
  • “RegularExpression” - Implementation Specific

Exact methods MUST be syntactically valid:

  • Must not contain / character

Value Description

"Exact"

Matches the method or service exactly and with case sensitivity.

"RegularExpression"

Matches if the method or service matches the given regular expression with case sensitivity.

Since "RegularExpression" has implementation-specific conformance, implementations can support POSIX, PCRE, RE2 or any other regular expression dialect. Please read the implementation’s documentation to determine the supported dialect.

GRPCRouteFilter

(Appears on: GRPCBackendRef, GRPCRouteRule)

GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.

Field Description
type
GRPCRouteFilterType

Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels:

  • Core: Filter types and their corresponding configuration defined by “Support: Core” in this package, e.g. “RequestHeaderModifier”. All implementations supporting GRPCRoute MUST support core filters.

  • Extended: Filter types and their corresponding configuration defined by “Support: Extended” in this package, e.g. “RequestMirror”. Implementers are encouraged to support extended filters.

  • Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. Type MUST be set to “ExtensionRef” for custom filters.

Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior.

If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response.

gateway:experimental:validation:Enum=ResponseHeaderModifier;RequestHeaderModifier;RequestMirror;ExtensionRef

requestHeaderModifier
HTTPHeaderFilter
(Optional)

RequestHeaderModifier defines a schema for a filter that modifies request headers.

Support: Core

responseHeaderModifier
HTTPHeaderFilter
(Optional)

ResponseHeaderModifier defines a schema for a filter that modifies response headers.

Support: Extended

requestMirror
HTTPRequestMirrorFilter
(Optional)

RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored.

This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends.

Support: Extended

extensionRef
LocalObjectReference
(Optional)

ExtensionRef is an optional, implementation-specific extension to the “filter” behavior. For example, resource “myroutefilter” in group “networking.example.net”). ExtensionRef MUST NOT be used for core and extended filters.

Support: Implementation-specific

This filter can be used multiple times within the same rule.

GRPCRouteFilterType (string alias)

(Appears on: GRPCRouteFilter)

GRPCRouteFilterType identifies a type of GRPCRoute filter.

Value Description

"ExtensionRef"

GRPCRouteFilterExtensionRef should be used for configuring custom gRPC filters.

Support in GRPCRouteRule: Implementation-specific

Support in GRPCBackendRef: Implementation-specific

"RequestHeaderModifier"

GRPCRouteFilterRequestHeaderModifier can be used to add or remove a gRPC header from a gRPC request before it is sent to the upstream target.

Support in GRPCRouteRule: Core

Support in GRPCBackendRef: Extended

"RequestMirror"

GRPCRouteFilterRequestMirror can be used to mirror gRPC requests to a different backend. The responses from this backend MUST be ignored by the Gateway.

Support in GRPCRouteRule: Extended

Support in GRPCBackendRef: Extended

"ResponseHeaderModifier"

GRPCRouteFilterRequestHeaderModifier can be used to add or remove a gRPC header from a gRPC response before it is sent to the client.

Support in GRPCRouteRule: Core

Support in GRPCBackendRef: Extended

GRPCRouteMatch

(Appears on: GRPCRouteRule)

GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied.

For example, the match below will match a gRPC request only if its service is foo AND it contains the version: v1 header:

matches:
- method:
type: Exact
service: "foo"
headers:
- name: "version"
value "v1"

Field Description
method
GRPCMethodMatch
(Optional)

Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match.

headers
[]GRPCHeaderMatch
(Optional)

Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route.

GRPCRouteRule

(Appears on: GRPCRouteSpec)

GRPCRouteRule defines the semantics for matching a gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).

Field Description
name
SectionName
(Optional)

Name is the name of the route rule. This name MUST be unique within a Route if it is set.

Support: Extended gateway:experimental

matches
[]GRPCRouteMatch
(Optional)

Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied.

For example, take the following matches configuration:

matches:
- method:
service: foo.bar
headers:
values:
version: 2
- method:
service: foo.bar.v2

For a request to match against this rule, it MUST satisfy EITHER of the two conditions:

  • service of foo.bar AND contains the header version: 2
  • service of foo.bar.v2

See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together.

If no matches are specified, the implementation MUST match every gRPC request.

Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of:

  • Characters in a matching non-wildcard hostname.
  • Characters in a matching hostname.
  • Characters in a matching service.
  • Characters in a matching method.
  • Header matches.

If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties:

  • The oldest Route based on creation timestamp.
  • The Route appearing first in alphabetical order by “{namespace}/{name}”.

If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria.

filters
[]GRPCRouteFilter
(Optional)

Filters define the filters that are applied to requests that match this rule.

The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage.

Conformance-levels at this level are defined based on the type of filter:

  • ALL core filters MUST be supported by all implementations that support GRPCRoute.
  • Implementers are encouraged to support extended filters.
  • Implementation-specific custom filters have no API guarantees across implementations.

Specifying the same filter multiple times is not supported unless explicitly indicated in the filter.

If an implementation can not support a combination of filters, it must clearly document that limitation. In cases where incompatible or unsupported filters are specified and cause the Accepted condition to be set to status False, implementations may use the IncompatibleFilters reason to specify this configuration error.

Support: Core

backendRefs
[]GRPCBackendRef
(Optional)

BackendRefs defines the backend(s) where matching requests should be sent.

Failure behavior here depends on how many BackendRefs are specified and how many are invalid.

If all entries in BackendRefs are invalid, and there are also no filters specified in this route rule, all traffic which matches this rule MUST receive an UNAVAILABLE status.

See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid.

When a GRPCBackendRef is invalid, UNAVAILABLE statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an UNAVAILABLE status.

For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an UNAVAILABLE status. Implementations may choose how that 50 percent is determined.

Support: Core for Kubernetes Service

Support: Implementation-specific for any other resource

Support for weight: Core

sessionPersistence
SessionPersistence
(Optional)

SessionPersistence defines and configures session persistence for the route rule.

Support: Extended

gateway:experimental

GRPCRouteSpec

(Appears on: GRPCRoute, GRPCRoute)

GRPCRouteSpec defines the desired state of GRPCRoute

Field Description
CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label MUST appear by itself as the first label.

If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, test.example.com and *.example.com would both match. On the other hand, example.com and test.example.net would not match.

Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com.

If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the GRPCRoute specified test.example.com and test.example.net, test.example.net MUST NOT be considered for a match.

If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order:

  • The oldest Route based on creation timestamp.
  • The Route appearing first in alphabetical order by “{namespace}/{name}”.

The rejected Route MUST raise an ‘Accepted’ condition with a status of ‘False’ in the corresponding RouteParentStatus.

Support: Core

rules
[]GRPCRouteRule
(Optional)

Rules are a list of GRPC matchers, filters and actions.

GRPCRouteStatus

(Appears on: GRPCRoute, GRPCRoute)

GRPCRouteStatus defines the observed state of GRPCRoute.

Field Description
RouteStatus
RouteStatus

(Members of RouteStatus are embedded into this type.)

GatewayAddress

(Appears on: GatewaySpec)

GatewayAddress describes an address that can be bound to a Gateway.

Field Description
type
AddressType
(Optional)

Type of the address.

value
string

Value of the address. The validity of the values will depend on the type and support by the controller.

Examples: 1.2.3.4, 128::1, my-ip-address.

GatewayBackendTLS

(Appears on: GatewaySpec)

GatewayBackendTLS describes backend TLS configuration for gateway.

Field Description
clientCertificateRef
SecretObjectReference
(Optional)

ClientCertificateRef is a reference to an object that contains a Client Certificate and the associated private key.

References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason.

ClientCertificateRef can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources.

This setting can be overridden on the service level by use of BackendTLSPolicy.

Support: Core

gateway:experimental

GatewayClassConditionReason (string alias)

GatewayClassConditionReason defines the set of reasons that explain why a particular GatewayClass condition type has been raised.

Value Description

"Accepted"

This reason is used with the “Accepted” condition when the condition is true.

"InvalidParameters"

This reason is used with the “Accepted” condition when the GatewayClass was not accepted because the parametersRef field refers to a nonexistent or unsupported resource or kind, or when the data within that resource is malformed.

"Pending"

This reason is used with the “Accepted” condition when the requested controller has not yet made a decision about whether to admit the GatewayClass. It is the default Reason on a new GatewayClass.

"SupportedVersion"

This reason is used with the “SupportedVersion” condition when the condition is true.

"Unsupported"

This reason is used with the “Accepted” condition when the GatewayClass was not accepted because the implementation does not support a user-defined GatewayClass.

"UnsupportedVersion"

This reason is used with the “SupportedVersion” or “Accepted” condition when the condition is false. A message SHOULD be included in this condition that includes the detected CRD version(s) present in the cluster and the CRD version(s) that are supported by the GatewayClass.

"Waiting"

Deprecated: Use “Pending” instead.

GatewayClassConditionType (string alias)

GatewayClassConditionType is the type for status conditions on Gateway resources. This type should be used with the GatewayClassStatus.Conditions field.

Value Description

"Accepted"

This condition indicates whether the GatewayClass has been accepted by the controller requested in the spec.controller field.

This condition defaults to Unknown, and MUST be set by a controller when it sees a GatewayClass using its controller string. The status of this condition MUST be set to True if the controller will support provisioning Gateways using this class. Otherwise, this status MUST be set to False. If the status is set to False, the controller SHOULD set a Message and Reason as an explanation.

Possible reasons for this condition to be true are:

  • “Accepted”

Possible reasons for this condition to be False are:

  • “InvalidParameters”
  • “Unsupported”
  • “UnsupportedVersion”

Possible reasons for this condition to be Unknown are:

  • “Pending”

Controllers should prefer to use the values of GatewayClassConditionReason for the corresponding Reason, where appropriate.

"SupportedVersion"

This condition indicates whether the GatewayClass supports the version(s) of Gateway API CRDs present in the cluster. This condition MUST be set by a controller when it marks a GatewayClass “Accepted”.

The version of a Gateway API CRD is defined by the gateway.networking.k8s.io/bundle-version annotation on the CRD. If implementations detect any Gateway API CRDs that either do not have this annotation set, or have it set to a version that is not recognized or supported by the implementation, this condition MUST be set to false.

Implementations MAY choose to either provide “best effort” support when an unrecognized CRD version is present. This would be communicated by setting the “Accepted” condition to true and the “SupportedVersion” condition to false.

Alternatively, implementations MAY choose not to support CRDs with unrecognized versions. This would be communicated by setting the “Accepted” condition to false with the reason “UnsupportedVersions”.

Possible reasons for this condition to be true are:

  • “SupportedVersion”

Possible reasons for this condition to be False are:

  • “UnsupportedVersion”

Controllers should prefer to use the values of GatewayClassConditionReason for the corresponding Reason, where appropriate.

gateway:experimental

GatewayClassSpec

(Appears on: GatewayClass, GatewayClass)

GatewayClassSpec reflects the configuration of a class of Gateways.

Field Description
controllerName
GatewayController

ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path.

Example: “example.net/gateway-controller”.

This field is not mutable and cannot be empty.

Support: Core

parametersRef
ParametersReference
(Optional)

ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration.

ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped.

If the referent cannot be found, refers to an unsupported kind, or when the data within that resource is malformed, the GatewayClass SHOULD be rejected with the “Accepted” status condition set to “False” and an “InvalidParameters” reason.

A Gateway for this GatewayClass may provide its own parametersRef. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.

Support: Implementation-specific

description
string
(Optional)

Description helps describe a GatewayClass with more details.

GatewayClassStatus

(Appears on: GatewayClass, GatewayClass)

GatewayClassStatus is the current status for the GatewayClass.

Field Description
conditions
[]Kubernetes meta/v1.Condition
(Optional)

Conditions is the current status from the controller for this GatewayClass.

Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition.

supportedFeatures
[]SupportedFeature
(Optional)

SupportedFeatures is the set of features the GatewayClass support. It MUST be sorted in ascending alphabetical order by the Name key. gateway:experimental

GatewayConditionReason (string alias)

GatewayConditionReason defines the set of reasons that explain why a particular Gateway condition type has been raised.

Value Description

"Accepted"

This reason is used with the “Accepted” condition when the condition is True.

"AddressNotAssigned"

This reason is used with the “Programmed” condition when the underlying implementation and network have yet to dynamically assign addresses for a Gateway.

Some example situations where this reason can be used:

  • IPAM address exhaustion
  • Address not yet allocated

When this reason is used the implementation SHOULD provide a clear message explaining the underlying problem, ideally with some hints as to what actions can be taken that might resolve the problem.

"AddressNotUsable"

This reason is used with the “Programmed” condition when the underlying implementation (and possibly, network) are unable to use an address that was provided in the Gateway specification.

Some example situations where this reason can be used:

  • a named address not being found
  • a provided static address can’t be used
  • the address is already in use

When this reason is used the implementation SHOULD provide prescriptive information on which address is causing the problem and how to resolve it in the condition message.

"Invalid"

This reason is used with the “Programmed” and “Accepted” conditions when the Gateway is syntactically or semantically invalid. For example, this could include unspecified TLS configuration, or some unrecognized or invalid values in the TLS configuration.

"InvalidParameters"

This reason is used with the “Accepted” condition when the Gateway was not accepted because the parametersRef field was invalid, with more detail in the message.

"ListenersNotReady"

Deprecated: Ready is reserved for future use

"ListenersNotValid"

This reason is used with the “Accepted” condition when one or more Listeners have an invalid or unsupported configuration and cannot be configured on the Gateway. This can be the reason when “Accepted” is “True” or “False”, depending on whether the listener being invalid causes the entire Gateway to not be accepted.

"NoResources"

This reason is used with the “Programmed” condition when the Gateway is not scheduled because insufficient infrastructure resources are available.

"NotReconciled"

Deprecated: Use “Pending” instead.

"Pending"

This reason is used with the “Accepted” and “Programmed” conditions when the status is “Unknown” and no controller has reconciled the Gateway.

"Programmed"

This reason is used with the “Programmed” condition when the condition is true.

"Ready"

Deprecated: Ready is reserved for future use

"Scheduled"

This reason is used with the “Scheduled” condition when the condition is True.

Deprecated: use the “Accepted” condition with reason “Accepted” instead.

"UnsupportedAddress"

This reason is used with the “Accepted” condition to indicate that the Gateway could not be accepted because an address that was provided is a type which is not supported by the implementation.

GatewayConditionType (string alias)

GatewayConditionType is a type of condition associated with a Gateway. This type should be used with the GatewayStatus.Conditions field.

Value Description

"Accepted"

This condition is true when the controller managing the Gateway is syntactically and semantically valid enough to produce some configuration in the underlying data plane. This does not indicate whether or not the configuration has been propagated to the data plane.

Possible reasons for this condition to be True are:

  • “Accepted”
  • “ListenersNotValid”

Possible reasons for this condition to be False are:

  • “Invalid”
  • “InvalidParameters”
  • “NotReconciled”
  • “UnsupportedAddress”
  • “ListenersNotValid”

Possible reasons for this condition to be Unknown are:

  • “Pending”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

"Programmed"

This condition indicates whether a Gateway has generated some configuration that is assumed to be ready soon in the underlying data plane.

It is a positive-polarity summary condition, and so should always be present on the resource with ObservedGeneration set.

It should be set to Unknown if the controller performs updates to the status before it has all the information it needs to be able to determine if the condition is true.

Possible reasons for this condition to be True are:

  • “Programmed”

Possible reasons for this condition to be False are:

  • “Invalid”
  • “Pending”
  • “NoResources”
  • “AddressNotAssigned”

Possible reasons for this condition to be Unknown are:

  • “Pending”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

"Ready"

“Ready” is a condition type reserved for future use. It should not be used by implementations.

If used in the future, “Ready” will represent the final state where all configuration is confirmed good and has completely propagated to the data plane. That is, it is a guarantee that, as soon as something sees the Condition as true, then connections will be correctly routed immediately.

This is a very strong guarantee, and to date no implementation has satisfied it enough to implement it. This reservation can be discussed in the future if necessary.

Note: This condition is not really “deprecated”, but rather “reserved”; however, deprecated triggers Go linters to alert about usage. Deprecated: Ready is reserved for future use

"Scheduled"

Deprecated: use “Accepted” instead.

GatewayController (string alias)

(Appears on: GatewayClassSpec, RouteParentStatus, PolicyAncestorStatus)

GatewayController is the name of a Gateway API controller. It must be a domain prefixed path.

Valid values include:

  • “example.com/bar”

Invalid values include:

  • “example.com” - must include path
  • “foo.example.com” - must include path

GatewayInfrastructure

(Appears on: GatewaySpec)

GatewayInfrastructure defines infrastructure level attributes about a Gateway instance.

Field Description
labels
map[sigs.k8s.io/gateway-api/apis/v1.LabelKey]sigs.k8s.io/gateway-api/apis/v1.LabelValue
(Optional)

Labels that SHOULD be applied to any resources created in response to this Gateway.

For implementations creating other Kubernetes objects, this should be the metadata.labels field on resources. For other implementations, this refers to any relevant (implementation specific) “labels” concepts.

An implementation may chose to add additional implementation-specific labels as they see fit.

If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels change, it SHOULD clearly warn about this behavior in documentation.

Support: Extended

annotations
map[sigs.k8s.io/gateway-api/apis/v1.AnnotationKey]sigs.k8s.io/gateway-api/apis/v1.AnnotationValue
(Optional)

Annotations that SHOULD be applied to any resources created in response to this Gateway.

For implementations creating other Kubernetes objects, this should be the metadata.annotations field on resources. For other implementations, this refers to any relevant (implementation specific) “annotations” concepts.

An implementation may chose to add additional implementation-specific annotations as they see fit.

Support: Extended

parametersRef
LocalParametersReference
(Optional)

ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the Gateway. This is optional if the controller does not require any additional configuration.

This follows the same semantics as GatewayClass’s parametersRef, but on a per-Gateway basis

The Gateway’s GatewayClass may provide its own parametersRef. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.

Support: Implementation-specific

GatewaySpec

(Appears on: Gateway, Gateway)

GatewaySpec defines the desired state of Gateway.

Not all possible combinations of options specified in the Spec are valid. Some invalid configurations can be caught synchronously via CRD validation, but there are many cases that will require asynchronous signaling via the GatewayStatus block.

Field Description
gatewayClassName
ObjectName

GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.

listeners
[]Listener

Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway’s addresses. At least one Listener MUST be specified.

Distinct Listeners

Each Listener in a set of Listeners (for example, in a single Gateway) MUST be distinct, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses “set of Listeners” rather than “Listeners in a single Gateway” because implementations MAY merge configuration from multiple Gateways onto a single data plane, and these rules also apply in that case).

Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname.

Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on the objects they support:

HTTPRoute

  1. HTTPRoute, Port: 80, Protocol: HTTP
  2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided

TLSRoute

  1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough

“Distinct” Listeners have the following property:

The implementation can match inbound requests to a single distinct Listener.

When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields.

When multiple listeners have the same value for the Protocol field, then each of the Listeners with matching Protocol values MUST have different values for other fields.

The set of fields that MUST be different for a Listener differs per protocol. The following rules define the rules for what fields MUST be considered for Listeners to be distinct with each protocol currently defined in the Gateway API spec.

The set of listeners that all share a protocol value MUST have different values for at least one of these fields to be distinct:

  • HTTP, HTTPS, TLS: Port, Hostname
  • TCP, UDP: Port

One very important rule to call out involves what happens when an implementation:

  • Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol Listeners, and
  • sees HTTP, HTTPS, or TLS protocols with the same port as one with TCP Protocol.

In this case all the Listeners that share a port with the TCP Listener are not distinct and so MUST NOT be accepted.

If an implementation does not support TCP Protocol Listeners, then the previous rule does not apply, and the TCP Listeners SHOULD NOT be accepted.

Note that the tls field is not used for determining if a listener is distinct, because Listeners that only differ on TLS config will still conflict in all cases.

Listeners that are distinct only by Hostname

When the Listeners are distinct based only on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes.

Exact matches MUST be processed before wildcard matches, and wildcard matches MUST be processed before fallback (empty Hostname value) matches. For example, "foo.example.com" takes precedence over "*.example.com", and "*.example.com" takes precedence over "".

Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, "*.foo.example.com" takes precedence over "*.example.com".

The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence.

The wildcard character will match any number of characters and dots to the left, however, so "*.example.com" will match both "foo.bar.example.com" and "bar.example.com".

Handling indistinct Listeners

If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the “Conflicted” condition in the Listener Status to “True”.

The words “indistict” and “conflicted” are considered equivalent for the purpose of this documentation.

Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners.

Specifically, an implementation MAY accept a partial Listener set subject to the following rules:

  • The implementation MUST NOT pick one conflicting Listener as the winner. ALL indistinct Listeners must not be accepted for processing.
  • At least one distinct Listener MUST be present, or else the Gateway effectively contains no Listeners, and must be rejected from processing as a whole.

The implementation MUST set a “ListenersNotValid” condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly indicate in the Message which Listeners are conflicted, and which are Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted.

General Listener behavior

Note that, for all distinct Listeners, requests SHOULD match at most one Listener. For example, if Listeners are defined for “foo.example.com” and “.example.com”, a request to “foo.example.com” SHOULD only be routed using routes attached to the “foo.example.com” Listener (and not the “.example.com” Listener).

This concept is known as “Listener Isolation”, and it is an Extended feature of Gateway API. Implementations that do not support Listener Isolation MUST clearly document this, and MUST NOT claim support for the GatewayHTTPListenerIsolation feature.

Implementations that do support Listener Isolation SHOULD claim support for the Extended GatewayHTTPListenerIsolation feature and pass the associated conformance tests.

Compatible Listeners

A Gateway’s Listeners are considered compatible if:

  1. They are distinct.
  2. The implementation can serve them in compliance with the Addresses requirement that all Listeners are available on all assigned addresses.

Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another.

For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct.

Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible.

Support: Core

addresses
[]GatewayAddress
(Optional)

Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses.

The Addresses field represents a request for the address(es) on the “outside of the Gateway”, that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to.

If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses.

The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses.

Support: Extended

gateway:validateIPAddress

infrastructure
GatewayInfrastructure
(Optional)

Infrastructure defines infrastructure level attributes about this Gateway instance.

Support: Extended

backendTLS
GatewayBackendTLS
(Optional)

BackendTLS configures TLS settings for when this Gateway is connecting to backends with TLS.

Support: Core

gateway:experimental

GatewayStatus

(Appears on: Gateway, Gateway)

GatewayStatus defines the observed state of Gateway.

Field Description
addresses
[]GatewayStatusAddress
(Optional)

Addresses lists the network addresses that have been bound to the Gateway.

This list may differ from the addresses provided in the spec under some conditions:

  • no addresses are specified, all addresses are dynamically assigned
  • a combination of specified and dynamic addresses are assigned
  • a specified address was unusable (e.g. already in use)

gateway:validateIPAddress

conditions
[]Kubernetes meta/v1.Condition
(Optional)

Conditions describe the current conditions of the Gateway.

Implementations should prefer to express Gateway conditions using the GatewayConditionType and GatewayConditionReason constants so that operators and tools can converge on a common vocabulary to describe Gateway state.

Known condition types are:

  • “Accepted”
  • “Programmed”
  • “Ready”
listeners
[]ListenerStatus
(Optional)

Listeners provide status for each unique listener port defined in the Spec.

GatewayStatusAddress

(Appears on: GatewayStatus)

GatewayStatusAddress describes a network address that is bound to a Gateway.

Field Description
type
AddressType
(Optional)

Type of the address.

value
string

Value of the address. The validity of the values will depend on the type and support by the controller.

Examples: 1.2.3.4, 128::1, my-ip-address.

GatewayTLSConfig

(Appears on: Listener)

GatewayTLSConfig describes a TLS configuration.

Field Description
mode
TLSModeType
(Optional)

Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes:

  • Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificates to be specified in some way, such as populating the certificateRefs field.
  • Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can’t decipher the TLS stream except for the ClientHello message of the TLS protocol. The certificateRefs field is ignored in this mode.

Support: Core

certificateRefs
[]SecretObjectReference
(Optional)

CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener.

A single CertificateRef to a Kubernetes Secret has “Core” support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific.

References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the “ResolvedRefs” condition MUST be set to False for this listener with the “RefNotPermitted” reason.

This field is required to have at least one element when the mode is set to “Terminate” (default) and is optional otherwise.

CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources.

Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls

Support: Implementation-specific (More than one reference or other resource types)

frontendValidation
FrontendTLSValidation
(Optional)

FrontendValidation holds configuration information for validating the frontend (client). Setting this field will require clients to send a client certificate required for validation during the TLS handshake. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific.

Support: Extended

gateway:experimental

options
map[sigs.k8s.io/gateway-api/apis/v1.AnnotationKey]sigs.k8s.io/gateway-api/apis/v1.AnnotationValue
(Optional)

Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites.

A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as example.com/my-custom-option. Un-prefixed names are reserved for key names defined by Gateway API.

Support: Implementation-specific

Group (string alias)

(Appears on: BackendObjectReference, LocalObjectReference, LocalParametersReference, ObjectReference, ParametersReference, ParentReference, RouteGroupKind, SecretObjectReference, LocalPolicyTargetReference, NamespacedPolicyTargetReference, ReferenceGrantFrom, ReferenceGrantTo)

Group refers to a Kubernetes Group. It must either be an empty string or a RFC 1123 subdomain.

This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208

Valid values include:

  • ”” - empty string implies core Kubernetes API group
  • “networking.k8s.io”
  • “foo.example.com”

Invalid values include:

  • “example.com/bar” - “/” is an invalid character

HTTPBackendRef

(Appears on: HTTPRouteRule)

HTTPBackendRef defines how a HTTPRoute should forward an HTTP request.

Field Description
BackendRef
BackendRef

(Members of BackendRef are embedded into this type.)

(Optional)

BackendRef is a reference to a backend to forward matched requests to.

A BackendRef can be invalid for the following reasons. In all cases, the implementation MUST ensure the ResolvedRefs Condition on the Route is set to status: False, with a Reason and Message that indicate what is the cause of the error.

A BackendRef is invalid if:

  • It refers to an unknown or unsupported kind of resource. In this case, the Reason must be set to InvalidKind and Message of the Condition must explain which kind of resource is unknown or unsupported.

  • It refers to a resource that does not exist. In this case, the Reason must be set to BackendNotFound and the Message of the Condition must explain which resource does not exist.

  • It refers a resource in another namespace when the reference has not been explicitly allowed by a ReferenceGrant (or equivalent concept). In this case, the Reason must be set to RefNotPermitted and the Message of the Condition must explain which cross-namespace reference is not allowed.

  • It refers to a Kubernetes Service that has an incompatible appProtocol for the given Route type

  • The BackendTLSPolicy object is installed in the cluster, a BackendTLSPolicy is present that refers to the Service, and the implementation is unable to meet the requirement. At the time of writing, BackendTLSPolicy is experimental, but once it becomes standard, this will become a MUST requirement.

Support: Core for Kubernetes Service

Support: Implementation-specific for any other resource

Support for weight: Core

Support for Kubernetes Service appProtocol: Extended

Support for BackendTLSPolicy: Experimental and ImplementationSpecific

filters
[]HTTPRouteFilter
(Optional)

Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here.

Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)

HTTPHeader

(Appears on: HTTPHeaderFilter)

HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.

Field Description
name
HTTPHeaderName

Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).

If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent.

value
string

Value is the value of HTTP Header to be matched.

HTTPHeaderFilter

(Appears on: GRPCRouteFilter, HTTPRouteFilter)

HTTPHeaderFilter defines a filter that modifies the headers of an HTTP request or response.

Field Description
set
[]HTTPHeader
(Optional)

Set overwrites the request with the given header (name, value) before the action.

Input: GET /foo HTTP/1.1 my-header: foo

Config: set: - name: “my-header” value: “bar”

Output: GET /foo HTTP/1.1 my-header: bar

add
[]HTTPHeader
(Optional)

Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name.

Input: GET /foo HTTP/1.1 my-header: foo

Config: add: - name: “my-header” value: “bar,baz”

Output: GET /foo HTTP/1.1 my-header: foo,bar,baz

remove
[]string
(Optional)

Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).

Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz

Config: remove: [“my-header1”, “my-header3”]

Output: GET /foo HTTP/1.1 my-header2: bar

HTTPHeaderMatch

(Appears on: HTTPRouteMatch)

HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers.

Field Description
type
HeaderMatchType
(Optional)

Type specifies how to match against the value of the header.

Support: Core (Exact)

Support: Implementation-specific (RegularExpression)

Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation’s documentation to determine the supported dialect.

name
HTTPHeaderName

Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).

If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent.

When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for “Set-Cookie”.

value
string

Value is the value of HTTP Header to be matched.

HTTPHeaderName (string alias)

(Appears on: HTTPHeader, HTTPHeaderMatch, HTTPQueryParamMatch)

HTTPHeaderName is the name of an HTTP header.

Valid values include: * “Authorization” * “Set-Cookie”

Invalid values include:

  • ”:method” - “:” is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type.

  • ”/invalid” - “/” is an invalid character

HTTPMethod (string alias)

(Appears on: HTTPRouteMatch)

HTTPMethod describes how to select a HTTP route by matching the HTTP method as defined by RFC 7231 and RFC 5789. The value is expected in upper case.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Value Description

"CONNECT"

"DELETE"

"GET"

"HEAD"

"OPTIONS"

"PATCH"

"POST"

"PUT"

"TRACE"

HTTPPathMatch

(Appears on: HTTPRouteMatch)

HTTPPathMatch describes how to select a HTTP route by matching the HTTP request path.

Field Description
type
PathMatchType
(Optional)

Type specifies how to match against the path Value.

Support: Core (Exact, PathPrefix)

Support: Implementation-specific (RegularExpression)

value
string
(Optional)

Value of the HTTP path to match against.

HTTPPathModifier

(Appears on: HTTPRequestRedirectFilter, HTTPURLRewriteFilter)

HTTPPathModifier defines configuration for path modifiers. gateway:experimental

Field Description
type
HTTPPathModifierType

Type defines the type of path modifier. Additional types may be added in a future release of the API.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

replaceFullPath
string
(Optional)

ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.

replacePrefixMatch
string
(Optional)

ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to “/foo/bar” with a prefix match of “/foo” and a ReplacePrefixMatch of “/xyz” would be modified to “/xyz/bar”.

Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the / separator. When specified, a trailing / is ignored. For example, the paths /abc, /abc/, and /abc/def would all match the prefix /abc, but the path /abcd would not.

ReplacePrefixMatch is only compatible with a PathPrefix HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to status: False.

Request Path Prefix Match Replace Prefix Modified Path
/foo/bar /foo /xyz /xyz/bar
/foo/bar /foo /xyz/ /xyz/bar
/foo/bar /foo/ /xyz /xyz/bar
/foo/bar /foo/ /xyz/ /xyz/bar
/foo /foo /xyz /xyz
/foo/ /foo /xyz /xyz/
/foo/bar /foo /bar
/foo/ /foo /
/foo /foo /
/foo/ /foo / /
/foo /foo / /

HTTPPathModifierType (string alias)

(Appears on: HTTPPathModifier)

HTTPPathModifierType defines the type of path redirect or rewrite.

Value Description

"ReplaceFullPath"

This type of modifier indicates that the full path will be replaced by the specified value.

"ReplacePrefixMatch"

This type of modifier indicates that any prefix path matches will be replaced by the substitution value. For example, a path with a prefix match of “/foo” and a ReplacePrefixMatch substitution of “/bar” will have the “/foo” prefix replaced with “/bar” in matching requests.

Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the / separator. When specified, a trailing / is ignored. For example, the paths /abc, /abc/, and /abc/def would all match the prefix /abc, but the path /abcd would not.

HTTPQueryParamMatch

(Appears on: HTTPRouteMatch)

HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters.

Field Description
type
QueryParamMatchType
(Optional)

Type specifies how to match against the value of the query parameter.

Support: Extended (Exact)

Support: Implementation-specific (RegularExpression)

Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation’s documentation to determine the supported dialect.

name
HTTPHeaderName

Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).

If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored.

If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is recommended that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API.

Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations.

value
string

Value is the value of HTTP query param to be matched.

HTTPRequestMirrorFilter

(Appears on: GRPCRouteFilter, HTTPRouteFilter)

HTTPRequestMirrorFilter defines configuration for the RequestMirror filter.

Field Description
backendRef
BackendObjectReference

BackendRef references a resource where mirrored requests are sent.

Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef.

If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the “ResolvedRefs” condition on the Route status is set to status: False and not configure this backend in the underlying implementation.

If there is a cross-namespace reference to an existing object that is not allowed by a ReferenceGrant, the controller must ensure the “ResolvedRefs” condition on the Route is set to status: False, with the “RefNotPermitted” reason and not configure this backend in the underlying implementation.

In either error case, the Message of the ResolvedRefs Condition should be used to provide more detail about the problem.

Support: Extended for Kubernetes Service

Support: Implementation-specific for any other resource

percent
int32
(Optional)

Percent represents the percentage of requests that should be mirrored to BackendRef. Its minimum value is 0 (indicating 0% of requests) and its maximum value is 100 (indicating 100% of requests).

Only one of Fraction or Percent may be specified. If neither field is specified, 100% of requests will be mirrored.

gateway:experimental

fraction
Fraction
(Optional)

Fraction represents the fraction of requests that should be mirrored to BackendRef.

Only one of Fraction or Percent may be specified. If neither field is specified, 100% of requests will be mirrored.

gateway:experimental

HTTPRequestRedirectFilter

(Appears on: HTTPRouteFilter)

HTTPRequestRedirect defines a filter that redirects a request. This filter MUST NOT be used on the same Route rule as a HTTPURLRewrite filter.

Field Description
scheme
string
(Optional)

Scheme is the scheme to be used in the value of the Location header in the response. When empty, the scheme of the request is used.

Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Support: Extended

hostname
PreciseHostname
(Optional)

Hostname is the hostname to be used in the value of the Location header in the response. When empty, the hostname in the Host header of the request is used.

Support: Core

path
HTTPPathModifier
(Optional)

Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the Location header. When empty, the request path is used as-is.

Support: Extended

port
PortNumber
(Optional)

Port is the port to be used in the value of the Location header in the response.

If no port is specified, the redirect port MUST be derived using the following rules:

  • If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically “http” to port 80 and “https” to port 443. If the redirect scheme does not have a well-known port, the listener port of the Gateway SHOULD be used.
  • If redirect scheme is empty, the redirect port MUST be the Gateway Listener port.

Implementations SHOULD NOT add the port number in the ‘Location’ header in the following cases:

  • A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) and use port 80.
  • A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) and use port 443.

Support: Extended

statusCode
int
(Optional)

StatusCode is the HTTP status code to be used in response.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Support: Core

HTTPRouteFilter

(Appears on: HTTPBackendRef, HTTPRouteRule)

HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter.

Field Description
type
HTTPRouteFilterType

Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels:

  • Core: Filter types and their corresponding configuration defined by “Support: Core” in this package, e.g. “RequestHeaderModifier”. All implementations must support core filters.

  • Extended: Filter types and their corresponding configuration defined by “Support: Extended” in this package, e.g. “RequestMirror”. Implementers are encouraged to support extended filters.

  • Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. Type should be set to “ExtensionRef” for custom filters.

Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior.

If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

requestHeaderModifier
HTTPHeaderFilter
(Optional)

RequestHeaderModifier defines a schema for a filter that modifies request headers.

Support: Core

responseHeaderModifier
HTTPHeaderFilter
(Optional)

ResponseHeaderModifier defines a schema for a filter that modifies response headers.

Support: Extended

requestMirror
HTTPRequestMirrorFilter
(Optional)

RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored.

This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends.

Support: Extended

requestRedirect
HTTPRequestRedirectFilter
(Optional)

RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection.

Support: Core

urlRewrite
HTTPURLRewriteFilter
(Optional)

URLRewrite defines a schema for a filter that modifies a request during forwarding.

Support: Extended

extensionRef
LocalObjectReference
(Optional)

ExtensionRef is an optional, implementation-specific extension to the “filter” behavior. For example, resource “myroutefilter” in group “networking.example.net”). ExtensionRef MUST NOT be used for core and extended filters.

This filter can be used multiple times within the same rule.

Support: Implementation-specific

HTTPRouteFilterType (string alias)

(Appears on: HTTPRouteFilter)

HTTPRouteFilterType identifies a type of HTTPRoute filter.

Value Description

"ExtensionRef"

HTTPRouteFilterExtensionRef should be used for configuring custom HTTP filters.

Support in HTTPRouteRule: Implementation-specific

Support in HTTPBackendRef: Implementation-specific

"RequestHeaderModifier"

HTTPRouteFilterRequestHeaderModifier can be used to add or remove an HTTP header from an HTTP request before it is sent to the upstream target.

Support in HTTPRouteRule: Core

Support in HTTPBackendRef: Extended

"RequestMirror"

HTTPRouteFilterRequestMirror can be used to mirror HTTP requests to a different backend. The responses from this backend MUST be ignored by the Gateway.

Support in HTTPRouteRule: Extended

Support in HTTPBackendRef: Extended

"RequestRedirect"

HTTPRouteFilterRequestRedirect can be used to redirect a request to another location. This filter can also be used for HTTP to HTTPS redirects. This may not be used on the same Route rule or BackendRef as a URLRewrite filter.

Support in HTTPRouteRule: Core

Support in HTTPBackendRef: Extended

"ResponseHeaderModifier"

HTTPRouteFilterResponseHeaderModifier can be used to add or remove an HTTP header from an HTTP response before it is sent to the client.

Support in HTTPRouteRule: Extended

Support in HTTPBackendRef: Extended

"URLRewrite"

HTTPRouteFilterURLRewrite can be used to modify a request during forwarding. At most one of these filters may be used on a Route rule. This may not be used on the same Route rule or BackendRef as a RequestRedirect filter.

Support in HTTPRouteRule: Extended

Support in HTTPBackendRef: Extended

HTTPRouteMatch

(Appears on: HTTPRouteRule)

HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied.

For example, the match below will match a HTTP request only if its path starts with /foo AND it contains the version: v1 header:

match:
path:
value: "/foo"
headers:
- name: "version"
value "v1"

Field Description
path
HTTPPathMatch
(Optional)

Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the “/” path is provided.

headers
[]HTTPHeaderMatch
(Optional)

Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route.

queryParams
[]HTTPQueryParamMatch
(Optional)

QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route.

Support: Extended

method
HTTPMethod
(Optional)

Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method.

Support: Extended

HTTPRouteRetry

(Appears on: HTTPRouteRule)

HTTPRouteRetry defines retry configuration for an HTTPRoute.

Implementations SHOULD retry on connection errors (disconnect, reset, timeout, TCP failure) if a retry stanza is configured.

Field Description
codes
[]HTTPRouteRetryStatusCode
(Optional)

Codes defines the HTTP response status codes for which a backend request should be retried.

Support: Extended

attempts
int
(Optional)

Attempts specifies the maximum number of times an individual request from the gateway to a backend should be retried.

If the maximum number of retries has been attempted without a successful response from the backend, the Gateway MUST return an error.

When this field is unspecified, the number of times to attempt to retry a backend request is implementation-specific.

Support: Extended

backoff
Duration
(Optional)

Backoff specifies the minimum duration a Gateway should wait between retry attempts and is represented in Gateway API Duration formatting.

For example, setting the rules[].retry.backoff field to the value 100ms will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured to be retryable.

An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to some amount greater than the specified minimum, and MAY add arbitrary jitter to stagger requests, as long as unsuccessful backend requests are not retried before the configured minimum duration.

If a Request timeout (rules[].timeouts.request) is configured on the route, the entire duration of the initial request and any retry attempts MUST not exceed the Request timeout duration. If any retry attempts are still in progress when the Request timeout duration has been reached, these SHOULD be canceled if possible and the Gateway MUST immediately return a timeout error.

If a BackendRequest timeout (rules[].timeouts.backendRequest) is configured on the route, any retry attempts which reach the configured BackendRequest timeout duration without a response SHOULD be canceled if possible and the Gateway should wait for at least the specified backoff duration before attempting to retry the backend request again.

If a BackendRequest timeout is not configured on the route, retry attempts MAY time out after an implementation default duration, or MAY remain pending until a configured Request timeout or implementation default duration for total request time is reached.

When this field is unspecified, the time to wait between retry attempts is implementation-specific.

Support: Extended

HTTPRouteRetryStatusCode (int alias)

(Appears on: HTTPRouteRetry)

HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried.

Implementations MUST support the following status codes as retryable:

  • 500
  • 502
  • 503
  • 504

Implementations MAY support specifying additional discrete values in the 500-599 range.

Implementations MAY support specifying discrete values in the 400-499 range, which are often inadvisable to retry.

gateway:experimental

HTTPRouteRule

(Appears on: HTTPRouteSpec)

HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).

Field Description
name
SectionName
(Optional)

Name is the name of the route rule. This name MUST be unique within a Route if it is set.

Support: Extended gateway:experimental

matches
[]HTTPRouteMatch
(Optional)

Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied.

For example, take the following matches configuration:

matches:
- path:
value: "/foo"
headers:
- name: "version"
value: "v2"
- path:
value: "/v2/foo"

For a request to match against this rule, a request must satisfy EITHER of the two conditions:

  • path prefixed with /foo AND contains the header version: v2
  • path prefix of /v2/foo

See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together.

If no matches are specified, the default is a prefix path match on “/”, which has the effect of matching every HTTP request.

Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match having:

  • “Exact” path match.
  • “Prefix” path match with largest number of characters.
  • Method match.
  • Largest number of header matches.
  • Largest number of query param matches.

Note: The precedence of RegularExpression path matches are implementation-specific.

If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties:

  • The oldest Route based on creation timestamp.
  • The Route appearing first in alphabetical order by “{namespace}/{name}”.

If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria.

When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned.

filters
[]HTTPRouteFilter
(Optional)

Filters define the filters that are applied to requests that match this rule.

Wherever possible, implementations SHOULD implement filters in the order they are specified.

Implementations MAY choose to implement this ordering strictly, rejecting any combination or order of filters that can not be supported. If implementations choose a strict interpretation of filter ordering, they MUST clearly document that behavior.

To reject an invalid combination or order of filters, implementations SHOULD consider the Route Rules with this configuration invalid. If all Route Rules in a Route are invalid, the entire Route would be considered invalid. If only a portion of Route Rules are invalid, implementations MUST set the “PartiallyInvalid” condition for the Route.

Conformance-levels at this level are defined based on the type of filter:

  • ALL core filters MUST be supported by all implementations.
  • Implementers are encouraged to support extended filters.
  • Implementation-specific custom filters have no API guarantees across implementations.

Specifying the same filter multiple times is not supported unless explicitly indicated in the filter.

All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In cases where incompatible or unsupported filters are specified and cause the Accepted condition to be set to status False, implementations may use the IncompatibleFilters reason to specify this configuration error.

Support: Core

backendRefs
[]HTTPBackendRef
(Optional)

BackendRefs defines the backend(s) where matching requests should be sent.

Failure behavior here depends on how many BackendRefs are specified and how many are invalid.

If all entries in BackendRefs are invalid, and there are also no filters specified in this route rule, all traffic which matches this rule MUST receive a 500 status code.

See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid.

When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code.

For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined.

When a HTTPBackendRef refers to a Service that has no ready endpoints, implementations SHOULD return a 503 for requests to that backend instead. If an implementation chooses to do this, all of the above rules for 500 responses MUST also apply for responses that return a 503.

Support: Core for Kubernetes Service

Support: Extended for Kubernetes ServiceImport

Support: Implementation-specific for any other resource

Support for weight: Core

timeouts
HTTPRouteTimeouts
(Optional)

Timeouts defines the timeouts that can be configured for an HTTP request.

Support: Extended

retry
HTTPRouteRetry
(Optional)

Retry defines the configuration for when to retry an HTTP request.

Support: Extended

gateway:experimental

sessionPersistence
SessionPersistence
(Optional)

SessionPersistence defines and configures session persistence for the route rule.

Support: Extended

gateway:experimental

HTTPRouteSpec

(Appears on: HTTPRoute, HTTPRoute)

HTTPRouteSpec defines the desired state of HTTPRoute

Field Description
CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPRoute used to process the request. Implementations MUST ignore any port value specified in the HTTP Host header while performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend.

Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label must appear by itself as the first label.

If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, *.example.com, test.example.com, and foo.test.example.com would all match. On the other hand, example.com and test.example.net would not match.

Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com.

If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the HTTPRoute specified test.example.com and test.example.net, test.example.net must not be considered for a match.

If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of:

  • Characters in a matching non-wildcard hostname.
  • Characters in a matching hostname.

If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over.

Support: Core

rules
[]HTTPRouteRule
(Optional)

Rules are a list of HTTP matchers, filters and actions.

HTTPRouteStatus

(Appears on: HTTPRoute, HTTPRoute)

HTTPRouteStatus defines the observed state of HTTPRoute.

Field Description
RouteStatus
RouteStatus

(Members of RouteStatus are embedded into this type.)

HTTPRouteTimeouts

(Appears on: HTTPRouteRule)

HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute.

Field Description
request
Duration
(Optional)

Request specifies the maximum duration for a gateway to respond to an HTTP request. If the gateway has not been able to respond before this deadline is met, the gateway MUST return a timeout error.

For example, setting the rules.timeouts.request field to the value 10s in an HTTPRoute will cause a timeout if a client request is taking longer than 10 seconds to complete.

Setting a timeout to the zero duration (e.g. “0s”) SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set.

This timeout is intended to cover as close to the whole request-response transaction as possible although an implementation MAY choose to start the timeout after the entire request stream has been received instead of immediately after the transaction is initiated by the client.

The value of Request is a Gateway API Duration string as defined by GEP-2257. When this field is unspecified, request timeout behavior is implementation-specific.

Support: Extended

backendRequest
Duration
(Optional)

BackendRequest specifies a timeout for an individual request from the gateway to a backend. This covers the time from when the request first starts being sent from the gateway to when the full response has been received from the backend.

Setting a timeout to the zero duration (e.g. “0s”) SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set.

An entire client HTTP transaction with a gateway, covered by the Request timeout, may result in more than one call from the gateway to the destination backend, for example, if automatic retries are supported.

The value of BackendRequest must be a Gateway API Duration string as defined by GEP-2257. When this field is unspecified, its behavior is implementation-specific; when specified, the value of BackendRequest must be no more than the value of the Request timeout (since the Request timeout encompasses the BackendRequest timeout).

Support: Extended

HTTPURLRewriteFilter

(Appears on: HTTPRouteFilter)

HTTPURLRewriteFilter defines a filter that modifies a request during forwarding. At most one of these filters may be used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequestRedirect filter.

Support: Extended

gateway:experimental

Field Description
hostname
PreciseHostname
(Optional)

Hostname is the value to be used to replace the Host header value during forwarding.

Support: Extended

path
HTTPPathModifier
(Optional)

Path defines a path rewrite.

Support: Extended

HeaderMatchType (string alias)

(Appears on: HTTPHeaderMatch)

HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values, along with their conformance levels, are:

  • “Exact” - Core
  • “RegularExpression” - Implementation Specific

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Value Description

"Exact"

"RegularExpression"

HeaderName (string alias)

HeaderName is the name of a header or query parameter.

Hostname (string alias)

(Appears on: GRPCRouteSpec, HTTPRouteSpec, Listener, TLSRouteSpec, SubjectAltName)

Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label must appear by itself as the first label.

Hostname can be “precise” which is a domain name without the terminating dot of a network host (e.g. “foo.example.com”) or “wildcard”, which is a domain name prefixed with a single wildcard label (e.g. *.example.com).

Note that as per RFC1035 and RFC1123, a label must consist of lower case alphanumeric characters or ‘-’, and must start and end with an alphanumeric character. No other punctuation is allowed.

Kind (string alias)

(Appears on: BackendObjectReference, LocalObjectReference, LocalParametersReference, ObjectReference, ParametersReference, ParentReference, RouteGroupKind, SecretObjectReference, LocalPolicyTargetReference, NamespacedPolicyTargetReference, ReferenceGrantFrom, ReferenceGrantTo)

Kind refers to a Kubernetes Kind.

Valid values include:

  • “Service”
  • “HTTPRoute”

Invalid values include:

  • “invalid/kind” - “/” is an invalid character

LabelKey (string alias)

LabelKey is the key of a label in the Gateway API. This is used for validation of maps such as Gateway infrastructure labels. This matches the Kubernetes “qualified name” validation that is used for labels.

Valid values include:

  • example
  • example.com
  • example.com/path
  • example.com/path.html

Invalid values include:

  • example~ - “~” is an invalid character
  • example.com. - can not start or end with “.”

LabelValue (string alias)

(Appears on: GatewayInfrastructure)

LabelValue is the value of a label in the Gateway API. This is used for validation of maps such as Gateway infrastructure labels. This matches the Kubernetes label validation rules: * must be 63 characters or less (can be empty), * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.

Valid values include:

  • MyValue
  • my.name
  • 123-my-value

Listener

(Appears on: GatewaySpec)

Listener embodies the concept of a logical endpoint where a Gateway accepts network connections.

Field Description
name
SectionName

Name is the name of the Listener. This name MUST be unique within a Gateway.

Support: Core

hostname
Hostname
(Optional)

Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don’t require hostname based matching.

Implementations MUST apply Hostname matching appropriately for each of the following protocols:

  • TLS: The Listener Hostname MUST match the SNI.
  • HTTP: The Listener Hostname MUST match the Host header of the request.
  • HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that.

For HTTPRoute and TLSRoute resources, there is an interaction with the spec.hostnames array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation.

Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com.

Support: Core

port
PortNumber

Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.

Support: Core

protocol
ProtocolType

Protocol specifies the network protocol this listener expects to receive.

Support: Core

tls
GatewayTLSConfig
(Optional)

TLS is the TLS configuration for the Listener. This field is required if the Protocol field is “HTTPS” or “TLS”. It is invalid to set this field if the Protocol field is “HTTP”, “TCP”, or “UDP”.

The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener.

The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake.

Support: Core

allowedRoutes
AllowedRoutes
(Optional)

AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present.

Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria:

  • The most specific match as defined by the Route type.
  • The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
  • If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz.

All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported.

Support: Core

ListenerConditionReason (string alias)

ListenerConditionReason defines the set of reasons that explain why a particular Listener condition type has been raised.

Value Description

"Accepted"

This reason is used with the “Accepted” condition when the condition is True.

"Attached"

This reason is used with the “Detached” condition when the condition is False.

Deprecated: use the “Accepted” condition with reason “Accepted” instead.

"HostnameConflict"

This reason is used with the “Conflicted” condition when the Listener conflicts with hostnames in other Listeners. For example, this reason would be used when multiple Listeners on the same port use example.com in the hostname field.

"Invalid"

This reason is used with the “Ready” and “Programmed” conditions when the Listener is syntactically or semantically invalid.

"InvalidCertificateRef"

This reason is used with the “ResolvedRefs” condition when the Listener has a TLS configuration with at least one TLS CertificateRef that is invalid or does not exist. A CertificateRef is considered invalid when it refers to a nonexistent or unsupported resource or kind, or when the data within that resource is malformed. This reason must be used only when the reference is allowed, either by referencing an object in the same namespace as the Gateway, or when a cross-namespace reference has been explicitly allowed by a ReferenceGrant. If the reference is not allowed, the reason RefNotPermitted must be used instead.

"InvalidRouteKinds"

This reason is used with the “ResolvedRefs” condition when an invalid or unsupported Route kind is specified by the Listener.

"NoConflicts"

This reason is used with the “Conflicted” condition when the condition is False.

"Pending"

This reason is used with the “Accepted”, “Ready” and “Programmed” conditions when the Listener is either not yet reconciled or not yet not online and ready to accept client traffic.

"PortUnavailable"

This reason is used with the “Accepted” condition when the Listener requests a port that cannot be used on the Gateway. This reason could be used in a number of instances, including:

  • The port is already in use.
  • The port is not supported by the implementation.

"Programmed"

This reason is used with the “Programmed” condition when the condition is true.

"ProtocolConflict"

This reason is used with the “Conflicted” condition when multiple Listeners are specified with the same Listener port number, but have conflicting protocol specifications.

"Ready"

Deprecated: Ready is reserved for future use

"RefNotPermitted"

This reason is used with the “ResolvedRefs” condition when the Listener has a TLS configuration that references an object in another namespace, where the object in the other namespace does not have a ReferenceGrant explicitly allowing the reference.

"ResolvedRefs"

This reason is used with the “ResolvedRefs” condition when the condition is true.

"UnsupportedProtocol"

This reason is used with the “Accepted” condition when the Listener could not be attached to be Gateway because its protocol type is not supported.

ListenerConditionType (string alias)

ListenerConditionType is a type of condition associated with the listener. This type should be used with the ListenerStatus.Conditions field.

Value Description

"Accepted"

This condition indicates that the listener is syntactically and semantically valid, and that all features used in the listener’s spec are supported.

In general, a Listener will be marked as Accepted when the supplied configuration will generate at least some data plane configuration.

For example, a Listener with an unsupported protocol will never generate any data plane config, and so will have Accepted set to false. Conversely, a Listener that does not have any Routes will be able to generate data plane config, and so will have Accepted set to true.

Possible reasons for this condition to be True are:

  • “Accepted”

Possible reasons for this condition to be False are:

  • “PortUnavailable”
  • “UnsupportedProtocol”

Possible reasons for this condition to be Unknown are:

  • “Pending”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

"Conflicted"

This condition indicates that the controller was unable to resolve conflicting specification requirements for this Listener. If a Listener is conflicted, its network port should not be configured on any network elements.

Possible reasons for this condition to be true are:

  • “HostnameConflict”
  • “ProtocolConflict”

Possible reasons for this condition to be False are:

  • “NoConflicts”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

"Detached"

Deprecated: use “Accepted” instead.

"Programmed"

This condition indicates whether a Listener has generated some configuration that will soon be ready in the underlying data plane.

It is a positive-polarity summary condition, and so should always be present on the resource with ObservedGeneration set.

It should be set to Unknown if the controller performs updates to the status before it has all the information it needs to be able to determine if the condition is true.

Possible reasons for this condition to be True are:

  • “Programmed”

Possible reasons for this condition to be False are:

  • “Invalid”
  • “Pending”

Possible reasons for this condition to be Unknown are:

  • “Pending”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

"Ready"

“Ready” is a condition type reserved for future use. It should not be used by implementations. Note: This condition is not really “deprecated”, but rather “reserved”; however, deprecated triggers Go linters to alert about usage.

If used in the future, “Ready” will represent the final state where all configuration is confirmed good and has completely propagated to the data plane. That is, it is a guarantee that, as soon as something sees the Condition as true, then connections will be correctly routed immediately.

This is a very strong guarantee, and to date no implementation has satisfied it enough to implement it. This reservation can be discussed in the future if necessary.

Deprecated: Ready is reserved for future use

"ResolvedRefs"

This condition indicates whether the controller was able to resolve all the object references for the Listener.

Possible reasons for this condition to be true are:

  • “ResolvedRefs”

Possible reasons for this condition to be False are:

  • “InvalidCertificateRef”
  • “InvalidRouteKinds”
  • “RefNotPermitted”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

ListenerStatus

(Appears on: GatewayStatus)

ListenerStatus is the status associated with a Listener.

Field Description
name
SectionName

Name is the name of the Listener that this status corresponds to.

supportedKinds
[]RouteGroupKind

SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration.

If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the “ResolvedRefs” condition to “False” with the “InvalidRouteKinds” reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified.

attachedRoutes
int32

AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener.

Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route’s ParentRefs field. A Route is successfully attached to a Listener when it is selected by the Listener’s AllowedRoutes field AND the Route has a valid ParentRef selecting the whole Gateway resource or a specific Listener as a parent resource (more detail on attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions.

Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener.

conditions
[]Kubernetes meta/v1.Condition

Conditions describe the current condition of this listener.

LocalObjectReference

(Appears on: GRPCRouteFilter, HTTPRouteFilter, BackendTLSPolicyValidation)

LocalObjectReference identifies an API object within the namespace of the referrer. The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Field Description
group
Group

Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred.

kind
Kind

Kind is kind of the referent. For example “HTTPRoute” or “Service”.

name
ObjectName

Name is the name of the referent.

LocalParametersReference

(Appears on: GatewayInfrastructure)

LocalParametersReference identifies an API object containing controller-specific configuration resource within the namespace.

Field Description
group
Group

Group is the group of the referent.

kind
Kind

Kind is kind of the referent.

name
string

Name is the name of the referent.

Namespace (string alias)

(Appears on: BackendObjectReference, ObjectReference, ParametersReference, ParentReference, SecretObjectReference, NamespacedPolicyTargetReference, ReferenceGrantFrom)

Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.

This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187

This is used for Namespace name validation here: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63

Valid values include:

  • “example”

Invalid values include:

  • “example.com” - “.” is an invalid character

ObjectName (string alias)

(Appears on: BackendObjectReference, GatewaySpec, LocalObjectReference, ObjectReference, ParentReference, SecretObjectReference, LocalPolicyTargetReference, NamespacedPolicyTargetReference, ReferenceGrantTo)

ObjectName refers to the name of a Kubernetes object. Object names can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels.

ObjectReference

(Appears on: FrontendTLSValidation)

ObjectReference identifies an API object including its namespace.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Field Description
group
Group

Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred.

kind
Kind

Kind is kind of the referent. For example “ConfigMap” or “Service”.

name
ObjectName

Name is the name of the referent.

namespace
Namespace
(Optional)

Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.

Support: Core

ParametersReference

(Appears on: GatewayClassSpec)

ParametersReference identifies an API object containing controller-specific configuration resource within the cluster.

Field Description
group
Group

Group is the group of the referent.

kind
Kind

Kind is kind of the referent.

name
string

Name is the name of the referent.

namespace
Namespace
(Optional)

Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource.

ParentReference

(Appears on: CommonRouteSpec, RouteParentStatus, PolicyAncestorStatus)

ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with “Core” support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute.

Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

Field Description
group
Group
(Optional)

Group is the group of the referent. When unspecified, “gateway.networking.k8s.io” is inferred. To set the core API group (such as for a “Service” kind referent), Group must be explicitly set to “” (empty string).

Support: Core

kind
Kind
(Optional)

Kind is kind of the referent.

There are two kinds of parent resources with “Core” support:

  • Gateway (Gateway conformance profile)
  • Service (Mesh conformance profile, ClusterIP Services only)

Support for other resources is Implementation-Specific.

namespace
Namespace
(Optional)

Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route.

Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference.

gateway:experimental:description ParentRefs from a Route to a Service in the same namespace are “producer” routes, which apply default routing rules to inbound connections from any namespace to the Service.

ParentRefs from a Route to a Service in a different namespace are “consumer” routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. /gateway:experimental:description

Support: Core

name
ObjectName

Name is the name of the referent.

Support: Core

sectionName
SectionName
(Optional)

SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following:

  • Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values.
  • Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values.

Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted.

When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway.

Support: Core

port
PortNumber
(Optional)

Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource.

When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It’s not recommended to set Port unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values.

gateway:experimental:description When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. /gateway:experimental:description

Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted.

For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway.

Support: Extended

PathMatchType (string alias)

(Appears on: HTTPPathMatch)

PathMatchType specifies the semantics of how HTTP paths should be compared. Valid PathMatchType values, along with their conformance level, are:

  • “Exact” - Core
  • “PathPrefix” - Core
  • “RegularExpression” - Implementation Specific

PathPrefix and Exact paths must be syntactically valid:

  • Must begin with the / character
  • Must not contain consecutive / characters (e.g. /foo///, //).

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Value Description

"Exact"

Matches the URL path exactly and with case sensitivity. This means that an exact path match on /abc will only match requests to /abc, NOT /abc/, /Abc, or /abcd.

"PathPrefix"

Matches based on a URL path prefix split by /. Matching is case sensitive and done on a path element by element basis. A path element refers to the list of labels in the path split by the / separator. When specified, a trailing / is ignored.

For example, the paths /abc, /abc/, and /abc/def would all match the prefix /abc, but the path /abcd would not.

“PathPrefix” is semantically equivalent to the “Prefix” path type in the Kubernetes Ingress API.

"RegularExpression"

Matches if the URL path matches the given regular expression with case sensitivity.

Since "RegularExpression" has implementation-specific conformance, implementations can support POSIX, PCRE, RE2 or any other regular expression dialect. Please read the implementation’s documentation to determine the supported dialect.

PortNumber (int32 alias)

(Appears on: BackendObjectReference, HTTPRequestRedirectFilter, Listener, ParentReference)

PortNumber defines a network port.

PreciseHostname (string alias)

(Appears on: HTTPRequestRedirectFilter, HTTPURLRewriteFilter, BackendTLSPolicyValidation)

PreciseHostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 1 notable exception that numeric IP addresses are not allowed.

Note that as per RFC1035 and RFC1123, a label must consist of lower case alphanumeric characters or ‘-’, and must start and end with an alphanumeric character. No other punctuation is allowed.

ProtocolType (string alias)

(Appears on: Listener)

ProtocolType defines the application protocol accepted by a Listener. Implementations are not required to accept all the defined protocols. If an implementation does not support a specified protocol, it MUST set the “Accepted” condition to False for the affected Listener with a reason of “UnsupportedProtocol”.

Core ProtocolType values are listed in the table below.

Implementations can define their own protocols if a core ProtocolType does not exist. Such definitions must use prefixed name, such as mycompany.com/my-custom-protocol. Un-prefixed names are reserved for core protocols. Any protocol defined by implementations will fall under implementation-specific conformance.

Valid values include:

  • “HTTP” - Core support
  • “example.com/bar” - Implementation-specific support

Invalid values include:

  • “example.com” - must include path if domain is used
  • “foo.example.com” - must include path if domain is used

Value Description

"HTTP"

Accepts cleartext HTTP/1.1 sessions over TCP. Implementations MAY also support HTTP/2 over cleartext. If implementations support HTTP/2 over cleartext on “HTTP” listeners, that MUST be clearly documented by the implementation.

"HTTPS"

Accepts HTTP/1.1 or HTTP/2 sessions over TLS.

"TCP"

Accepts TCP sessions.

"TLS"

Accepts TLS sessions over TCP.

"UDP"

Accepts UDP packets.

QueryParamMatchType (string alias)

(Appears on: HTTPQueryParamMatch)

QueryParamMatchType specifies the semantics of how HTTP query parameter values should be compared. Valid QueryParamMatchType values, along with their conformance levels, are:

  • “Exact” - Core
  • “RegularExpression” - Implementation Specific

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Accepted Condition for the Route to status: False, with a Reason of UnsupportedValue.

Value Description

"Exact"

"RegularExpression"

RouteConditionReason (string alias)

RouteConditionReason is a reason for a route condition.

Value Description

"Accepted"

This reason is used with the “Accepted” condition when the Route has been accepted by the Gateway.

"BackendNotFound"

This reason is used with the “ResolvedRefs” condition when one of the Route’s rules has a reference to a resource that does not exist.

"IncompatibleFilters"

This reason is used with the “Accepted” condition when there are incompatible filters present on a route rule (for example if the URLRewrite and RequestRedirect are both present on an HTTPRoute).

"InvalidKind"

This reason is used with the “ResolvedRefs” condition when one of the Route’s rules has a reference to an unknown or unsupported Group and/or Kind.

"NoMatchingListenerHostname"

This reason is used with the “Accepted” condition when the Gateway has no compatible Listeners whose Hostname matches the route

"NoMatchingParent"

This reason is used with the “Accepted” condition when there are no matching Parents. In the case of Gateways, this can occur when a Route ParentRef specifies a Port and/or SectionName that does not match any Listeners in the Gateway.

"NotAllowedByListeners"

This reason is used with the “Accepted” condition when the route has not been accepted by a Gateway because the Gateway has no Listener whose allowedRoutes criteria permit the route

"Pending"

This reason is used with the “Accepted” when a controller has not yet reconciled the route.

"RefNotPermitted"

This reason is used with the “ResolvedRefs” condition when one of the Listener’s Routes has a BackendRef to an object in another namespace, where the object in the other namespace does not have a ReferenceGrant explicitly allowing the reference.

"ResolvedRefs"

This reason is used with the “ResolvedRefs” condition when the condition is true.

"UnsupportedProtocol"

This reason is used with the “ResolvedRefs” condition when one of the Route’s rules has a reference to a resource with an app protocol that is not supported by this implementation.

"UnsupportedValue"

This reason is used with the “Accepted” condition when a value for an Enum is not recognized.

RouteConditionType (string alias)

RouteConditionType is a type of condition for a route.

Value Description

"Accepted"

This condition indicates whether the route has been accepted or rejected by a Gateway, and why.

Possible reasons for this condition to be True are:

  • “Accepted”

Possible reasons for this condition to be False are:

  • “NotAllowedByListeners”
  • “NoMatchingListenerHostname”
  • “NoMatchingParent”
  • “UnsupportedValue”

Possible reasons for this condition to be Unknown are:

  • “Pending”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

"PartiallyInvalid"

This condition indicates that the Route contains a combination of both valid and invalid rules.

When this happens, implementations MUST take one of the following approaches:

1) Drop Rule(s): With this approach, implementations will drop the invalid Route Rule(s) until they are fully valid again. The message for this condition MUST start with the prefix “Dropped Rule” and include information about which Rules have been dropped. In this state, the “Accepted” condition MUST be set to “True” with the latest generation of the resource. 2) Fall Back: With this approach, implementations will fall back to the last known good state of the entire Route. The message for this condition MUST start with the prefix “Fall Back” and include information about why the current Rule(s) are invalid. To represent this, the “Accepted” condition MUST be set to “True” with the generation of the last known good state of the resource.

Reverting to the last known good state should only be done by implementations that have a means of restoring that state if/when they are restarted.

This condition MUST NOT be set if a Route is fully valid, fully invalid, or not accepted. By extension, that means that this condition MUST only be set when it is “True”.

Possible reasons for this condition to be True are:

  • “UnsupportedValue”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

"ResolvedRefs"

This condition indicates whether the controller was able to resolve all the object references for the Route.

Possible reasons for this condition to be True are:

  • “ResolvedRefs”

Possible reasons for this condition to be False are:

  • “RefNotPermitted”
  • “InvalidKind”
  • “BackendNotFound”
  • “UnsupportedProtocol”

Controllers may raise this condition with other reasons, but should prefer to use the reasons listed above to improve interoperability.

RouteGroupKind

(Appears on: AllowedRoutes, ListenerStatus)

RouteGroupKind indicates the group and kind of a Route resource.

Field Description
group
Group
(Optional)

Group is the group of the Route.

kind
Kind

Kind is the kind of the Route.

RouteNamespaces

(Appears on: AllowedRoutes)

RouteNamespaces indicate which namespaces Routes should be selected from.

Field Description
from
FromNamespaces
(Optional)

From indicates where Routes will be selected for this Gateway. Possible values are:

  • All: Routes in all namespaces may be used by this Gateway.
  • Selector: Routes in namespaces selected by the selector may be used by this Gateway.
  • Same: Only Routes in the same namespace may be used by this Gateway.

Support: Core

selector
Kubernetes meta/v1.LabelSelector
(Optional)

Selector must be specified when From is set to “Selector”. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of “From”.

Support: Core

RouteParentStatus

(Appears on: RouteStatus)

RouteParentStatus describes the status of a route with respect to an associated Parent.

Field Description
parentRef
ParentReference

ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of.

controllerName
GatewayController

ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass.

Example: “example.net/gateway-controller”.

The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).

Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.

conditions
[]Kubernetes meta/v1.Condition

Conditions describes the status of the route with respect to the Gateway. Note that the route’s availability is also subject to the Gateway’s own status conditions and listener status.

If the Route’s ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway’s controller has sufficient access, then that Gateway’s controller MUST set the “Accepted” condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why.

A Route MUST be considered “Accepted” if at least one of the Route’s rules is implemented by the Gateway.

There are a number of cases where the “Accepted” condition may not be set due to lack of controller visibility, that includes when:

  • The Route refers to a non-existent parent.
  • The Route is of a type that the controller does not support.
  • The Route is in a namespace the controller does not have access to.

RouteStatus

(Appears on: GRPCRouteStatus, HTTPRouteStatus, TCPRouteStatus, TLSRouteStatus, UDPRouteStatus)

RouteStatus defines the common attributes that all Routes MUST include within their status.

Field Description
parents
[]RouteParentStatus

Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified.

Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for.

A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway.

SecretObjectReference

(Appears on: GatewayBackendTLS, GatewayTLSConfig)

SecretObjectReference identifies an API object including its namespace, defaulting to Secret.

The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.

References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object.

Field Description
group
Group
(Optional)

Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred.

kind
Kind
(Optional)

Kind is kind of the referent. For example “Secret”.

name
ObjectName

Name is the name of the referent.

namespace
Namespace
(Optional)

Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.

Support: Core

SectionName (string alias)

(Appears on: GRPCRouteRule, HTTPRouteRule, Listener, ListenerStatus, ParentReference, LocalPolicyTargetReferenceWithSectionName, TCPRouteRule, TLSRouteRule, UDPRouteRule)

SectionName is the name of a section in a Kubernetes resource.

In the following resources, SectionName is interpreted as the following:

  • Gateway: Listener name
  • HTTPRoute: HTTPRouteRule name
  • Service: Port name

Section names can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels.

This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208

Valid values include:

  • “example”
  • “foo-example”
  • “example.com”
  • “foo.example.com”

Invalid values include:

  • “example.com/bar” - “/” is an invalid character

SessionPersistence

(Appears on: GRPCRouteRule, HTTPRouteRule, BackendLBPolicySpec)

SessionPersistence defines the desired state of SessionPersistence.

Field Description
sessionName
string
(Optional)

SessionName defines the name of the persistent session token which may be reflected in the cookie or the header. Users should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior.

Support: Implementation-specific

absoluteTimeout
Duration
(Optional)

AbsoluteTimeout defines the absolute timeout of the persistent session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid.

Support: Extended

idleTimeout
Duration
(Optional)

IdleTimeout defines the idle timeout of the persistent session. Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid.

Support: Extended

type
SessionPersistenceType
(Optional)

Type defines the type of session persistence such as through the use a header or cookie. Defaults to cookie based session persistence.

Support: Core for “Cookie” type

Support: Extended for “Header” type

cookieConfig
CookieConfig
(Optional)

CookieConfig provides configuration settings that are specific to cookie-based session persistence.

Support: Core

SessionPersistenceType (string alias)

(Appears on: SessionPersistence)

Value Description

"Cookie"

CookieBasedSessionPersistence specifies cookie-based session persistence.

Support: Core

"Header"

HeaderBasedSessionPersistence specifies header-based session persistence.

Support: Extended

SupportedFeature

(Appears on: GatewayClassStatus)

Field Description
name
FeatureName

TLSModeType (string alias)

(Appears on: GatewayTLSConfig)

TLSModeType type defines how a Gateway handles TLS sessions.

Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash.

Unknown values here must result in the implementation setting the Ready Condition for the Listener to status: False, with a Reason of Invalid.

Value Description

"Passthrough"

In this mode, the TLS session is NOT terminated by the Gateway. This implies that the Gateway can’t decipher the TLS stream except for the ClientHello message of the TLS protocol.

Note that SSL passthrough is only supported by TLSRoute.

"Terminate"

In this mode, TLS session between the downstream client and the Gateway is terminated at the Gateway.


gateway.networking.k8s.io/v1beta1

Package v1beta1 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types:

Gateway

Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1beta1
kind
string
Gateway
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GatewaySpec

Spec defines the desired state of Gateway.



gatewayClassName
ObjectName

GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.

listeners
[]Listener

Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway’s addresses. At least one Listener MUST be specified.

Distinct Listeners

Each Listener in a set of Listeners (for example, in a single Gateway) MUST be distinct, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses “set of Listeners” rather than “Listeners in a single Gateway” because implementations MAY merge configuration from multiple Gateways onto a single data plane, and these rules also apply in that case).

Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname.

Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on the objects they support:

HTTPRoute

  1. HTTPRoute, Port: 80, Protocol: HTTP
  2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided

TLSRoute

  1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough

“Distinct” Listeners have the following property:

The implementation can match inbound requests to a single distinct Listener.

When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields.

When multiple listeners have the same value for the Protocol field, then each of the Listeners with matching Protocol values MUST have different values for other fields.

The set of fields that MUST be different for a Listener differs per protocol. The following rules define the rules for what fields MUST be considered for Listeners to be distinct with each protocol currently defined in the Gateway API spec.

The set of listeners that all share a protocol value MUST have different values for at least one of these fields to be distinct:

  • HTTP, HTTPS, TLS: Port, Hostname
  • TCP, UDP: Port

One very important rule to call out involves what happens when an implementation:

  • Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol Listeners, and
  • sees HTTP, HTTPS, or TLS protocols with the same port as one with TCP Protocol.

In this case all the Listeners that share a port with the TCP Listener are not distinct and so MUST NOT be accepted.

If an implementation does not support TCP Protocol Listeners, then the previous rule does not apply, and the TCP Listeners SHOULD NOT be accepted.

Note that the tls field is not used for determining if a listener is distinct, because Listeners that only differ on TLS config will still conflict in all cases.

Listeners that are distinct only by Hostname

When the Listeners are distinct based only on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes.

Exact matches MUST be processed before wildcard matches, and wildcard matches MUST be processed before fallback (empty Hostname value) matches. For example, "foo.example.com" takes precedence over "*.example.com", and "*.example.com" takes precedence over "".

Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, "*.foo.example.com" takes precedence over "*.example.com".

The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence.

The wildcard character will match any number of characters and dots to the left, however, so "*.example.com" will match both "foo.bar.example.com" and "bar.example.com".

Handling indistinct Listeners

If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the “Conflicted” condition in the Listener Status to “True”.

The words “indistict” and “conflicted” are considered equivalent for the purpose of this documentation.

Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners.

Specifically, an implementation MAY accept a partial Listener set subject to the following rules:

  • The implementation MUST NOT pick one conflicting Listener as the winner. ALL indistinct Listeners must not be accepted for processing.
  • At least one distinct Listener MUST be present, or else the Gateway effectively contains no Listeners, and must be rejected from processing as a whole.

The implementation MUST set a “ListenersNotValid” condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly indicate in the Message which Listeners are conflicted, and which are Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted.

General Listener behavior

Note that, for all distinct Listeners, requests SHOULD match at most one Listener. For example, if Listeners are defined for “foo.example.com” and “.example.com”, a request to “foo.example.com” SHOULD only be routed using routes attached to the “foo.example.com” Listener (and not the “.example.com” Listener).

This concept is known as “Listener Isolation”, and it is an Extended feature of Gateway API. Implementations that do not support Listener Isolation MUST clearly document this, and MUST NOT claim support for the GatewayHTTPListenerIsolation feature.

Implementations that do support Listener Isolation SHOULD claim support for the Extended GatewayHTTPListenerIsolation feature and pass the associated conformance tests.

Compatible Listeners

A Gateway’s Listeners are considered compatible if:

  1. They are distinct.
  2. The implementation can serve them in compliance with the Addresses requirement that all Listeners are available on all assigned addresses.

Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another.

For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct.

Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible.

Support: Core

addresses
[]GatewayAddress
(Optional)

Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses.

The Addresses field represents a request for the address(es) on the “outside of the Gateway”, that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to.

If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses.

The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses.

Support: Extended

gateway:validateIPAddress

infrastructure
GatewayInfrastructure
(Optional)

Infrastructure defines infrastructure level attributes about this Gateway instance.

Support: Extended

backendTLS
GatewayBackendTLS
(Optional)

BackendTLS configures TLS settings for when this Gateway is connecting to backends with TLS.

Support: Core

gateway:experimental

status
GatewayStatus

Status defines the current state of Gateway.

GatewayClass

GatewayClass describes a class of Gateways available to the user for creating Gateway resources.

It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation.

Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the gateway-exists-finalizer.gateway.networking.k8s.io finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use.

GatewayClass is a Cluster level resource.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1beta1
kind
string
GatewayClass
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GatewayClassSpec

Spec defines the desired state of GatewayClass.



controllerName
GatewayController

ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path.

Example: “example.net/gateway-controller”.

This field is not mutable and cannot be empty.

Support: Core

parametersRef
ParametersReference
(Optional)

ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration.

ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped.

If the referent cannot be found, refers to an unsupported kind, or when the data within that resource is malformed, the GatewayClass SHOULD be rejected with the “Accepted” status condition set to “False” and an “InvalidParameters” reason.

A Gateway for this GatewayClass may provide its own parametersRef. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.

Support: Implementation-specific

description
string
(Optional)

Description helps describe a GatewayClass with more details.

status
GatewayClassStatus

Status defines the current state of GatewayClass.

Implementations MUST populate status on all GatewayClass resources which specify their controller name.

HTTPRoute

HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1beta1
kind
string
HTTPRoute
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
HTTPRouteSpec

Spec defines the desired state of HTTPRoute.



CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPRoute used to process the request. Implementations MUST ignore any port value specified in the HTTP Host header while performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend.

Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label must appear by itself as the first label.

If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, *.example.com, test.example.com, and foo.test.example.com would all match. On the other hand, example.com and test.example.net would not match.

Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com.

If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the HTTPRoute specified test.example.com and test.example.net, test.example.net must not be considered for a match.

If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of:

  • Characters in a matching non-wildcard hostname.
  • Characters in a matching hostname.

If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over.

Support: Core

rules
[]HTTPRouteRule
(Optional)

Rules are a list of HTTP matchers, filters and actions.

status
HTTPRouteStatus

Status defines the current state of HTTPRoute.

ReferenceGrant

ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy.

Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within.

All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant.

ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1beta1
kind
string
ReferenceGrant
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ReferenceGrantSpec

Spec defines the desired state of ReferenceGrant.



from
[]ReferenceGrantFrom

From describes the trusted namespaces and kinds that can reference the resources described in “To”. Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR.

Support: Core

to
[]ReferenceGrantTo

To describes the resources that may be referenced by the resources described in “From”. Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR.

Support: Core

ReferenceGrantFrom

(Appears on: ReferenceGrantSpec)

ReferenceGrantFrom describes trusted namespaces and kinds.

Field Description
group
Group

Group is the group of the referent. When empty, the Kubernetes core API group is inferred.

Support: Core

kind
Kind

Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the “Core” support level for this field.

When used to permit a SecretObjectReference:

  • Gateway

When used to permit a BackendObjectReference:

  • GRPCRoute
  • HTTPRoute
  • TCPRoute
  • TLSRoute
  • UDPRoute
namespace
Namespace

Namespace is the namespace of the referent.

Support: Core

ReferenceGrantSpec

(Appears on: ReferenceGrant, ReferenceGrant)

ReferenceGrantSpec identifies a cross namespace relationship that is trusted for Gateway API.

Field Description
from
[]ReferenceGrantFrom

From describes the trusted namespaces and kinds that can reference the resources described in “To”. Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR.

Support: Core

to
[]ReferenceGrantTo

To describes the resources that may be referenced by the resources described in “From”. Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR.

Support: Core

ReferenceGrantTo

(Appears on: ReferenceGrantSpec)

ReferenceGrantTo describes what Kinds are allowed as targets of the references.

Field Description
group
Group

Group is the group of the referent. When empty, the Kubernetes core API group is inferred.

Support: Core

kind
Kind

Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the “Core” support level for this field:

  • Secret when used to permit a SecretObjectReference
  • Service when used to permit a BackendObjectReference
name
ObjectName
(Optional)

Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace.


gateway.networking.k8s.io/v1alpha3

Package v1alpha3 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types:

BackendTLSPolicy

BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1alpha3
kind
string
BackendTLSPolicy
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
BackendTLSPolicySpec

Spec defines the desired state of BackendTLSPolicy.



targetRefs
[]LocalPolicyTargetReferenceWithSectionName

TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy.

Support: Extended for Kubernetes Service

Support: Implementation-specific for any other resource

validation
BackendTLSPolicyValidation

Validation contains backend TLS validation configuration.

options
map[sigs.k8s.io/gateway-api/apis/v1.AnnotationKey]sigs.k8s.io/gateway-api/apis/v1.AnnotationValue
(Optional)

Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites.

A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as example.com/my-custom-option. Un-prefixed names are reserved for key names defined by Gateway API.

Support: Implementation-specific

status
PolicyStatus

Status defines the current state of BackendTLSPolicy.

BackendTLSPolicySpec

(Appears on: BackendTLSPolicy)

BackendTLSPolicySpec defines the desired state of BackendTLSPolicy.

Support: Extended

Field Description
targetRefs
[]LocalPolicyTargetReferenceWithSectionName

TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy.

Support: Extended for Kubernetes Service

Support: Implementation-specific for any other resource

validation
BackendTLSPolicyValidation

Validation contains backend TLS validation configuration.

options
map[sigs.k8s.io/gateway-api/apis/v1.AnnotationKey]sigs.k8s.io/gateway-api/apis/v1.AnnotationValue
(Optional)

Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites.

A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as example.com/my-custom-option. Un-prefixed names are reserved for key names defined by Gateway API.

Support: Implementation-specific

BackendTLSPolicyValidation

(Appears on: BackendTLSPolicySpec)

BackendTLSPolicyValidation contains backend TLS validation configuration.

Field Description
caCertificateRefs
[]LocalObjectReference
(Optional)

CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.

If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertifcateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation.

References to a resource in a different namespace are invalid for the moment, although we will revisit this in the future.

A single CACertificateRef to a Kubernetes ConfigMap kind has “Core” support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific.

Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named ca.crt.

Support: Implementation-specific (More than one reference, or other kinds of resources).

wellKnownCACertificates
WellKnownCACertificatesType
(Optional)

WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.

If WellKnownCACertificates is unspecified or empty (“”), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an implementation does not support the WellKnownCACertificates field or the value supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid.

Support: Implementation-specific

hostname
PreciseHostname

Hostname is used for two purposes in the connection between Gateways and backends:

  1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
  2. If SubjectAltNames is not specified, Hostname MUST be used for authentication and MUST match the certificate served by the matching backend.

Support: Core

subjectAltNames
[]SubjectAltName
(Optional)

SubjectAltNames contains one or more Subject Alternative Names. When specified, the certificate served from the backend MUST have at least one Subject Alternate Name matching one of the specified SubjectAltNames.

Support: Core

SubjectAltName

(Appears on: BackendTLSPolicyValidation)

SubjectAltName represents Subject Alternative Name.

Field Description
type
SubjectAltNameType

Type determines the format of the Subject Alternative Name. Always required.

Support: Core

hostname
Hostname
(Optional)

Hostname contains Subject Alternative Name specified in DNS name format. Required when Type is set to Hostname, ignored otherwise.

Support: Core

uri
AbsoluteURI
(Optional)

URI contains Subject Alternative Name specified in a full URI format. It MUST include both a scheme (e.g., “http” or “ftp”) and a scheme-specific-part. Common values include SPIFFE IDs like “spiffe://mycluster.example.com/ns/myns/sa/svc1sa”. Required when Type is set to URI, ignored otherwise.

Support: Core

SubjectAltNameType (string alias)

(Appears on: SubjectAltName)

SubjectAltNameType is the type of the Subject Alternative Name.

Value Description

"Hostname"

HostnameSubjectAltNameType specifies hostname-based SAN.

Support: Core

"URI"

URISubjectAltNameType specifies URI-based SAN, e.g. SPIFFE id.

Support: Core

WellKnownCACertificatesType (string alias)

(Appears on: BackendTLSPolicyValidation)

WellKnownCACertificatesType is the type of CA certificate that will be used when the caCertificateRefs field is unspecified.

Value Description

"System"

WellKnownCACertificatesSystem indicates that well known system CA certificates should be used.


gateway.networking.k8s.io/v1alpha2

Package v1alpha2 contains API Schema definitions for the gateway.networking.k8s.io API group.

Resource Types:

BackendLBPolicy

BackendLBPolicy provides a way to define load balancing rules for a backend.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1alpha2
kind
string
BackendLBPolicy
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
BackendLBPolicySpec

Spec defines the desired state of BackendLBPolicy.



targetRefs
[]LocalPolicyTargetReference

TargetRef identifies an API object to apply policy to. Currently, Backends (i.e. Service, ServiceImport, or any implementation-specific backendRef) are the only valid API target references.

sessionPersistence
SessionPersistence
(Optional)

SessionPersistence defines and configures session persistence for the backend.

Support: Extended

status
PolicyStatus

Status defines the current state of BackendLBPolicy.

ReferenceGrant

ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy.

Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within.

A ReferenceGrant is required for all cross-namespace references in Gateway API (with the exception of cross-namespace Route-Gateway attachment, which is governed by the AllowedRoutes configuration on the Gateway, and cross-namespace Service ParentRefs on a “consumer” mesh Route, which defines routing rules applicable only to workloads in the Route namespace). ReferenceGrants allowing a reference from a Route to a Service are only applicable to BackendRefs.

ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1alpha2
kind
string
ReferenceGrant
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ReferenceGrantSpec

Spec defines the desired state of ReferenceGrant.



from
[]ReferenceGrantFrom

From describes the trusted namespaces and kinds that can reference the resources described in “To”. Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR.

Support: Core

to
[]ReferenceGrantTo

To describes the resources that may be referenced by the resources described in “From”. Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR.

Support: Core

TCPRoute

TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1alpha2
kind
string
TCPRoute
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TCPRouteSpec

Spec defines the desired state of TCPRoute.



CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

rules
[]TCPRouteRule

Rules are a list of TCP matchers and actions.

status
TCPRouteStatus

Status defines the current state of TCPRoute.

TLSRoute

The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener.

If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1alpha2
kind
string
TLSRoute
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TLSRouteSpec

Spec defines the desired state of TLSRoute.



CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed in SNI names per RFC 6066.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label must appear by itself as the first label.

If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, test.example.com and *.example.com would both match. On the other hand, example.com and test.example.net would not match.

If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the TLSRoute specified test.example.com and test.example.net, test.example.net must not be considered for a match.

If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

Support: Core

rules
[]TLSRouteRule

Rules are a list of TLS matchers and actions.

status
TLSRouteStatus

Status defines the current state of TLSRoute.

UDPRoute

UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute.

Field Description
apiVersion
string
gateway.networking.k8s.io/v1alpha2
kind
string
UDPRoute
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
UDPRouteSpec

Spec defines the desired state of UDPRoute.



CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

rules
[]UDPRouteRule

Rules are a list of UDP matchers and actions.

status
UDPRouteStatus

Status defines the current state of UDPRoute.

BackendLBPolicySpec

(Appears on: BackendLBPolicy)

BackendLBPolicySpec defines the desired state of BackendLBPolicy. Note: there is no Override or Default policy configuration.

Field Description
targetRefs
[]LocalPolicyTargetReference

TargetRef identifies an API object to apply policy to. Currently, Backends (i.e. Service, ServiceImport, or any implementation-specific backendRef) are the only valid API target references.

sessionPersistence
SessionPersistence
(Optional)

SessionPersistence defines and configures session persistence for the backend.

Support: Extended

GRPCRoute

Field Description
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GRPCRouteSpec

Spec defines the desired state of GRPCRoute.



CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label MUST appear by itself as the first label.

If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, test.example.com and *.example.com would both match. On the other hand, example.com and test.example.net would not match.

Hostnames that are prefixed with a wildcard label (*.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com.

If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the GRPCRoute specified test.example.com and test.example.net, test.example.net MUST NOT be considered for a match.

If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order:

  • The oldest Route based on creation timestamp.
  • The Route appearing first in alphabetical order by “{namespace}/{name}”.

The rejected Route MUST raise an ‘Accepted’ condition with a status of ‘False’ in the corresponding RouteParentStatus.

Support: Core

rules
[]GRPCRouteRule
(Optional)

Rules are a list of GRPC matchers, filters and actions.

status
GRPCRouteStatus

Status defines the current state of GRPCRoute.

LocalPolicyTargetReference

(Appears on: BackendLBPolicySpec, LocalPolicyTargetReferenceWithSectionName)

LocalPolicyTargetReference identifies an API object to apply a direct or inherited policy to. This should be used as part of Policy resources that can target Gateway API resources. For more information on how this policy attachment model works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.

Field Description
group
Group

Group is the group of the target resource.

kind
Kind

Kind is kind of the target resource.

name
ObjectName

Name is the name of the target resource.

LocalPolicyTargetReferenceWithSectionName

(Appears on: BackendTLSPolicySpec)

LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a direct policy to. This should be used as part of Policy resources that can target single resources. For more information on how this policy attachment mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.

Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used.

Field Description
LocalPolicyTargetReference
LocalPolicyTargetReference

(Members of LocalPolicyTargetReference are embedded into this type.)

sectionName
SectionName
(Optional)

SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following:

  • Gateway: Listener name
  • HTTPRoute: HTTPRouteRule name
  • Service: Port name

If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a ResolvedRefs or similar Condition in the Policy’s status.

NamespacedPolicyTargetReference

NamespacedPolicyTargetReference identifies an API object to apply a direct or inherited policy to, potentially in a different namespace. This should only be used as part of Policy resources that need to be able to target resources in different namespaces. For more information on how this policy attachment model works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API.

Field Description
group
Group

Group is the group of the target resource.

kind
Kind

Kind is kind of the target resource.

name
ObjectName

Name is the name of the target resource.

namespace
Namespace
(Optional)

Namespace is the namespace of the referent. When unspecified, the local namespace is inferred. Even when policy targets a resource in a different namespace, it MUST only apply to traffic originating from the same namespace as the policy.

PolicyAncestorStatus

(Appears on: PolicyStatus)

PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor.

Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy’s Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most useful object to place Policy status on, so we recommend that implementations SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a very good reason otherwise.

In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway.

Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations.

For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status.

Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used.

This struct is intended to be used in a slice that’s effectively a map, with a composite key made up of the AncestorRef and the ControllerName.

Field Description
ancestorRef
ParentReference

AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of.

controllerName
GatewayController

ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass.

Example: “example.net/gateway-controller”.

The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).

Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.

conditions
[]Kubernetes meta/v1.Condition

Conditions describes the status of the Policy with respect to the given Ancestor.

PolicyConditionReason (string alias)

PolicyConditionReason is a reason for a policy condition.

Value Description

"Accepted"

PolicyReasonAccepted is used with the “Accepted” condition when the policy has been accepted by the targeted resource.

"Conflicted"

PolicyReasonConflicted is used with the “Accepted” condition when the policy has not been accepted by a targeted resource because there is another policy that targets the same resource and a merge is not possible.

"Invalid"

PolicyReasonInvalid is used with the “Accepted” condition when the policy is syntactically or semantically invalid.

"TargetNotFound"

PolicyReasonTargetNotFound is used with the “Accepted” condition when the policy is attached to an invalid target resource.

PolicyConditionType (string alias)

PolicyConditionType is a type of condition for a policy. This type should be used with a Policy resource Status.Conditions field.

Value Description

"Accepted"

PolicyConditionAccepted indicates whether the policy has been accepted or rejected by a targeted resource, and why.

Possible reasons for this condition to be True are:

  • “Accepted”

Possible reasons for this condition to be False are:

  • “Conflicted”
  • “Invalid”
  • “TargetNotFound”

PolicyStatus

(Appears on: BackendLBPolicy, BackendTLSPolicy)

PolicyStatus defines the common attributes that all Policies should include within their status.

Field Description
ancestors
[]PolicyAncestorStatus

Ancestors is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified.

Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status.

Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for.

Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined.

A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors.

If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy.

TCPRouteRule

(Appears on: TCPRouteSpec)

TCPRouteRule is the configuration for a given rule.

Field Description
name
SectionName
(Optional)

Name is the name of the route rule. This name MUST be unique within a Route if it is set.

Support: Extended

backendRefs
[]BackendRef

BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead.

Support: Core for Kubernetes Service

Support: Extended for Kubernetes ServiceImport

Support: Implementation-specific for any other resource

Support for weight: Extended

TCPRouteSpec

(Appears on: TCPRoute)

TCPRouteSpec defines the desired state of TCPRoute

Field Description
CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

rules
[]TCPRouteRule

Rules are a list of TCP matchers and actions.

TCPRouteStatus

(Appears on: TCPRoute)

TCPRouteStatus defines the observed state of TCPRoute

Field Description
RouteStatus
RouteStatus

(Members of RouteStatus are embedded into this type.)

TLSRouteRule

(Appears on: TLSRouteSpec)

TLSRouteRule is the configuration for a given rule.

Field Description
name
SectionName
(Optional)

Name is the name of the route rule. This name MUST be unique within a Route if it is set.

Support: Extended

backendRefs
[]BackendRef

BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead.

Support: Core for Kubernetes Service

Support: Extended for Kubernetes ServiceImport

Support: Implementation-specific for any other resource

Support for weight: Extended

TLSRouteSpec

(Appears on: TLSRoute)

TLSRouteSpec defines the desired state of a TLSRoute resource.

Field Description
CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

hostnames
[]Hostname
(Optional)

Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions:

  1. IPs are not allowed in SNI names per RFC 6066.
  2. A hostname may be prefixed with a wildcard label (*.). The wildcard label must appear by itself as the first label.

If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example:

  • A Listener with test.example.com as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of test.example.com or *.example.com.
  • A Listener with *.example.com as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, test.example.com and *.example.com would both match. On the other hand, example.com and test.example.net would not match.

If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified *.example.com, and the TLSRoute specified test.example.com and test.example.net, test.example.net must not be considered for a match.

If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an ‘Accepted’ Condition with a status of False in the corresponding RouteParentStatus.

Support: Core

rules
[]TLSRouteRule

Rules are a list of TLS matchers and actions.

TLSRouteStatus

(Appears on: TLSRoute)

TLSRouteStatus defines the observed state of TLSRoute

Field Description
RouteStatus
RouteStatus

(Members of RouteStatus are embedded into this type.)

UDPRouteRule

(Appears on: UDPRouteSpec)

UDPRouteRule is the configuration for a given rule.

Field Description
name
SectionName
(Optional)

Name is the name of the route rule. This name MUST be unique within a Route if it is set.

Support: Extended

backendRefs
[]BackendRef

BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead.

Support: Core for Kubernetes Service

Support: Extended for Kubernetes ServiceImport

Support: Implementation-specific for any other resource

Support for weight: Extended

UDPRouteSpec

(Appears on: UDPRoute)

UDPRouteSpec defines the desired state of UDPRoute.

Field Description
CommonRouteSpec
CommonRouteSpec

(Members of CommonRouteSpec are embedded into this type.)

rules
[]UDPRouteRule

Rules are a list of UDP matchers and actions.

UDPRouteStatus

(Appears on: UDPRoute)

UDPRouteStatus defines the observed state of UDPRoute.

Field Description
RouteStatus
RouteStatus

(Members of RouteStatus are embedded into this type.)


Generated with gen-crd-api-reference-docs.